From 54d5b167aea707c2ad0cf3677c4b7b91ae86dc30 Mon Sep 17 00:00:00 2001 From: Steven Goossens Date: Thu, 2 Jul 2020 23:06:51 +0200 Subject: [PATCH 001/254] Initial rule to detect abuse of desktopimgdownldr.exe as described in https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ --- .../win_susp_desktopimgdownldr_command.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/file_event/win_susp_desktopimgdownldr_command.yml diff --git a/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml b/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml new file mode 100644 index 000000000..dda32e17d --- /dev/null +++ b/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml @@ -0,0 +1,30 @@ +title: Suspicious desktopimgdownldr Command +id: e011a729-98a6-4139-b5c4-bf6f6dd8239a +status: experimental +description: Detects a suspicious Microsoft desktopimgdownldr execution where the systemroot is changed to writable directory +author: Steven Goossens +modified: 2020/07/02 +date: 2020/07/02 +references: + - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ +logsource: + category: file_creation + product: windows +detection: + selection: + Image: + - '*desktopimgdownldr.exe' + filter: + TargetFileName: + - 'C:\Windows\Personalization\LockScreenImage' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.defense_evasion + - attack.ta0005 + - attack.t1140 + - attack.t1105 +falsepositives: +level: high From 4c05e27aa53e7eb47768e4da1b90d40aa3acc600 Mon Sep 17 00:00:00 2001 From: Steven Goossens Date: Thu, 2 Jul 2020 23:12:26 +0200 Subject: [PATCH 002/254] Changed UUID --- rules/windows/file_event/win_susp_desktopimgdownldr_command.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
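Review bot: `category: file_creation` is not a category the repository's generic mapping knows — the file is placed under `rules/windows/file_event/` and `tools/config/generic/sysmon.yml` (reworked in patch 003 of this series) rewrites Sysmon event 11 to `category: file_event` — so the rule would not bind to any log source; change it to `category: file_event`. The filter key `TargetFileName` differs in case from the `TargetFilename` spelling other rules in this repository use, and an exact match on the `LockScreenImage` directory will not exclude a file written inside it, so `TargetFilename|startswith: 'C:\Windows\Personalization\LockScreenImage'` is probably the intended filter. `falsepositives:` with no value parses as null; give it a list such as `- Unknown`. `CommandLine` and `ParentCommandLine` under `fields` are not carried by file-create events, so `TargetFilename` would be the useful field to list there. Patch 004 in this series deletes this file again, so these only matter if the rule is reinstated.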
diff --git a/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml b/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml index dda32e17d..e38bcc165 100644 --- a/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml +++ b/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml @@ -1,5 +1,5 @@ title: Suspicious desktopimgdownldr Command -id: e011a729-98a6-4139-b5c4-bf6f6dd8239a +id: 9b565325-4b31-4c1a-abfc-9aa0c411e1b8 status: experimental description: Detects a suspicious Microsoft desktopimgdownldr execution where the systemroot is changed to writable directory author: Steven Goossens From 8b74abe0bcb6727c4093730203a26483a0c922fb Mon Sep 17 00:00:00 2001 
From: Steven Date: Wed, 30 Sep 2020 20:44:14 +0200 Subject: [PATCH 003/254] - Created new categories for sysmon events - Replaced the explicit EventIDs with the reference to the category - Moved the rules to the corresponding directories --- .../sysmon_cactustorch.yml | 2 +- .../sysmon_cobaltstrike_process_injection.yml | 2 +- .../sysmon_createremotethread_loadlibrary.yml | 2 +- .../sysmon_password_dumper_lsass.yml | 2 +- .../sysmon_susp_powershell_rundll32.yml | 2 +- .../sysmon_suspicious_remote_thread.yml | 2 +- .../sysmon_ads_executable.yml | 5 +- .../sysmon_possible_dns_rebinding.yml | 2 +- .../sysmon_abusing_azure_browser_sso.yml | 3 +- ...sysmon_alternate_powershell_hosts_pipe.yml | 2 +- .../sysmon_apt_turla_namedpipes.yml | 4 +- .../sysmon_cred_dump_tools_named_pipes.yml | 2 +- .../sysmon_mal_namedpipes.yml | 6 +- .../sysmon_cmstp_execution.yml | 13 ++- ...w_disk_access_using_illegitimate_tools.yml | 5 +- .../sysmon_wmi_event_subscription.yml | 1 + .../sysmon_wmi_susp_scripting.yml | 2 +- tools/config/generic/sysmon.yml | 94 ++++++++++++++----- 18 files changed, 96 insertions(+), 55 deletions(-) rename rules/windows/{sysmon => create_remote_thread}/sysmon_cactustorch.yml (96%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_cobaltstrike_process_injection.yml (96%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_createremotethread_loadlibrary.yml (95%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_password_dumper_lsass.yml (95%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_susp_powershell_rundll32.yml (95%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_suspicious_remote_thread.yml (98%) rename rules/windows/{sysmon => create_stream_hash}/sysmon_ads_executable.yml (90%) rename rules/windows/{sysmon => dns_query}/sysmon_possible_dns_rebinding.yml (98%) rename rules/windows/{sysmon => image_load}/sysmon_abusing_azure_browser_sso.yml (96%) rename rules/windows/{sysmon => 
pipe_created}/sysmon_alternate_powershell_hosts_pipe.yml (97%) rename rules/windows/{sysmon => pipe_created}/sysmon_apt_turla_namedpipes.yml (95%) rename rules/windows/{sysmon => pipe_created}/sysmon_cred_dump_tools_named_pipes.yml (96%) rename rules/windows/{sysmon => pipe_created}/sysmon_mal_namedpipes.yml (96%) rename rules/windows/{sysmon => process_creation}/sysmon_cmstp_execution.yml (88%) rename rules/windows/{sysmon => raw_access_thread}/sysmon_raw_disk_access_using_illegitimate_tools.yml (92%) rename rules/windows/{sysmon => wmi_event}/sysmon_wmi_event_subscription.yml (96%) rename rules/windows/{sysmon => wmi_event}/sysmon_wmi_susp_scripting.yml (97%) diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml similarity index 96% rename from rules/windows/sysmon/sysmon_cactustorch.yml rename to rules/windows/create_remote_thread/sysmon_cactustorch.yml index 9b8b5ec95..403f8d506 100644 --- a/rules/windows/sysmon/sysmon_cactustorch.yml +++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml @@ -11,9 +11,9 @@ modified: 2020/08/28 logsource: product: windows service: sysmon + category: create_remote_thread detection: selection: - EventID: 8 SourceImage: - '*\System32\cscript.exe' - '*\System32\wscript.exe' diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml similarity index 96% rename from rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml rename to rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml index e2b972247..86e089169 100644 --- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml +++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml 
@@ -15,9 +15,9 @@ modified: 2020/08/28 logsource: product: windows service: sysmon + category: create_remote_thread detection: selection: - EventID: 8 TargetProcessAddress|endswith: - '0B80' - '0C7C' diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml similarity index 95% rename from rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml rename to rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml index bf831b326..4266f0cbc 100644 --- a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml +++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml @@ -14,9 +14,9 @@ tags: logsource: product: windows service: sysmon + category: create_remote_thread detection: selection: - EventID: 8 StartModule|endswith: '\kernel32.dll' StartFunction: 'LoadLibraryA' condition: selection diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml similarity index 95% rename from rules/windows/sysmon/sysmon_password_dumper_lsass.yml rename to rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml index a8d8db9b7..9f49922c4 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml @@ -9,9 +9,9 @@ date: 2017/02/19 logsource: product: windows service: sysmon + category: create_remote_thread detection: selection: - EventID: 8 TargetImage: 'C:\Windows\System32\lsass.exe' StartModule: '' condition: selection diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml similarity index 95% rename from rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml rename to rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml index 652da06fa..fc269c0ed 100644 
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml +++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml @@ -9,9 +9,9 @@ date: 2018/06/25 logsource: product: windows service: sysmon + category: create_remote_thread detection: selection: - EventID: 8 SourceImage: '*\powershell.exe' TargetImage: '*\rundll32.exe' condition: selection diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml similarity index 98% rename from rules/windows/sysmon/sysmon_suspicious_remote_thread.yml rename to rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml index fe2dee61a..e8b5bc984 100644 --- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml +++ b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml @@ -15,13 +15,13 @@ references: logsource: product: windows service: sysmon + category: create_remote_thread tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1055 detection: selection: - EventID: 8 SourceImage|endswith: - '\bash.exe' - '\cvtres.exe' diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml similarity index 90% rename from rules/windows/sysmon/sysmon_ads_executable.yml rename to rules/windows/create_stream_hash/sysmon_ads_executable.yml index 7eaed87c7..c228dfc23 100644 --- a/rules/windows/sysmon/sysmon_ads_executable.yml +++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml @@ -14,16 +14,15 @@ date: 2018/06/03 modified: 2020/08/26 logsource: product: windows + category: create_stream_hash service: sysmon definition: 'Requirements: Sysmon config with Imphash logging activated' detection: - selection: - EventID: 15 filter1: Imphash: '00000000000000000000000000000000' filter2: Imphash: null - condition: selection and not 1 of filter* + condition: not 1 of filter* fields: - TargetFilename - Image 
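Review bot: with `selection` removed, `sysmon_ads_executable.yml` is left with `condition: not 1 of filter*`, a purely negative condition that matches every event the logsource delivers whose Imphash is neither null nor all zeros, so the rule is only correct while `category: create_stream_hash` stays on the logsource. Any later edit that drops the category without restoring an event selector widens this to potentially every Sysmon event that carries an Imphash; a comment on the condition such as `# no positive selection: scoping comes entirely from category create_stream_hash` would make that dependency explicit. The `category:` key is also inserted above `service:` here, whereas the other rules in this patch that keep `service:` append `category:` after it; keep the order consistent.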
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml similarity index 98% rename from rules/windows/sysmon/sysmon_possible_dns_rebinding.yml rename to rules/windows/dns_query/sysmon_possible_dns_rebinding.yml index 5284ec125..d36d86358 100644 --- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml +++ b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml @@ -13,9 +13,9 @@ tags: logsource: product: windows service: sysmon + category: dns_query detection: dns_answer: - EventID: 22 QueryName: '*' QueryStatus: '0' filter_int_ip: diff --git a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml similarity index 96% rename from rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml rename to rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml index 69f18bf0a..910843ce3 100644 --- a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml +++ b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml @@ -7,7 +7,7 @@ reference: date: 2020/07/15 modified: 2020/08/26 logsource: - category: sysmon + category: image_load product: windows status: experimental tags: @@ -18,7 +18,6 @@ tags: detection: condition: selection_dll and not filter_legit selection_dll: - EventID: 7 ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll filter_legit: Image|endswith: diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml similarity index 97% rename from rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml rename to rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml index 4e064bc8e..0f8349222 100644 --- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml 
@@ -14,9 +14,9 @@ tags: logsource: product: windows service: sysmon + category: pipe_created detection: selection: - EventID: 17 PipeName|startswith: '\PSHost' filter: Image|endswith: diff --git a/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml similarity index 95% rename from rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml rename to rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml index f3c3f24cf..81f637082 100755 --- a/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml @@ -11,12 +11,10 @@ author: Markus Neis logsource: product: windows service: sysmon + category: pipe_created definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: - EventID: - - 17 - - 18 PipeName: - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection - '\userpipe' # ruag apt case diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml similarity index 96% rename from rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml rename to rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index 393aa87b3..8ffa62c2d 100644 --- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml @@ -16,9 +16,9 @@ tags: logsource: product: windows service: sysmon + category: pipe_created detection: selection: - EventID: 17 PipeName|contains: - '\lsadump' - '\cachedump' diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml similarity index 96% rename from rules/windows/sysmon/sysmon_mal_namedpipes.yml rename to rules/windows/pipe_created/sysmon_mal_namedpipes.yml index 7a5f81216..8b3a96577 100644 
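Review bot: dropping `EventID: 17` widens `sysmon_alternate_powershell_hosts_pipe.yml`, because the `pipe_created` mapping added to `tools/config/generic/sysmon.yml` in this same patch covers both EventID 17 (PipeCreated) and 18 (PipeConnected); a process merely connecting to a `\PSHost*` pipe will now match, whereas before only the creator did. The same applies to the `sysmon_cred_dump_tools_named_pipes.yml` hunk below, which also pinned 17. If the wider match is intended, say so in `description`; otherwise keep an explicit `EventID: 17` in the selection alongside the category.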
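Review bot: the `definition` line of `sysmon_apt_turla_namedpipes.yml` still reads 'Symson config' although this same patch corrects the identical typo in `sysmon_mal_namedpipes.yml`; change it to `definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'` while the file is being touched.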
--- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml @@ -9,12 +9,10 @@ author: Florian Roth logsource: product: windows service: sysmon - definition: 'Note that you have to configure logging for PipeEvents in Symson config' + category: pipe_created + definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' detection: selection: - EventID: - - 17 - - 18 PipeName: - '\isapi_http' # Uroburos Malware Named Pipe - '\isapi_dg' # Uroburos Malware Named Pipe diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/process_creation/sysmon_cmstp_execution.yml similarity index 88% rename from rules/windows/sysmon/sysmon_cmstp_execution.yml rename to rules/windows/process_creation/sysmon_cmstp_execution.yml index 5bf2897cf..faa2a4de4 100644 --- a/rules/windows/sysmon/sysmon_cmstp_execution.yml +++ b/rules/windows/process_creation/sysmon_cmstp_execution.yml @@ -28,20 +28,23 @@ level: high logsource: product: windows service: sysmon + category: registry_event detection: # Registry Object Add selection2: - EventID: 12 TargetObject: '*\cmmgr32.exe*' EventType: 'CreateKey' # Registry Object Value Set selection3: - EventID: 13 TargetObject: '*\cmmgr32.exe*' - # Process Access Call Trace +--- +logsource: + product: windows + service: sysmon + category: process_access +detection: selection4: - EventID: 10 - CallTrace: '*cmlua.dll*' + Calltrace: '*cmlua.dll*' --- logsource: category: process_creation diff --git a/rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml similarity index 92% rename from rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml rename to rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 0f4ec0b92..63890d408 100644 --- a/rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml 
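Review bot: the process-access selection in `sysmon_cmstp_execution.yml` is renamed from `CallTrace` to `Calltrace` in the new document, but the original spelling `CallTrace` is how Sysmon names the event 10 field and how the rest of this repository refers to it; on a case-sensitive backend `selection4` would stop matching, so keep `CallTrace: '*cmlua.dll*'`. The `# Process Access Call Trace` comment that explained the selection was dropped in the move; restore it above `selection4`. The global `condition` that ties `selection2`–`selection4` together lies outside this hunk, so check that splitting the Sysmon document into `registry_event` and `process_access` documents still yields the intended per-document queries.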
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -11,9 +11,8 @@ tags: logsource: product: windows service: sysmon + category: raw_access_thread detection: - selection: - EventID: 9 filter_1: Device|contains: floppy filter_2: @@ -32,7 +31,7 @@ detection: - '\dfsrs.exe' - '\vds.exe' - '\lsass.exe' - condition: selection and not filter_1 and not filter_2 + condition: not filter_1 and not filter_2 fields: - ComputerName - Image diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml similarity index 96% rename from rules/windows/sysmon/sysmon_wmi_event_subscription.yml rename to rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index df6b6e440..5bcd53f66 100644 --- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -11,6 +11,7 @@ date: 2019/01/12 logsource: product: windows service: sysmon + category: wmi_event detection: selector: EventID: diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml similarity index 97% rename from rules/windows/sysmon/sysmon_wmi_susp_scripting.yml rename to rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index e1f150b77..deebe6b25 100644 --- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -14,9 +14,9 @@ tags: logsource: product: windows service: sysmon + category: wmi_event detection: selection: - EventID: 20 Destination: - '*new-object system.net.webclient).downloadstring(*' - '*new-object system.net.webclient).downloadfile(*' diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml index 2d650f703..cd9436f45 100644 --- a/tools/config/generic/sysmon.yml +++ b/tools/config/generic/sysmon.yml 
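Review bot: removing `selection` leaves `sysmon_raw_disk_access_using_illegitimate_tools.yml` with `condition: not filter_1 and not filter_2`, a condition with no positive term, so the rule matches every event the `raw_access_thread` category delivers except the filtered devices and images. That is only correct while the category stays on the logsource; a comment such as `# no positive selection: scope comes entirely from category raw_access_thread` on the condition line would make the dependency explicit for the next editor.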
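Review bot: `sysmon_wmi_event_subscription.yml` gains `category: wmi_event` but keeps its explicit `EventID:` list under `selector` (the list continues past the hunk), whereas the sibling `sysmon_wmi_susp_scripting.yml` hunk below drops `EventID: 20` in favour of the category. Keeping both is harmless but inconsistent with the rest of the patch; either drop the `EventID` list here too or add a comment stating why it is retained.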
@@ -17,11 +17,59 @@ logsources: rewrite: product: windows service: sysmon - dns_query: - category: dns_query + process_terminated: + category: process_termination product: windows conditions: - EventID: 22 + EventID: 5 + rewrite: + product: windows + service: sysmon + driver_loaded: + category: driver_load + product: windows + conditions: + EventID: 6 + rewrite: + product: windows + service: sysmon + image_loaded: + category: image_load + product: windows + conditions: + EventID: 7 + rewrite: + product: windows + service: sysmon + create_remote_thread: + category: create_remote_thread + product: windows + conditions: + EventID: 8 + rewrite: + product: windows + service: sysmon + raw_access_thread: + category: raw_access_thread + product: windows + conditions: + EventID: 9 + rewrite: + product: windows + service: sysmon + process_access: + category: process_access + product: windows + conditions: + EventID: 10 + rewrite: + product: windows + service: sysmon + file_creation: + category: file_event + product: windows + conditions: + EventID: 11 rewrite: product: windows service: sysmon 
@@ -36,44 +84,40 @@ logsources: rewrite: product: windows service: sysmon - file_creation: - category: file_event + create_stream_hash: + category: create_stream_hash product: windows conditions: - EventID: 11 + EventID: 15 rewrite: product: windows service: sysmon - process_access: - category: process_access + pipe_created: + category: pipe_created product: windows conditions: - EventID: 10 + EventID: + - 17 + - 18 rewrite: product: windows service: sysmon - image_loaded: - category: image_load + wmi_event: + category: wmi_event product: windows conditions: - EventID: 7 + EventID: + - 19 + - 20 + - 21 rewrite: product: windows service: sysmon - driver_loaded: - category: driver_load + dns_query: + category: dns_query product: windows conditions: - EventID: 6 + EventID: 22 rewrite: product: windows - service: sysmon - process_terminated: - category: process_termination - product: windows - conditions: - EventID: 5 - rewrite: - product: windows - service: sysmon - + service: sysmon \ No newline at end of file From 495b05572f71561c98dff074007f733ddcc70da0 Mon Sep 17 00:00:00 2001 From: Steven Date: Wed, 30 Sep 2020 20:49:05 +0200 Subject: [PATCH 004/254] Remove old file --- .../win_susp_desktopimgdownldr_command.yml | 30 ------------------- 1 file changed, 30 deletions(-) delete mode 100644 rules/windows/file_event/win_susp_desktopimgdownldr_command.yml diff --git a/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml b/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml deleted file mode 100644 index e38bcc165..000000000 --- a/rules/windows/file_event/win_susp_desktopimgdownldr_command.yml +++ /dev/null 
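Review bot: the new `pipe_created` entry maps both EventID 17 (PipeCreated) and 18 (PipeConnected) onto a single category, so rules that previously pinned `EventID: 17` only (`sysmon_alternate_powershell_hosts_pipe.yml`, `sysmon_cred_dump_tools_named_pipes.yml`) now also fire on pipe connects once their explicit EventID is removed. If that is intended, a comment on the entry such as `# 18 = PipeConnected: rules on this category match connects as well as creates` would document it; otherwise give 18 its own key. The hunk also drops the trailing newline at the end of the file (`\ No newline at end of file`); restore it.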
@@ -1,30 +0,0 @@ -title: Suspicious desktopimgdownldr Command -id: 9b565325-4b31-4c1a-abfc-9aa0c411e1b8 -status: experimental -description: Detects a suspicious Microsoft desktopimgdownldr execution where the systemroot is changed to writable directory -author: Steven Goossens -modified: 2020/07/02 -date: 2020/07/02 -references: - - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ -logsource: - category: file_creation - product: windows -detection: - selection: - Image: - - '*desktopimgdownldr.exe' - filter: - TargetFileName: - - 'C:\Windows\Personalization\LockScreenImage' - condition: selection and not filter -fields: - - CommandLine - - ParentCommandLine -tags: - - attack.defense_evasion - - attack.ta0005 - - attack.t1140 - - attack.t1105 -falsepositives: -level: high From 0c9a82af89bd8691c1f3d75123cbbae8519936d0 Mon Sep 17 00:00:00 2001 
From: Steven Date: Fri, 2 Oct 2020 09:37:52 +0200 Subject: [PATCH 005/254] - Remove 'service: sysmon' since defining the categories made the rules generic --- rules/windows/create_remote_thread/sysmon_cactustorch.yml | 1 - .../sysmon_cobaltstrike_process_injection.yml | 1 - .../sysmon_createremotethread_loadlibrary.yml | 1 - .../create_remote_thread/sysmon_password_dumper_lsass.yml | 1 - .../create_remote_thread/sysmon_susp_powershell_rundll32.yml | 1 - .../create_remote_thread/sysmon_suspicious_remote_thread.yml | 1 - rules/windows/create_stream_hash/sysmon_ads_executable.yml | 1 - rules/windows/dns_query/sysmon_possible_dns_rebinding.yml | 1 - .../pipe_created/sysmon_alternate_powershell_hosts_pipe.yml | 1 - rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml | 1 - .../windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml | 1 - rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 1 - .../sysmon_raw_disk_access_using_illegitimate_tools.yml | 1 - rules/windows/wmi_event/sysmon_wmi_event_subscription.yml | 1 - rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml | 1 - 15 files changed, 15 deletions(-) diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml index 403f8d506..dfdbcc7fa 100644 --- a/rules/windows/create_remote_thread/sysmon_cactustorch.yml +++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml @@ -10,7 +10,6 @@ date: 2019/02/01 modified: 2020/08/28 logsource: product: windows - service: sysmon category: create_remote_thread detection: selection: diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml index 86e089169..fb0e4c916 100644 --- a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml +++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml 
@@ -14,7 +14,6 @@ date: 2018/11/30 modified: 2020/08/28 logsource: product: windows - service: sysmon category: create_remote_thread detection: selection: diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml index 4266f0cbc..d2a497b27 100644 --- a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml +++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml @@ -13,7 +13,6 @@ tags: - attack.t1055.001 logsource: product: windows - service: sysmon category: create_remote_thread detection: selection: diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml index 9f49922c4..802293759 100644 --- a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml +++ b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml @@ -8,7 +8,6 @@ author: Thomas Patzke date: 2017/02/19 logsource: product: windows - service: sysmon category: create_remote_thread detection: selection: diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml index fc269c0ed..acd05005c 100644 --- a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml +++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml @@ -8,7 +8,6 @@ references: date: 2018/06/25 logsource: product: windows - service: sysmon category: create_remote_thread detection: selection: diff --git a/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml index e8b5bc984..d9433e19e 100644 --- a/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml +++ b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml 
@@ -14,7 +14,6 @@ references: - https://lolbas-project.github.io logsource: product: windows - service: sysmon category: create_remote_thread tags: - attack.privilege_escalation diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml index c228dfc23..5829b5659 100644 --- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml +++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml @@ -14,7 +14,6 @@ date: 2018/06/03 modified: 2020/08/26 logsource: product: windows - category: create_stream_hash service: sysmon definition: 'Requirements: Sysmon config with Imphash logging activated' detection: diff --git a/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml index d36d86358..bf301a32a 100644 --- a/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml +++ b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml @@ -12,7 +12,6 @@ tags: - attack.t1189 logsource: product: windows - service: sysmon category: dns_query detection: dns_answer: diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml index 0f8349222..a2f7e2bb6 100644 --- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml @@ -13,7 +13,6 @@ tags: - attack.t1059.001 logsource: product: windows - service: sysmon category: pipe_created detection: selection: diff --git a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml index 81f637082..ac2069f83 100755 --- a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml 
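Review bot: the `sysmon_ads_executable.yml` hunk removes `category: create_stream_hash` instead of `service: sysmon`, the opposite of what the commit message and every other hunk in this patch do. Because patch 003 already deleted the `EventID: 15` selection and left `condition: not 1 of filter*`, the rule is now scoped only by `service: sysmon` and will match any Sysmon event whose Imphash is present and non-zero — a large false-positive regression. Keep the category and drop the service line instead, leaving `product: windows` and `category: create_stream_hash` under `logsource`.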
@@ -10,7 +10,6 @@ tags: author: Markus Neis logsource: product: windows - service: sysmon category: pipe_created definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: diff --git a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index 8ffa62c2d..ad56fd69a 100644 --- a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml @@ -15,7 +15,6 @@ tags: - attack.t1003.005 logsource: product: windows - service: sysmon category: pipe_created detection: selection: diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index 8b3a96577..9381c00a0 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml @@ -8,7 +8,6 @@ date: 2017/11/06 author: Florian Roth logsource: product: windows - service: sysmon category: pipe_created definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' detection: diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 63890d408..72fbafb62 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -10,7 +10,6 @@ tags: - attack.t1006 logsource: product: windows - service: sysmon category: raw_access_thread detection: filter_1: diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index 5bcd53f66..fc1bb7513 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml 
@@ -10,7 +10,6 @@ author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 logsource: product: windows - service: sysmon category: wmi_event detection: selector: diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index deebe6b25..ae3a3ca03 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -13,7 +13,6 @@ tags: - attack.t1059.005 logsource: product: windows - service: sysmon category: wmi_event detection: selection: From 05d2de4c267856ff843e7aca3824d98ee453412e Mon Sep 17 00:00:00 2001 
From: Steven Date: Fri, 2 Oct 2020 10:45:29 +0200 Subject: [PATCH 006/254] - Cleaned up some more rules where 'service: sysmon' was combined with category - Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml modified: rules/windows/malware/mal_azorult_reg.yml modified: rules/windows/powershell/powershell_suspicious_profile_create.yml modified: rules/windows/process_creation/sysmon_cmstp_execution.yml modified: rules/windows/process_creation/win_apt_chafer_mar18.yml modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml modified: rules/windows/process_creation/win_hktl_createminidump.yml modified: rules/windows/process_creation/win_mal_adwind.yml modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml --- .../win_invoke_obfuscation_obfuscated_iex_services.yml | 2 +- rules/windows/malware/mal_azorult_reg.yml | 5 +---- .../powershell/powershell_suspicious_profile_create.yml | 6 ++---- rules/windows/process_creation/sysmon_cmstp_execution.yml | 2 -- rules/windows/process_creation/win_apt_chafer_mar18.yml | 2 +- .../process_creation/win_apt_unidentified_nov_18.yml | 4 ++-- rules/windows/process_creation/win_hktl_createminidump.yml | 3 +-- rules/windows/process_creation/win_mal_adwind.yml | 6 ++---- .../process_creation/win_silenttrinity_stage_use.yml | 5 +---- 9 files changed, 11 insertions(+), 24 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml index e02bb5d05..1695289f7 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml @@ -31,7 +31,7 @@ detection: --- logsource: product: windows - service: sysmon + category: driver_load detection: selection: EventID: 6 
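Review bot: `EventID: 6` is kept under the new `category: driver_load` in win_invoke_obfuscation_obfuscated_iex_services.yml, so the rule stays tied to Sysmon's event numbering although the commit's stated aim is product-independent rules; the category already carries that constraint through the backend logsource mapping (the tools/config/generic/sysmon.yml hunk later in this series maps each category to an `EventID` condition). The same leftover appears in win_apt_chafer_mar18.yml (`EventID: 13` under `category: registry_event`), win_apt_unidentified_nov_18.yml (`EventID: 11` under `category: file_event`) and later win_mal_flowcloud.yml, whereas win_hktl_createminidump.yml and mal_azorult_reg.yml in this same patch drop the line. Dropping the `EventID` line here as well, or the whole per-document `detection` block when it holds nothing else (as patch 011 does for the sibling win_invoke_obfuscation_*_services.yml files), keeps the series consistent; where a registry rule must pin one event type, a product-neutral field such as `EventType` (as sysmon_removal_com_hijacking_registry_key.yml does with `EventType: 'DeleteKey'`) expresses that without the numeric ID. The enclosing documents start outside the hunk.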
diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml index d99e7c471..1763ddd44 100644 --- a/rules/windows/malware/mal_azorult_reg.yml +++ b/rules/windows/malware/mal_azorult_reg.yml @@ -11,12 +11,9 @@ tags: - attack.t1112 logsource: product: windows - service: sysmon + category: registry_event detection: selection: - EventID: - - 12 - - 13 TargetObject: - '*SYSTEM\\*\services\localNETService' condition: selection diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml index d1bb7343c..e07a660ad 100644 --- a/rules/windows/powershell/powershell_suspicious_profile_create.yml +++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml @@ -9,10 +9,8 @@ date: 2019/10/24 modified: 2020/08/24 logsource: product: windows - service: sysmon + category: file_event detection: - event: - EventID: 11 target1: TargetFilename|contains|all: - '\My Documents\PowerShell\' @@ -21,7 +19,7 @@ detection: TargetFilename|contains|all: - 'C:\Windows\System32\WindowsPowerShell\v1.0\' - '\profile.ps1' - condition: event and (target1 or target2) + condition: target1 or target2 falsepositives: - System administrator create Powershell profile manually level: high diff --git a/rules/windows/process_creation/sysmon_cmstp_execution.yml b/rules/windows/process_creation/sysmon_cmstp_execution.yml index faa2a4de4..d86de0546 100644 --- a/rules/windows/process_creation/sysmon_cmstp_execution.yml +++ b/rules/windows/process_creation/sysmon_cmstp_execution.yml @@ -27,7 +27,6 @@ level: high --- logsource: product: windows - service: sysmon category: registry_event detection: # Registry Object Add @@ -40,7 +39,6 @@ detection: --- logsource: product: windows - service: sysmon category: process_access detection: selection4: 
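Review bot: `modified: 2020/08/24` in powershell_suspicious_profile_create.yml is left untouched although the rule's logic changes (`condition: target1 or target2` replaces `condition: event and (target1 or target2)` and the Sysmon-specific `event` selector is removed), so consumers that track rule revisions by that field will not see the change. The Sigma convention is to bump `modified` whenever detection logic or logsource changes; the same applies to every rule rewritten in this series (for example sysmon_ads_executable.yml keeps `modified: 2020/08/26` while its logsource is rewritten). A one-line change per file, `modified: 2020/10/02`, is all that is needed.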
diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index 1662eac37..e0d64f359 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml @@ -48,7 +48,7 @@ detection: --- logsource: product: windows - service: sysmon + category: registry_event detection: selection_reg1: EventID: 13 diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index b36bd2f40..18f3e41b3 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -27,9 +27,9 @@ detection: # Sysmon: File Creation (ID 11) logsource: product: windows - service: sysmon + category: file_event detection: selection2: EventID: 11 TargetFilename: - - '*ds7002.lnk*' \ No newline at end of file + - '*ds7002.lnk*' diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index e10dfac4e..76b67dd34 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -26,9 +26,8 @@ detection: --- logsource: product: windows - service: sysmon + category: file_event detection: selection: - EventID: 11 TargetFilename|contains: '*\lsass.dmp' condition: 1 of them diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index 574c7e182..b1276c73d 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml 
@@ -29,19 +29,17 @@ detection: --- logsource: product: windows - service: sysmon + category: file_event detection: selection: - EventID: 11 TargetFilename: - '*\AppData\Roaming\Oracle\bin\java*.exe' - '*\Retrive*.vbs' --- logsource: product: windows - service: sysmon + category: registry_event detection: selection: - EventID: 13 TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* Details: '%AppData%\Roaming\Oracle\bin\\*' diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml index 41e4e6cc1..66fa5a3f6 100644 --- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml +++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml @@ -23,8 +23,5 @@ logsource: product: windows --- logsource: + category: image_load product: windows - service: sysmon -detection: - selection: - EventID: 7 From 18e0af986aff68b368839300fc92fe7c9b584af2 Mon Sep 17 00:00:00 2001 From: Steven Date: Fri, 2 Oct 2020 10:54:15 +0200 Subject: [PATCH 007/254] - Fix for sysmon_ads_executable.yml --- rules/windows/create_stream_hash/sysmon_ads_executable.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml index 5829b5659..5a0995305 100644 --- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml +++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml @@ -14,7 +14,7 @@ date: 2018/06/03 modified: 2020/08/26 logsource: product: windows - service: sysmon + category: create_stream_hash definition: 'Requirements: Sysmon config with Imphash logging activated' detection: filter1: From 77cb49d057c06d0f49d49105668bf1391851e255 Mon Sep 17 00:00:00 2001 
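Review bot: In win_silenttrinity_stage_use.yml the rebuilt document lists `category: image_load` before `product: windows`, the reverse of every other logsource written in this series, where `product` comes first; keeping the same key order makes the files uniform and diff-friendly. The document is now logsource-only with no `detection`, so it relies entirely on the global document's selection and condition, which lie outside this hunk; it is worth confirming that the global condition still references only identifiers defined there, since the removed `selection` with `EventID: 7` was the only selection this document contributed.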
From: Steven Date: Fri, 2 Oct 2020 11:25:30 +0200 Subject: [PATCH 008/254] Keep empty sysmon directory so tests will still run --- rules/windows/sysmon/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 rules/windows/sysmon/.keep diff --git a/rules/windows/sysmon/.keep b/rules/windows/sysmon/.keep new file mode 100644 index 000000000..e69de29bb From 3b30a91185f10f78666b72576e138e90c8e49f75 Mon Sep 17 00:00:00 2001 From: herrBez Date: Tue, 6 Apr 2021 16:41:46 +0200 Subject: [PATCH 009/254] Fix es-dsl aggregation generation when aggfield is not given Related to #542 and #543 --- tools/sigma/backends/elasticsearch.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index e7bf3ec21..a60c8cc3a 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -509,16 +509,22 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast } else: # if the condition is count() by MyGroupedField > XYZ group_aggname = "{}_count".format(agg.groupfield) + count_agg_name = "single_{}_count".format(agg.groupfield) self.queries[-1]['aggs'] = { group_aggname: { 'terms': { 'field': '%s' % (agg.groupfield) }, 'aggs': { + count_agg_name: { + 'value_count': { + 'field': '%s' % agg.groupfield + } + }, 'limit': { 'bucket_selector': { 'buckets_path': { - 'count': group_aggname + 'count': count_agg_name }, 'script': 'params.count %s %s' % (agg.cond_op, agg.condition) } From 7b679cc1f796093b279bf2a4111340d7ac207d99 Mon Sep 17 00:00:00 2001 
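Review bot: The new `value_count` sub-aggregation counts field values rather than documents, so when `agg.groupfield` is multi-valued the `params.count` compared in the `bucket_selector` can exceed the bucket's document count and the threshold fires early. Elasticsearch exposes a bucket's document count directly through the reserved `_count` buckets_path, which needs no extra aggregation: `'count': '_count'`, with the `count_agg_name` block dropped. If the explicit `value_count` is wanted for another reason, a comment on the `count_agg_name = ...` line stating why would help the next reader. The enclosing method continues outside the hunk.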
From: Steven Date: Thu, 15 Apr 2021 01:40:31 +0200 Subject: [PATCH 010/254] - Modified rules to use categories instead of hardcoded event IDs - Added file_delete category (Sysmon Event ID 23) to the generic translation file --- .../sysmon_regedit_export_to_ads.yml | 2 +- .../sysmon_sysinternals_sdelete_file_deletion.yml | 0 .../sysmon_startup_folder_file_write.yml | 2 +- .../sysmon_susp_pfx_file_creation.yml | 2 +- rules/windows/image_load/sysmon_susp_image_load.yml | 1 + .../sysmon_susp_system_drawing_load.yml | 2 +- .../sysmon_powershell_execution_pipe.yml | 2 +- .../sysmon_psexec_pipes_artifacts.yml | 4 +--- .../sysmon_new_application_appcompat.yml | 2 +- .../sysmon_removal_com_hijacking_registry_key.yml | 2 +- tools/config/generic/sysmon.yml | 8 ++++++++ 11 files changed, 17 insertions(+), 10 deletions(-) rename rules/windows/{sysmon => create_stream_hash}/sysmon_regedit_export_to_ads.yml (95%) rename rules/windows/{sysmon => file_delete}/sysmon_sysinternals_sdelete_file_deletion.yml (100%) rename rules/windows/{sysmon => file_event}/sysmon_startup_folder_file_write.yml (95%) rename rules/windows/{sysmon => file_event}/sysmon_susp_pfx_file_creation.yml (95%) rename rules/windows/{sysmon => image_load}/sysmon_susp_system_drawing_load.yml (95%) rename rules/windows/{sysmon => pipe_created}/sysmon_powershell_execution_pipe.yml (95%) rename rules/windows/{sysmon => pipe_created}/sysmon_psexec_pipes_artifacts.yml (93%) rename rules/windows/{sysmon => registry_event}/sysmon_new_application_appcompat.yml (95%) rename rules/windows/{sysmon => registry_event}/sysmon_removal_com_hijacking_registry_key.yml (96%) diff --git a/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml similarity index 95% rename from rules/windows/sysmon/sysmon_regedit_export_to_ads.yml rename to rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml index bfd3bb138..5283d5017 100644 
--- a/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml +++ b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml @@ -13,9 +13,9 @@ date: 2020/10/07 logsource: product: windows service: sysmon + category: create_stream_hash detection: selection: - EventID: 15 Image|endswith: '\regedit.exe' condition: selection fields: diff --git a/rules/windows/sysmon/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml similarity index 100% rename from rules/windows/sysmon/sysmon_sysinternals_sdelete_file_deletion.yml rename to rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml diff --git a/rules/windows/sysmon/sysmon_startup_folder_file_write.yml b/rules/windows/file_event/sysmon_startup_folder_file_write.yml similarity index 95% rename from rules/windows/sysmon/sysmon_startup_folder_file_write.yml rename to rules/windows/file_event/sysmon_startup_folder_file_write.yml index cd710e2ec..f6f4c6278 100644 --- a/rules/windows/sysmon/sysmon_startup_folder_file_write.yml +++ b/rules/windows/file_event/sysmon_startup_folder_file_write.yml @@ -13,9 +13,9 @@ references: logsource: product: windows service: sysmon + category: file_event detection: selection: - EventID: 11 TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp' condition: selection falsepositives: diff --git a/rules/windows/sysmon/sysmon_susp_pfx_file_creation.yml b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml similarity index 95% rename from rules/windows/sysmon/sysmon_susp_pfx_file_creation.yml rename to rules/windows/file_event/sysmon_susp_pfx_file_creation.yml index d6cca64d8..5c968fdf6 100644 --- a/rules/windows/sysmon/sysmon_susp_pfx_file_creation.yml +++ b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml 
@@ -13,9 +13,9 @@ references: logsource: product: windows service: sysmon + category: file_event detection: selection: - EventID: 11 TargetFilename|endswith: '.pfx' condition: selection falsepositives: diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml index 5bf530559..2cc818ad7 100755 --- a/rules/windows/image_load/sysmon_susp_image_load.yml +++ b/rules/windows/image_load/sysmon_susp_image_load.yml @@ -14,6 +14,7 @@ tags: logsource: category: image_load product: windows + service: sysmon detection: selection: Image|endswith: diff --git a/rules/windows/sysmon/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml similarity index 95% rename from rules/windows/sysmon/sysmon_susp_system_drawing_load.yml rename to rules/windows/image_load/sysmon_susp_system_drawing_load.yml index 22f216a6a..771952fe7 100644 --- a/rules/windows/sysmon/sysmon_susp_system_drawing_load.yml +++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml @@ -12,7 +12,7 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html logsource: product: windows - service: image_load + category: image_load detection: selection: ImageLoaded|endswith: '\System.Drawing.ni.dll' diff --git a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml similarity index 95% rename from rules/windows/sysmon/sysmon_powershell_execution_pipe.yml rename to rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml index bd1ea4281..fdff493bf 100644 --- a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml +++ b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml 
@@ -12,9 +12,9 @@ references: logsource: product: windows service: sysmon + category: pipe_created detection: selection: - EventID: 17 PipeName|startswith: '\PSHost' condition: selection falsepositives: diff --git a/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml similarity index 93% rename from rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml rename to rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml index 8ac9f2e3a..6b8fd466a 100644 --- a/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml +++ b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml @@ -12,12 +12,10 @@ tags: logsource: product: windows service: sysmon + category: pipe_created definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: - EventID: - - 17 - - 18 PipeName|startswith: - 'psexec' - 'paexec' diff --git a/rules/windows/sysmon/sysmon_new_application_appcompat.yml b/rules/windows/registry_event/sysmon_new_application_appcompat.yml similarity index 95% rename from rules/windows/sysmon/sysmon_new_application_appcompat.yml rename to rules/windows/registry_event/sysmon_new_application_appcompat.yml index b390fec1b..6ff348205 100644 --- a/rules/windows/sysmon/sysmon_new_application_appcompat.yml +++ b/rules/windows/registry_event/sysmon_new_application_appcompat.yml @@ -13,9 +13,9 @@ references: logsource: product: windows service: sysmon + category: registry_event detection: selection: - EventID: 13 TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' condition: selection falsepositives: 
diff --git a/rules/windows/sysmon/sysmon_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml similarity index 96% rename from rules/windows/sysmon/sysmon_removal_com_hijacking_registry_key.yml rename to rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml index 0e5846220..d9238c560 100644 --- a/rules/windows/sysmon/sysmon_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml @@ -16,9 +16,9 @@ references: logsource: product: windows service: sysmon + category: registry_event detection: selection: - EventID: 12 EventType: 'DeleteKey' TargetObject|endswith: '\shell\open\command' condition: selection diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml index cd9436f45..e9d81e1fd 100644 --- a/tools/config/generic/sysmon.yml +++ b/tools/config/generic/sysmon.yml @@ -118,6 +118,14 @@ logsources: product: windows conditions: EventID: 22 + rewrite: + product: windows + service: sysmon + file_delete: + category: file_delete + product: windows + conditions: + EventID: 23 rewrite: product: windows service: sysmon \ No newline at end of file From d263b937b4c361bb9fbf49ad971e8962cc613644 Mon Sep 17 00:00:00 2001 
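Review bot: The new `file_delete` entry in tools/config/generic/sysmon.yml binds the category to `EventID: 23` only; Sysmon releases after this commit's date also report deletions through event 26 (FileDeleteDetected, emitted when the file is not archived), so rules written against this category, such as sysmon_sysinternals_sdelete_file_deletion.yml later in this series, would miss those records on such deployments. If both are intended, the condition can take a list, `EventID:` followed by `- 23` and `- 26`, and a short comment noting which Sysmon version introduced the second ID would document the choice. The hunk also preserves the missing trailing newline (`\ No newline at end of file` on the last `service: sysmon` line); ending the file with a newline avoids a spurious diff on the next edit.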
From: Steven Date: Thu, 15 Apr 2021 02:02:25 +0200 Subject: [PATCH 011/254] Clean-up service: sysmon as it will be replaced by filling the category --- .../builtin/win_invoke_obfuscation_clip+_services.yml | 5 +---- .../builtin/win_invoke_obfuscation_stdin+_services.yml | 5 +---- .../builtin/win_invoke_obfuscation_var+_services.yml | 7 ++----- .../win_invoke_obfuscation_via_compress_services.yml | 5 +---- .../builtin/win_invoke_obfuscation_via_rundll_services.yml | 5 +---- .../builtin/win_invoke_obfuscation_via_stdin_services.yml | 5 +---- .../win_invoke_obfuscation_via_use_clip_services.yml | 5 +---- .../win_invoke_obfuscation_via_use_mhsta_services.yml | 5 +---- .../win_invoke_obfuscation_via_use_rundll32_services.yml | 5 +---- .../builtin/win_invoke_obfuscation_via_var++_services.yml | 5 +---- rules/windows/builtin/win_mal_creddumper.yml | 5 +---- ...eter_or_cobaltstrike_getsystem_service_installation.yml | 5 +---- rules/windows/builtin/win_net_ntlm_downgrade.yml | 3 +-- rules/windows/builtin/win_tap_driver_installation.yml | 5 +---- .../create_stream_hash/sysmon_regedit_export_to_ads.yml | 1 - .../sysmon_sysinternals_sdelete_file_deletion.yml | 3 +-- .../file_event/sysmon_startup_folder_file_write.yml | 1 - rules/windows/file_event/sysmon_susp_pfx_file_creation.yml | 1 - rules/windows/image_load/sysmon_susp_image_load.yml | 1 - rules/windows/malware/win_mal_blue_mockingbird.yml | 3 +-- rules/windows/malware/win_mal_flowcloud.yml | 2 +- rules/windows/malware/win_mal_octopus_scanner.yml | 2 +- rules/windows/malware/win_mal_ursnif.yml | 3 +-- .../pipe_created/sysmon_powershell_execution_pipe.yml | 1 - .../windows/pipe_created/sysmon_psexec_pipes_artifacts.yml | 1 - rules/windows/powershell/powershell_code_injection.yml | 4 +--- .../registry_event/sysmon_new_application_appcompat.yml | 1 - .../sysmon_removal_com_hijacking_registry_key.yml | 1 - 28 files changed, 21 insertions(+), 74 deletions(-) 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml index 95d562295..0755a4293 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml @@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml index ae5bf974b..aa415217e 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml @@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index cd893f908..87b1573bc 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml @@ -29,12 +29,9 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- - logsource: +logsource: product: windows service: security detection: diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index e15561a51..8ccaab0d2 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml 
@@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index 3bad01d92..f89920462 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index 9790bb96b..e52b45df7 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index 28e5e44fc..ec7ce717c 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml index 3df3229c0..b2a53ed0d 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml 
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml @@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 19c236c76..8418d6250 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml index 0504ec1d4..e76f583c7 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml @@ -29,10 +29,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index a9a49ce1d..621af8a5a 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -53,10 +53,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 222cec980..960858a80 100644 
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -51,10 +51,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 2883f3df2..c8c2a4307 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -20,10 +20,9 @@ level: critical --- logsource: product: windows - service: sysmon + category: registry_event detection: selection1: - EventID: 13 TargetObject|contains|all: - 'SYSTEM\' - 'ControlSet' diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml index 42d05509b..ea8573b1c 100644 --- a/rules/windows/builtin/win_tap_driver_installation.yml +++ b/rules/windows/builtin/win_tap_driver_installation.yml @@ -25,10 +25,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml index 5283d5017..34652dad4 100644 --- a/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml +++ b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml @@ -12,7 +12,6 @@ author: Oddvar Moe, Sander Wiebing, oscd.community date: 2020/10/07 logsource: product: windows - service: sysmon category: create_stream_hash detection: selection: diff --git a/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml index 0f1cfbf58..f376c51db 100644 
--- a/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml @@ -12,10 +12,9 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html logsource: product: windows - service: sysmon + category: file_delete detection: selection: - EventID: 23 TargetFilename|endswith: - '.AAA' - '.ZZZ' diff --git a/rules/windows/file_event/sysmon_startup_folder_file_write.yml b/rules/windows/file_event/sysmon_startup_folder_file_write.yml index f6f4c6278..d20ad26ed 100644 --- a/rules/windows/file_event/sysmon_startup_folder_file_write.yml +++ b/rules/windows/file_event/sysmon_startup_folder_file_write.yml @@ -12,7 +12,6 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html logsource: product: windows - service: sysmon category: file_event detection: selection: diff --git a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml index 5c968fdf6..e9e962736 100644 --- a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml +++ b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml @@ -12,7 +12,6 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html logsource: product: windows - service: sysmon category: file_event detection: selection: diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml index 2cc818ad7..5bf530559 100755 --- a/rules/windows/image_load/sysmon_susp_image_load.yml +++ b/rules/windows/image_load/sysmon_susp_image_load.yml @@ -14,7 +14,6 @@ tags: logsource: category: image_load product: windows - service: sysmon detection: selection: Image|endswith: 
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml index c40f28d76..0752d9584 100644 --- a/rules/windows/malware/win_mal_blue_mockingbird.yml +++ b/rules/windows/malware/win_mal_blue_mockingbird.yml @@ -37,9 +37,8 @@ detection: --- logsource: product: windows - service: sysmon + category: registry_event detection: mod_reg: - EventID: 13 TargetObject|endswith: - '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml index d033b4b84..95a72af54 100644 --- a/rules/windows/malware/win_mal_flowcloud.yml +++ b/rules/windows/malware/win_mal_flowcloud.yml @@ -11,7 +11,7 @@ tags: date: 2020/06/09 logsource: product: windows - service: sysmon + category: registry_event detection: selection: EventID: diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml index 0c710eae5..e7db87a69 100644 --- a/rules/windows/malware/win_mal_octopus_scanner.yml +++ b/rules/windows/malware/win_mal_octopus_scanner.yml @@ -12,9 +12,9 @@ date: 2020/06/09 logsource: product: windows service: sysmon + category: file_event detection: filecreate: - EventID: 11 selection: TargetFilename|endswith: - '\AppData\Local\Microsoft\Cache134.dat' diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml index a0c51c74a..ca934073f 100644 --- a/rules/windows/malware/win_mal_ursnif.yml +++ b/rules/windows/malware/win_mal_ursnif.yml @@ -12,10 +12,9 @@ author: megan201296 date: 2019/02/13 logsource: product: windows - service: sysmon + category: registry_event detection: selection: - EventID: 13 TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\' condition: selection falsepositives: 
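Review bot: In win_mal_octopus_scanner.yml, removing `EventID: 11` leaves `filecreate:` as an empty mapping, so a `condition` that still references it (the condition line is outside the hunk) would now bind to an empty selection, which is at best ignored and may be rejected by sigmac; the `filecreate:` key should be removed too and the condition reduced to `selection`. This file also keeps `service: sysmon` next to the new `category: file_event`, while every other hunk in this patch drops that line. Both enclosing documents continue outside the hunk.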
diff --git a/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml index fdff493bf..0546b2cdc 100644 --- a/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml +++ b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml @@ -11,7 +11,6 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html logsource: product: windows - service: sysmon category: pipe_created detection: selection: diff --git a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml index 6b8fd466a..258a0a1d9 100644 --- a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml +++ b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml @@ -11,7 +11,6 @@ tags: - attack.t1021.002 logsource: product: windows - service: sysmon category: pipe_created definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml index 47d220c50..829a9dba8 100644 --- a/rules/windows/powershell/powershell_code_injection.yml +++ b/rules/windows/powershell/powershell_code_injection.yml @@ -11,12 +11,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: sysmon + category: create_remote_thread definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config' detection: selection: - EventID: - - 8 SourceImage|endswith: '\powershell.exe' condition: selection falsepositives: diff --git a/rules/windows/registry_event/sysmon_new_application_appcompat.yml b/rules/windows/registry_event/sysmon_new_application_appcompat.yml index 6ff348205..298f2660f 100644 --- a/rules/windows/registry_event/sysmon_new_application_appcompat.yml +++ b/rules/windows/registry_event/sysmon_new_application_appcompat.yml 
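Review bot: The `definition` line kept in powershell_code_injection.yml still misspells the tool as 'Symson'; with the logsource now on `category: create_remote_thread`, this line is the only place that tells the reader which Sysmon configuration is required, so it should read `definition: 'Note that you have to configure logging for CreateRemoteThread in Sysmon config'`. The same typo sits in the `definition` lines of sysmon_psexec_pipes_artifacts.yml in this patch and sysmon_apt_turla_namedpipes.yml earlier in the series.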
@@ -12,7 +12,6 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html logsource: product: windows - service: sysmon category: registry_event detection: selection: diff --git a/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml index d9238c560..d834dcb1b 100644 --- a/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml @@ -15,7 +15,6 @@ references: - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code logsource: product: windows - service: sysmon category: registry_event detection: selection: From ecbd730dad582fdf60a2cbc07e5e83a5324251c2 Mon Sep 17 00:00:00 2001 From: Steven Date: Thu, 15 Apr 2021 02:07:43 +0200 Subject: [PATCH 012/254] Fix syntax errors in some rules --- .../win_invoke_obfuscation_var+_services.yml | 4 ++-- .../process_creation/cmstp_execution.yml | 1 - .../sysmon_cmstp_execution.yml | 23 ------------------- .../win_apt_unidentified_nov_18.yml | 5 ---- 4 files changed, 2 insertions(+), 31 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index 87b1573bc..fd9da25ab 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml @@ -34,6 +34,6 @@ logsource: logsource: product: windows service: security - detection: +detection: selection: - EventID: 4697 \ No newline at end of file + EventID: 4697 diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/cmstp_execution.yml index 71baa14b2..330c43bde 100644 --- a/rules/windows/process_creation/cmstp_execution.yml +++ b/rules/windows/process_creation/cmstp_execution.yml 
@@ -21,7 +21,6 @@ fields: falsepositives: - Legitimate CMSTP use (unlikely in modern enterprise environments) level: high -<<<<<<< HEAD:rules/windows/process_creation/sysmon_cmstp_execution.yml --- logsource: product: windows diff --git a/rules/windows/process_creation/sysmon_cmstp_execution.yml b/rules/windows/process_creation/sysmon_cmstp_execution.yml index 71baa14b2..7a27dc2f2 100644 --- a/rules/windows/process_creation/sysmon_cmstp_execution.yml +++ b/rules/windows/process_creation/sysmon_cmstp_execution.yml @@ -21,29 +21,6 @@ fields: falsepositives: - Legitimate CMSTP use (unlikely in modern enterprise environments) level: high -<<<<<<< HEAD:rules/windows/process_creation/sysmon_cmstp_execution.yml ---- -logsource: - product: windows - category: registry_event -detection: - # Registry Object Add - selection2: - TargetObject: '*\cmmgr32.exe*' - EventType: 'CreateKey' - # Registry Object Value Set - selection3: - TargetObject: '*\cmmgr32.exe*' ---- -logsource: - product: windows - category: process_access -detection: - selection4: - Calltrace: '*cmlua.dll*' ---- -======= ->>>>>>> ce0111aa6a210133e6ac4f3ffb558dd22003fc15:rules/windows/process_creation/cmstp_execution.yml logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index 7491c3f6d..bf68521d0 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -32,10 +32,5 @@ logsource: detection: selection2: EventID: 11 -<<<<<<< HEAD - TargetFilename: - - '*ds7002.lnk*' -======= TargetFilename|contains: - 'ds7002.lnk' ->>>>>>> ce0111aa6a210133e6ac4f3ffb558dd22003fc15 From 70b106ef529fd0e0d2ee8d48111342e97f259adb Mon Sep 17 00:00:00 2001 
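Review bot: The cmstp_execution.yml hunk removes only the `<<<<<<< HEAD:...` line of the merge conflict; because both files share the pre-image blob `71baa14b2`, the sibling sysmon_cmstp_execution.yml hunk shows what follows that line — the extra `---` documents, the `=======` line and the `>>>>>>> ce0111aa…` line — and all of it remains in cmstp_execution.yml after this commit, leaving a file that is not parseable YAML (the following `Fix syntax error` commit on this page removes it). Resolving the conflict identically in both files also leaves two rules carrying the same `id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47` (visible in the later deletion of cmstp_execution.yml), so one of the pair should be deleted rather than repaired.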
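Review bot: In win_apt_unidentified_nov_18.yml the conflict is resolved in favour of `TargetFilename|contains`, but `EventID: 11` stays in `selection2`, so the selection keeps a Sysmon-specific event id next to a category-based logsource (the `category: file_event` line for this file is visible in a later hunk on this page); that line should be dropped as part of the same resolution, which a later commit here does separately. The enclosing `logsource:` block and this document's `condition` are outside the hunk.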
From: Steven Date: Thu, 15 Apr 2021 02:11:13 +0200 Subject: [PATCH 013/254] Fix syntax error --- .../process_creation/cmstp_execution.yml | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/cmstp_execution.yml index 330c43bde..7a27dc2f2 100644 --- a/rules/windows/process_creation/cmstp_execution.yml +++ b/rules/windows/process_creation/cmstp_execution.yml @@ -21,28 +21,6 @@ fields: falsepositives: - Legitimate CMSTP use (unlikely in modern enterprise environments) level: high ---- -logsource: - product: windows - category: registry_event -detection: - # Registry Object Add - selection2: - TargetObject: '*\cmmgr32.exe*' - EventType: 'CreateKey' - # Registry Object Value Set - selection3: - TargetObject: '*\cmmgr32.exe*' ---- -logsource: - product: windows - category: process_access -detection: - selection4: - Calltrace: '*cmlua.dll*' ---- -======= ->>>>>>> ce0111aa6a210133e6ac4f3ffb558dd22003fc15:rules/windows/process_creation/cmstp_execution.yml logsource: category: process_creation product: windows From f57e1a2231d45822014073880c28884dcb251d43 Mon Sep 17 00:00:00 2001 From: Steven Date: Thu, 15 Apr 2021 02:17:36 +0200 Subject: [PATCH 014/254] Delete .keep file --- rules/windows/sysmon/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 rules/windows/sysmon/.keep diff --git a/rules/windows/sysmon/.keep b/rules/windows/sysmon/.keep deleted file mode 100644 index e69de29bb..000000000 From a9f2a80b8c559e64576ec523137970a9c43c1c77 Mon Sep 17 00:00:00 2001 
From: Steven Date: Thu, 15 Apr 2021 02:23:08 +0200 Subject: [PATCH 015/254] - Remove duplicate rule - Fix linux rule (categories -> category) --- rules/linux/lnx_system_info_discovery.yml | 4 +-- .../malware/win_mal_octopus_scanner.yml | 3 +- .../process_creation/cmstp_execution.yml | 31 ------------------- 3 files changed, 3 insertions(+), 35 deletions(-) delete mode 100644 rules/windows/process_creation/cmstp_execution.yml diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 43f8f6563..c0742e26f 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -16,7 +16,7 @@ tags: --- logsource: product: linux - categories: process_creation + category: process_creation detection: selection: Image|endswith: @@ -31,7 +31,7 @@ detection: --- logsource: product: linux - categories: auditd + category: auditd detection: selection: type: 'PATH' diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml index e7db87a69..0b36c703d 100644 --- a/rules/windows/malware/win_mal_octopus_scanner.yml +++ b/rules/windows/malware/win_mal_octopus_scanner.yml @@ -11,7 +11,6 @@ author: NVISO date: 2020/06/09 logsource: product: windows - service: sysmon category: file_event detection: filecreate: @@ -22,4 +21,4 @@ detection: condition: filecreate and selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/cmstp_execution.yml deleted file mode 100644 index 7a27dc2f2..000000000 --- a/rules/windows/process_creation/cmstp_execution.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: CMSTP Execution Process Creation -id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47 -status: stable -description: Detects various indicators of Microsoft Connection Manager Profile Installer execution -tags: - - attack.defense_evasion - - attack.execution - - attack.t1191 # an old one - - attack.t1218.003 - - attack.g0069 - - car.2019-04-001 -author: Nik Seetharaman -date: 2018/07/16 -modified: 2020/12/23 -references: - - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ -fields: - - CommandLine - - ParentCommandLine - - Details -falsepositives: - - Legitimate CMSTP use (unlikely in modern enterprise environments) -level: high -logsource: - category: process_creation - product: windows -detection: - # CMSTP Spawning Child Process - selection: - ParentImage|endswith: '\cmstp.exe' - condition: selection From cce8d945a07b99d7e1bdc90bc7fa1b696c0b9f12 Mon Sep 17 00:00:00 2001 From: Steven Date: Thu, 15 Apr 2021 02:30:41 +0200 Subject: [PATCH 016/254] Clean rule rules/windows/malware/win_mal_octopus_scanner.yml to use category --- rules/windows/malware/win_mal_octopus_scanner.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml index 0b36c703d..a76955bea 100644 --- a/rules/windows/malware/win_mal_octopus_scanner.yml +++ b/rules/windows/malware/win_mal_octopus_scanner.yml @@ -13,12 +13,11 @@ logsource: product: windows category: file_event detection: - filecreate: selection: TargetFilename|endswith: - '\AppData\Local\Microsoft\Cache134.dat' - '\AppData\Local\Microsoft\ExplorerSync.db' - condition: filecreate and selection + condition: selection falsepositives: - Unknown level: high From 8301b9c221cd98435534df663c00cc5af8504e2a Mon Sep 17 00:00:00 2001 
From: Steven Date: Thu, 15 Apr 2021 02:41:04 +0200 Subject: [PATCH 017/254] Fix selection vs selection_1 in rule files --- .../builtin/win_invoke_obfuscation_clip+_services.yml | 6 +++--- .../builtin/win_invoke_obfuscation_var+_services.yml | 4 ++-- .../win_invoke_obfuscation_via_compress_services.yml | 6 +++--- .../builtin/win_invoke_obfuscation_via_rundll_services.yml | 4 ++-- ...ml => win_invoke_obfuscation_via_use_mshta_services.yml} | 4 ++-- .../win_invoke_obfuscation_via_use_rundll32_services.yml | 4 ++-- .../builtin/win_invoke_obfuscation_via_var++_services.yml | 6 +++--- rules/windows/builtin/win_mal_creddumper.yml | 4 ++-- rules/windows/builtin/win_tap_driver_installation.yml | 4 ++-- 9 files changed, 21 insertions(+), 21 deletions(-) rename rules/windows/builtin/{win_invoke_obfuscation_via_use_mhsta_services.yml => win_invoke_obfuscation_via_use_mshta_services.yml} (93%) diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml index 0755a4293..a52ce3881 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml @@ -16,9 +16,9 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: selection and selection_1 + condition: selection --- logsource: product: windows @@ -36,4 +36,4 @@ logsource: service: security detection: selection: - EventID: 4697 \ No newline at end of file + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index fd9da25ab..0e1bca20f 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml 
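Review bot: Renaming `selection_1` to `selection` and reducing the condition to `condition: selection` changes what these rules match, not just a name. The files are multi-document collections whose later documents each define their own `selection` (this hunk shows `selection: EventID: 4697` under `service: security`), and the original `condition: selection and selection_1` reads as a deliberate AND between that per-document event-id selection and the shared `ImagePath|re` selection. If the first document is the collection's global part (its header is outside the hunk), both levels now define the same `selection` key and the outcome depends on how the collection parser resolves the collision — in the worst case the regex is discarded and the rule fires on every service installation. Keep a distinct name in the shared document, `selection_1:` with `condition: selection and selection_1`, and if a checker rejected the original, fix the check's handling of collections instead. The same rename is applied in this commit to var+, via_compress, via_rundll, via_use_mshta, via_use_rundll32, via_var++, win_mal_creddumper.yml and win_tap_driver_installation.yml, and in the two following commits to stdin+, via_use_clip, win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml and via_stdin.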
@@ -16,9 +16,9 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: selection and selection_1 + condition: selection --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index 8ccaab0d2..17f200b4a 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -16,9 +16,9 @@ falsepositives: - unknown level: medium detection: - selection_1: + selection: - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection and selection_1 + condition: selection --- logsource: product: windows @@ -36,4 +36,4 @@ logsource: service: security detection: selection: - EventID: 4697 \ No newline at end of file + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index f89920462..4ec340f8d 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -16,9 +16,9 @@ falsepositives: - Unknown level: medium detection: - selection_1: + selection: - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: selection and selection_1 + condition: selection --- logsource: product: windows 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml similarity index 93% rename from rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml rename to rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index b2a53ed0d..59ad9fee2 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml @@ -16,9 +16,9 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: selection and selection_1 + condition: selection --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 8418d6250..2dcde1d54 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -16,9 +16,9 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: selection and selection_1 + condition: selection --- logsource: product: windows diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml index e76f583c7..42ea9004f 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml 
@@ -16,9 +16,9 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r - condition: selection and selection_1 + condition: selection --- logsource: product: windows @@ -36,4 +36,4 @@ logsource: service: security detection: selection: - EventID: 4697 \ No newline at end of file + EventID: 4697 diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index 621af8a5a..6a71474a8 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -21,7 +21,7 @@ tags: - attack.t1569.002 - attack.s0005 detection: - selection_1: + selection: - ServiceName|contains: - 'fgexec' - 'wceservice' @@ -39,7 +39,7 @@ detection: - 'gsecdump' - 'servpw' - 'pwdump' - condition: selection and selection_1 + condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery level: high diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml index ea8573b1c..730d64105 100644 --- a/rules/windows/builtin/win_tap_driver_installation.yml +++ b/rules/windows/builtin/win_tap_driver_installation.yml @@ -12,9 +12,9 @@ falsepositives: - Legitimate OpenVPN TAP insntallation level: medium detection: - selection_1: + selection: ImagePath|contains: 'tap0901' - condition: selection and selection_1 + condition: selection --- logsource: product: windows From 9f5e8a02a4a85502ca7db30241da518a462b06ce Mon Sep 17 00:00:00 2001 From: Steven Date: Thu, 15 Apr 2021 02:46:41 +0200 Subject: [PATCH 018/254] Fix parse errors --- .../builtin/win_invoke_obfuscation_stdin+_services.yml | 6 +++--- .../win_invoke_obfuscation_via_use_clip_services.yml | 4 ++-- ...reter_or_cobaltstrike_getsystem_service_installation.yml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml index aa415217e..b11a25f94 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml @@ -16,9 +16,9 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: selection and selection_1 + condition: selection --- logsource: product: windows @@ -36,4 +36,4 @@ logsource: service: security detection: selection: - EventID: 4697 \ No newline at end of file + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index ec7ce717c..565d62e2c 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -16,9 +16,9 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: selection and selection_1 + condition: selection --- logsource: product: windows diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 960858a80..3468eaa55 100644 --- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -14,7 +14,7 @@ tags: - attack.t1134.001 - attack.t1134.002 detection: - selection_1: + selection: # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - ServiceFileName|contains|all: - 'cmd' 
@@ -32,7 +32,7 @@ detection: - 'rundll32' - '.dll,a' - '/p:' - condition: selection and selection_1 + condition: selection fields: - ComputerName - SubjectDomainName From 8703d9f3529ecfe2babe06770fcd239b0e5c2c3e Mon Sep 17 00:00:00 2001 From: Steven Date: Thu, 15 Apr 2021 03:07:18 +0200 Subject: [PATCH 019/254] Remove another reference to hardcoded event ID --- rules/windows/process_creation/win_apt_unidentified_nov_18.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index bf68521d0..20e60b324 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -31,6 +31,5 @@ logsource: category: file_event detection: selection2: - EventID: 11 TargetFilename|contains: - 'ds7002.lnk' From a8d8165541058ac1d0deaa5af2ab9dbd83931b4c Mon Sep 17 00:00:00 2001 From: Steven Date: Thu, 15 Apr 2021 09:25:04 +0200 Subject: [PATCH 020/254] Yet another syntax fix --- .../builtin/win_invoke_obfuscation_via_stdin_services.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index e52b45df7..0484fbf5a 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -16,9 +16,9 @@ falsepositives: - Unknown level: high detection: - selection_1: + selection: - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: selection and selection_1 + condition: selection --- logsource: product: windows From 2ff27aa980746401a25dc0f936a33f174d1de524 Mon Sep 17 00:00:00 2001 
From: Cedric Hien Date: Sat, 17 Apr 2021 12:55:13 +0200 Subject: [PATCH 021/254] Fix SyntaxWarning for 'is' on fireeye-helix backend --- tools/sigma/backends/fireeye-helix.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/fireeye-helix.py b/tools/sigma/backends/fireeye-helix.py index edf999a21..fca445da9 100644 --- a/tools/sigma/backends/fireeye-helix.py +++ b/tools/sigma/backends/fireeye-helix.py @@ -125,14 +125,14 @@ class FireEyeHelixBackend(SingleTextQueryBackend): def generateNULLValueNode(self, node): # Don't generate null value nodes for fields we don't map - if node.item is "rawmsg": + if node.item == "rawmsg": return None else: return self.notNullExpression % (node.item) def generateNotNULLValueNode(self, node): # Don't generate not null value nodes for fields we don't map - if node.item is "rawmsg": + if node.item == "rawmsg": return None else: return self.nullExpression % (node.item) From bbdbab700ded0d4484d909244ba3826aeefed9ca Mon Sep 17 00:00:00 2001 From: Cedric Hien Date: Sat, 17 Apr 2021 12:57:30 +0200 Subject: [PATCH 022/254] Fix invalid logsource on lnx_system_info_discovery rule --- rules/linux/lnx_system_info_discovery.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 43f8f6563..c0742e26f 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -16,7 +16,7 @@ tags: --- logsource: product: linux - categories: process_creation + category: process_creation detection: selection: Image|endswith: @@ -31,7 +31,7 @@ detection: --- logsource: product: linux - categories: auditd + category: auditd detection: selection: type: 'PATH' From 1d6aec3c2507f8832dd26571955f6de5aaa84238 Mon Sep 17 00:00:00 2001 
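Review bot: The `is` → `==` change is correct (comparing a string literal with `is` only worked by interning accident), but the context lines suggest the two methods' return values are swapped: `generateNULLValueNode` returns `self.notNullExpression % (node.item)` while `generateNotNULLValueNode` returns `self.nullExpression % (node.item)`. Unless `nullExpression` and `notNullExpression` are defined inverted on this backend (their definitions are outside the hunk), a rule asserting a field is null would compile into an exists-check and silently invert the condition; worth confirming against the class attributes while here. As a point of style, with an early `return None` the `else:` branches are unnecessary.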
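Review bot: This lnx_system_info_discovery.yml hunk is byte-identical to the change already made in the `Remove duplicate rule` commit earlier in this series (same `index 43f8f6563..c0742e26f`, same two hunks), so when the series is applied in order the second patch finds nothing to change and will fail to apply or be dropped as empty. One of the two commits should be dropped on rebase; the same duplication recurs later with the two thor.yml `linux-log` commits.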
From: Cedric Hien Date: Mon, 19 Apr 2021 08:20:44 +0200 Subject: [PATCH 023/254] Fix typo on CommandLine --- rules/windows/process_creation/process_creation_dotnet.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml index bbc19c20a..1c7b2054c 100644 --- a/rules/windows/process_creation/process_creation_dotnet.yml +++ b/rules/windows/process_creation/process_creation_dotnet.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - Commandline|endswith: + CommandLine|endswith: - '.dll' - '.csproj' Image|endswith: @@ -30,4 +30,4 @@ fields: falsepositives: - System administrator Usage - Penetration test -level: medium \ No newline at end of file +level: medium From 2486a85a1fe15b0ce84349b2260217b5a5aaeda2 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 19 Apr 2021 08:15:42 -0400 Subject: [PATCH 024/254] Added MS Threat Docs for 4616 to references --- rules/windows/builtin/win_susp_time_modification.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml index 01e9a7584..360e1a872 100644 --- a/rules/windows/builtin/win_susp_time_modification.yml +++ b/rules/windows/builtin/win_susp_time_modification.yml @@ -6,6 +6,7 @@ author: '@neu5ron' references: - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) - Live environment caused by malware + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 date: 2019/02/05 modified: 2020/01/27 tags: From dfc1218e6a6a945929c1a18bb981a37ca39edf01 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 20 Apr 2021 08:24:38 -0400 Subject: [PATCH 025/254] false positive - added Azure AD Connect --- rules/windows/builtin/win_dcsync.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml index 2020946e1..d4406838c 100644 --- a/rules/windows/builtin/win_dcsync.yml +++ b/rules/windows/builtin/win_dcsync.yml @@ -34,5 +34,6 @@ detection: condition: selection and not filter1 and not filter2 and not filter3 falsepositives: - Valid DC Sync that is not covered by the filters; please report + - Local Domain Admin account used for Azure AD Connect level: high From dd391cd0b9f15717dfe8530df8d8b9a5f7a6db3e Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 20 Apr 2021 20:05:51 +0545 Subject: [PATCH 026/254] Added rule for Lazarus activity of Apr 2021 --- .../win_apt_lazarus_activity_apr21.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml new file mode 100644 index 000000000..47ee4dc41 --- /dev/null +++ b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml 
@@ -0,0 +1,32 @@ +title: Lazarus Activity +id: 4a12fa47-c735-4032-a214-6fab5b120670 +description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity +status: experimental +references: + - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ +tags: + - attack.g0032 +author: Bhabesh Raj +date: 2021/04/20 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains|all: + - 'mshta' + - '.zip' + selection2: + ParentImage: + - 'C:\Windows\System32\wbem\wmiprvse.exe' + Image: + - 'C:\Windows\System32\mshta.exe' + selection3: + ParentImage: + - 'C:\Users\Public\*' + Image: + - 'C:\Windows\System32\rundll32.exe' + condition: 1 of them +falsepositives: + - Should not be any false positives +level: critical \ No newline at end of file From 678ce5d528af31c86e4aceb66873ad20a67b615e Mon Sep 17 00:00:00 2001 From: Scoubi Date: Tue, 20 Apr 2021 20:34:19 -0400 Subject: [PATCH 027/254] Create win_Outlook_C2_Macro_Creation.yml Not 100% if this is the best place to put it. --- .../other/win_Outlook_C2_Macro_Creation.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/other/win_Outlook_C2_Macro_Creation.yml diff --git a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml new file mode 100644 index 000000000..eec322406 --- /dev/null +++ b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml 
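Review bot: `ParentImage: - 'C:\Users\Public\*'` in `selection3` relies on a bare trailing wildcard inside a plain value; the repository's own idiom is a modifier, so `ParentImage|startswith: 'C:\Users\Public\'` is clearer and avoids wildcard-escaping differences between backends. The `tags` list carries only the group tag `attack.g0032`; the mshta and rundll32 selections correspond to technique tags such as `attack.t1218.005` and `attack.t1218.011`, which is what detection engineers filter on. The file also ends without a trailing newline (`\ No newline at end of file`), and `falsepositives: - Should not be any false positives` is written `- Unlikely` elsewhere on this page.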
@@ -0,0 +1,24 @@ +title: BEC - Outlook C2 Macro Creation +id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 +status: experimental +description: Detects the creation of a macro file for Outlook. Goes with win_Outlook_C2_Registry_Key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events (Registry & File Creation happens at the same time. +references: + - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ +author: '@ScoubiMtl' +tags: + - attack.persistence + - command_and_control + - attack.t1137 + - attack.t1008 + - attack.t1546 +date: 2021/04/05 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM' + condition: selection +falsepositives: + - User genuinly creates a VB Macro for their email +level: medium From fadb8891164cb2b6bf5230379eda1b468a67525e Mon Sep 17 00:00:00 2001 From: Scoubi Date: Tue, 20 Apr 2021 20:38:20 -0400 Subject: [PATCH 028/254] Create win_Outlook_C2_Macro_Creation.yml BEC is for Business Email Compromise (this can be changed) --- .../other/win_Outlook_C2_Macro_Creation.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/other/win_Outlook_C2_Macro_Creation.yml diff --git a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml new file mode 100644 index 000000000..f2010edaf --- /dev/null +++ b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml 
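Review bot: The tag `- command_and_control` lacks the `attack.` prefix used by every other tag in the list (and by the sibling registry-key rule, which writes `attack.command_and_control`), so tag-based tooling will not classify it; change it to `- attack.command_and_control`. The description also has an unclosed parenthesis and the false-positive entry a typo: `(Registry & File Creation) happen at the same time.` and `- User genuinely creates a VB Macro for their email`.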
@@ -0,0 +1,25 @@ +title: BEC - Outlook C2 Registry Key +id: e3b50fa5-3c3f-444e-937b-0a99d33731cd +status: experimental +description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_Outlook_C2_Macro_Creation.yml and is particularly interesting if both events occur near to each other. +references: + - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ +author: '@ScoubiMtl' +tags: + - attack.persistence + - attack.command_and_control + -attack.t1137 + - attack.t1008 + - attack.t1546 +date: 2021/04/05 +logsource: + category: registry_event + product: windows +detection: + selection_registry: + TargetObject: + - 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security' + condition: selection_registry +falsepositives: + - Unlikely +level: medium From 0b7ed7e690a1e124bbd9389d37484125ef6e13e8 Mon Sep 17 00:00:00 2001 From: Scoubi Date: Tue, 20 Apr 2021 20:50:20 -0400 Subject: [PATCH 029/254] Add a space There was a missing space in `-attack` changed for `- attack` --- rules/windows/other/win_Outlook_C2_Macro_Creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml index f2010edaf..0bf6930a0 100644 --- a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml +++ b/rules/windows/other/win_Outlook_C2_Macro_Creation.yml @@ -8,7 +8,7 @@ author: '@ScoubiMtl' tags: - attack.persistence - attack.command_and_control - -attack.t1137 + - attack.t1137 - attack.t1008 - attack.t1546 date: 2021/04/05 From 23791664eb02d226f13f258a54437ca7b79336f7 Mon Sep 17 00:00:00 2001 
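Review bot: `TargetObject: - 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security'` is an exact match, and Sysmon registry events record the key with the value name appended and render the user hive as `HKU\<SID>` rather than `HKEY_CURRENT_USER`, so as written the rule is unlikely ever to fire; `TargetObject|contains: '\Software\Microsoft\Office\16.0\Outlook\Security'` matches the intended key (the hard-coded `16.0` also limits it to one Office version). The commit creates the same path `win_Outlook_C2_Macro_Creation.yml` that the previous commit already created (`new file mode`, `index 000000000..f2010edaf`), so the series cannot apply cleanly even though the content is the registry rule that a later commit renames. The malformed list item `-attack.t1137` is corrected by the next commit.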
From: Scoubi Date: Wed, 21 Apr 2021 08:45:15 -0400 Subject: [PATCH 030/254] Rename win_Outlook_C2_Macro_Creation.yml to win_Outlook_C2_Registry_Key.yml Gave the wrong name to the file, this is the correct one. --- ...look_C2_Macro_Creation.yml => win_Outlook_C2_Registry_Key.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/other/{win_Outlook_C2_Macro_Creation.yml => win_Outlook_C2_Registry_Key.yml} (100%) diff --git a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml b/rules/windows/other/win_Outlook_C2_Registry_Key.yml similarity index 100% rename from rules/windows/other/win_Outlook_C2_Macro_Creation.yml rename to rules/windows/other/win_Outlook_C2_Registry_Key.yml From b447e6338f039f4223da039d71ccd05004d988c5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 09:01:14 +0200 Subject: [PATCH 031/254] rule: Export-PfxCertificate --- ...shell_suspicious_export_pfxcertificate.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml new file mode 100644 index 000000000..0f3ad5705 --- /dev/null +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml 
@@ -0,0 +1,25 @@ +title: Malicious PowerShell Commandlets +id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c +status: experimental +description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines +references: + - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a + - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate +tags: + - attack.credential_access + - attack.t1552.004 +author: Florian Roth +date: 2021/04/23 +logsource: + product: windows + service: powershell + definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' +detection: + keywords: + EventID: 4104 + ScriptBlockText|contains: + - "Export-PfxCertificate" + condition: keywords +falsepositives: + - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) +level: high From 13347df263b569eb0b4a74ee164f6f60b4bb6c88 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 09:50:13 +0200 Subject: [PATCH 032/254] fix: splunk for windows config errors --- tools/config/splunk-windows.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 7b02728d3..e8c44ec5c 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml 
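Review bot: The `description` has two spelling slips that will surface in every generated alert text: `Commandlet` → `cmdlet` and `provate keys` → `private keys`; suggested: `description: Detects the cmdlet that exports certificates from the local certificate store, which is sometimes used by threat actors to steal private keys from compromised machines`. The selection is named `keywords` but is a field map rather than a keyword list; naming it `selection` matches the rest of the repository. The title `Malicious PowerShell Commandlets` is corrected by a later commit on this page.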
@@ -8,27 +8,27 @@ logsources: product: windows service: application conditions: - source: 'WinEventLog:Application' + source: 'Application' windows-security: product: windows service: security conditions: - source: 'WinEventLog:Security' + source: 'Security' windows-system: product: windows service: system conditions: - source: 'WinEventLog:System' + source: 'System' windows-sysmon: product: windows service: sysmon conditions: - source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' + source: 'Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell conditions: - source: 'WinEventLog:Microsoft-Windows-PowerShell/Operational' + source: 'Microsoft-Windows-PowerShell/Operational' windows-classicpowershell: product: windows service: powershell-classic @@ -38,12 +38,12 @@ logsources: product: windows service: taskscheduler conditions: - source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' + source: 'Microsoft-Windows-TaskScheduler/Operational' windows-wmi: product: windows service: wmi conditions: - source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' + source: 'Microsoft-Windows-WMI-Activity/Operational' windows-dns-server: product: windows service: dns-server From d5e88d369c98f66c380d4c091418cdb58c0c101f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 09:51:31 +0200 Subject: [PATCH 033/254] fix: fixed rule title --- .../powershell/powershell_suspicious_export_pfxcertificate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml index 0f3ad5705..ac4077fdb 100644 --- a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml 
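Review bot: Dropping the `WinEventLog:` prefix from every `source` condition changes what the Splunk backend matches, and nothing in either hunk records which input type produces unprefixed `source` values; the same series reverts this in PATCH 046, which suggests the prefixed form was right for the intended inputs. A comment above the first `conditions:` block, e.g. `# source values as produced by the WinEventLog input; adjust if events arrive via a different input`, would make the assumption explicit and prevent the flip-flop. The second hunk (`@@ -38,12 +38,12 @@`) has the same issue.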
@@ -1,4 +1,4 @@ -title: Malicious PowerShell Commandlets +title: Suspicious Export-PfxCertificate id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c status: experimental description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines From 6d1b9f36e808d8e1f422e466cef6cd930e68199b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 10:31:07 +0200 Subject: [PATCH 034/254] feat: thor config - process all *.log files --- tools/config/thor.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index eb9ee0fad..14defa4dd 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -102,6 +102,10 @@ logsources: sources: - "File:/var/log/syslog" - "File:/var/log/syslog.?" + linux-log: + product: linux + sources: + - "File:*.log" logfiles: category: logfile sources: From 95fa99b4a35896274f888dcfdceec241bc875987 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 23 Apr 2021 12:00:48 +0200 Subject: [PATCH 035/254] search generic log files for product: linux --- tools/config/thor.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index eb9ee0fad..14defa4dd 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -102,6 +102,10 @@ logsources: sources: - "File:/var/log/syslog" - "File:/var/log/syslog.?" + linux-log: + product: linux + sources: + - "File:*.log" logfiles: category: logfile sources: From 6256261d0ee34e9e4cf94b6b2955da032f505871 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 12:49:16 +0200 Subject: [PATCH 036/254] fix: FPs with Certutil and McAfee Chromium Container --- .../win_susp_certutil_command.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) 
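Review bot: The new `linux-log` source binds every `*.log` file to `product: linux`, so Linux-only rules are evaluated against Windows log files as well; nothing in `"File:*.log"` restricts the path. Anchoring the pattern to a Unix root, `- "File:/*.log"`, keeps the other platform out (PATCH 054 later in this series does exactly that). PATCH 035 is a byte-identical replay of PATCH 034 — same hunk and same blob index `eb9ee0fad..14defa4dd` — so one of the two should be dropped from the series.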
diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 8137eafe6..26cc7c489 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml @@ -5,7 +5,7 @@ description: Detects a suspicious Microsoft certutil execution with sub commands the built-in certutil utility author: Florian Roth, juju4, keepwatch date: 2019/01/16 -modified: 2020/11/28 +modified: 2021/04/23 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://twitter.com/subTee/status/888102593838362624 @@ -20,11 +20,16 @@ logsource: detection: parameters: CommandLine|contains: - - 'decode ' - - 'decodehex ' - - 'urlcache ' - - 'verifyctl ' - - 'encode ' + - ' -decode ' + - ' -decodehex ' + - ' -urlcache ' + - ' -verifyctl ' + - ' -encode ' + - ' /decode ' + - ' /decodehex ' + - ' /urlcache ' + - ' /verifyctl ' + - ' /encode ' certutil: Image|endswith: '\certutil.exe' CommandLine|contains: From ce03ca9485de15b22d5089f9f6fad6d548678e97 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 14:54:32 +0200 Subject: [PATCH 037/254] fix: Jitter keyword prone to FPs --- .../powershell/powershell_nishang_malicious_commandlets.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index 52573917f..43c845e85 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml @@ -78,7 +78,7 @@ detection: - DataToEncode - LoggedKeys - OUT-DNSTXT - - Jitter + # - Jitter # Prone to FPs - ExfilOption - DumpCerts - DumpCreds From 85582c540e712eaaf7744408d6db3373fe87afe4 Mon Sep 17 00:00:00 2001 
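Review bot: The reworked `CommandLine|contains` patterns now require a leading space and a `-` or `/` switch prefix, but the rule does not record why; a comment such as `# surrounding spaces and switch prefix avoid FPs on file paths that merely contain these words (McAfee Chromium container, see commit)` above the list would stop a later editor from simplifying it back. The trailing space was already present, so a switch that ends the command line remains unmatched as before. The `certutil` selection that follows continues outside the hunk.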
From: Florian Roth Date: Fri, 23 Apr 2021 14:55:04 +0200 Subject: [PATCH 038/254] docs: changed modification date --- .../powershell/powershell_nishang_malicious_commandlets.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index 43c845e85..21547f4dd 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml @@ -3,6 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: experimental description: Detects Commandlet names and arguments from the Nishang exploitation framework date: 2019/05/16 +modified: 2021/04/23 references: - https://github.com/samratashok/nishang tags: From 1333a95c5150467c35cf4ccd400c63739d13cfa2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 16:44:53 +0200 Subject: [PATCH 039/254] rule: get-process lsass --- ...powershell_suspicious_getprocess_lsass.yml | 24 +++++++++++++++++++ .../win_susp_powershell_getprocess_lsass.yml | 20 ++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml create mode 100644 rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml new file mode 100644 index 000000000..b89b2b086 --- /dev/null +++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml 
@@ -0,0 +1,24 @@ +title: PowerShell Get-Process LSASS in ScriptBlock +id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb +status: experimental +description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity +references: + - https://twitter.com/PythonResponder/status/1385064506049630211 +tags: + - attack.credential_access + - attack.t1552.004 +author: Florian Roth +date: 2021/04/23 +logsource: + product: windows + service: powershell + definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' +detection: + keywords: + EventID: 4104 + ScriptBlockText|contains: + - 'Get-Process lsass' + condition: keywords +falsepositives: + - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) +level: high diff --git a/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml new file mode 100644 index 000000000..1fd27ead9 --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml @@ -0,0 +1,20 @@ +title: PowerShell Get-Process LSASS +id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349 +description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity +status: experimental +references: + - https://twitter.com/PythonResponder/status/1385064506049630211 +author: Florian Roth +date: 2021/04/23 +tags: + - attack.credential_access + - attack.t1552.004 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - 'Get-Process lsass' + condition: selection +level: critical From 6f12a1b099c8a0466349515da92d740e39af4144 Mon Sep 17 00:00:00 2001 
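Review bot: The `falsepositives` entry in powershell_suspicious_getprocess_lsass.yml (`Legitimate certificate exports invoked by administrators ...`) is copied from the Export-PfxCertificate rule and does not describe this detection; replace it with something like `- Administrative scripts that inspect the LSASS process (rare)` or `- Unknown`. Both new files tag `attack.t1552.004` (Unsecured Credentials: Private Keys), which also looks carried over; inspecting LSASS maps to `attack.t1003.001` (OS Credential Dumping: LSASS Memory). The second hunk (win_susp_powershell_getprocess_lsass.yml) has the same tag mismatch.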
From: Florian Roth Date: Fri, 23 Apr 2021 16:45:52 +0200 Subject: [PATCH 040/254] docs: FPs and changed level --- .../process_creation/win_susp_powershell_getprocess_lsass.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml index 1fd27ead9..bffd87a36 100644 --- a/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml +++ b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml @@ -17,4 +17,6 @@ detection: CommandLine|contains: - 'Get-Process lsass' condition: selection -level: critical +falsepositives: + - Unknown +level: high From a29ac79a3f40b10bcbd759baaf4bafc043fb9a74 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 16:46:04 +0200 Subject: [PATCH 041/254] refactor: extended comsvcs.dll MiniDump rule --- .../process_creation/win_process_dump_rundll32_comsvcs.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml index 7e1eb8cb6..d75fdc85a 100644 --- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml +++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml @@ -4,9 +4,10 @@ description: Detects a process memory dump performed via ordinal function 24 in status: experimental references: - https://twitter.com/shantanukhande/status/1229348874298388484 + - https://twitter.com/pythonresponder/status/1385064506049630211?s=21 author: Florian Roth date: 2020/02/18 -modified: 2020/09/06 +modified: 2021/04/23 tags: - attack.defense_evasion - attack.t1036 
@@ -22,6 +23,7 @@ detection: CommandLine|contains: - 'comsvcs.dll,#24' - 'comsvcs.dll,MiniDump' + - 'comsvcs.dll MiniDump' condition: selection falsepositives: - Unlikely, because no one should dump the process memory in that way From f2fa8dd9565721518e353809330b235725f2b1eb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 17:16:09 +0200 Subject: [PATCH 042/254] rules: CobaltStrike named pipes --- .../pipe_created/sysmon_mal_cobaltstrike.yml | 29 +++++++++++++++++++ .../pipe_created/sysmon_mal_namedpipes.yml | 3 +- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml new file mode 100644 index 000000000..958bb676a --- /dev/null +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml @@ -0,0 +1,29 @@ +title: CobaltStrike Named Pipe +id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 +status: experimental +description: Detects the creation of a named pipe as used by CobaltStrike +references: + - https://twitter.com/d4rksystem/status/1357010969264873472 + - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/ + - https://github.com/Neo23x0/sigma/issues/253 +date: 2021/04/23 +author: Florian Roth +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17)' +detection: + selection_start: + PipeName|startswith: '\MSSE-' + selection_end: + PipeName|endswith: '-server' + selection_others: + PipeName|startswith: '\msagent_' + condition: selection_start and selection_end +falsepositives: + - Unknown +level: critical 
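Review bot: `selection_others` (`PipeName|startswith: '\msagent_'`) is defined but never referenced by `condition: selection_start and selection_end`, so it cannot fire; at the same time the companion hunk in sysmon_mal_namedpipes.yml (next file) removes `'\msagent_*'` from the generic list, leaving that pipe prefix undetected by either rule. Either `condition: (selection_start and selection_end) or selection_others` here, or keep the entry in the generic rule. A short comment above `selection_others` pointing to the issue #253 reference already in the file would document where the prefix comes from.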
diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index e1c1e8c87..badc331b7 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml @@ -26,9 +26,10 @@ detection: - '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input - '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A - '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0 - - '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253 - '\gruntsvc' # Covenant default named pipe # - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253 + - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html + - '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/ condition: selection tags: - attack.defense_evasion From d766c128883d3faa056416e312147322f06d1987 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Apr 2021 17:47:09 +0200 Subject: [PATCH 043/254] feat: generic categories - thor config --- tools/config/thor.yml | 120 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 14defa4dd..4c4ded456 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml 
@@ -25,6 +25,126 @@ logsources: fieldmappings: Image: NewProcessName ParentImage: ParentProcessName + network_connection: + category: network_connection + product: windows + conditions: + EventID: 3 + rewrite: + product: windows + service: sysmon + process_terminated: + category: process_termination + product: windows + conditions: + EventID: 5 + rewrite: + product: windows + service: sysmon + driver_loaded: + category: driver_load + product: windows + conditions: + EventID: 6 + rewrite: + product: windows + service: sysmon + image_loaded: + category: image_load + product: windows + conditions: + EventID: 7 + rewrite: + product: windows + service: sysmon + create_remote_thread: + category: create_remote_thread + product: windows + conditions: + EventID: 8 + rewrite: + product: windows + service: sysmon + raw_access_thread: + category: raw_access_thread + product: windows + conditions: + EventID: 9 + rewrite: + product: windows + service: sysmon + process_access: + category: process_access + product: windows + conditions: + EventID: 10 + rewrite: + product: windows + service: sysmon + file_creation: + category: file_event + product: windows + conditions: + EventID: 11 + rewrite: + product: windows + service: sysmon + registry_event: + category: registry_event + product: windows + conditions: + EventID: + - 12 + - 13 + - 14 + rewrite: + product: windows + service: sysmon + create_stream_hash: + category: create_stream_hash + product: windows + conditions: + EventID: 15 + rewrite: + product: windows + service: sysmon + pipe_created: + category: pipe_created + product: windows + conditions: + EventID: + - 17 + - 18 + rewrite: + product: windows + service: sysmon + wmi_event: + category: wmi_event + product: windows + conditions: + EventID: + - 19 + - 20 + - 21 + rewrite: + product: windows + service: sysmon + dns_query: + category: dns_query + product: windows + conditions: + EventID: 22 + rewrite: + product: windows + service: sysmon + file_delete: + category: 
file_delete + product: windows + conditions: + EventID: 23 + rewrite: + product: windows + service: sysmon # target system configurations windows-application: product: windows From c580db166cae2e07312a258eb2b73817c4970d95 Mon Sep 17 00:00:00 2001 From: Cedric Hien Date: Sun, 25 Apr 2021 15:50:44 +0200 Subject: [PATCH 044/254] Fix typo on CommandLine field --- rules/windows/process_creation/process_creation_msdeploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml index cf35510fa..6fabd7686 100644 --- a/rules/windows/process_creation/process_creation_msdeploy.yml +++ b/rules/windows/process_creation/process_creation_msdeploy.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - Commandline|contains|all: + CommandLine|contains|all: - 'verb:sync' - '-source:RunCommand' - '-dest:runCommand' @@ -31,4 +31,4 @@ fields: falsepositives: - System administrator Usage - Penetration test -level: medium \ No newline at end of file +level: medium From 748005fc14dda813b77836ab178465ff934acd60 Mon Sep 17 00:00:00 2001 From: Cedric Hien Date: Sun, 25 Apr 2021 15:52:59 +0200 Subject: [PATCH 045/254] Fix typo on CommandLine field --- rules/windows/process_creation/win_manage-bde_lolbas.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml index 3dcdeac85..06216b629 100644 --- a/rules/windows/process_creation/win_manage-bde_lolbas.yml +++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - Commandline|contains|all: + CommandLine|contains|all: - 'cscript' - 'manage-bde.wsf' condition: selection From 08234c46200f82335efe6314de73680bba953fea Mon Sep 17 00:00:00 2001 
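Review bot: The new category-to-EventID block has no comment stating that the `EventID` values are Sysmon event IDs and that every `rewrite` targets `service: sysmon`; a one-line header above `network_connection:`, e.g. `# generic Sigma categories -> Sysmon event IDs (rewritten to product: windows / service: sysmon)`, would make the 120 lines scannable. `raw_access_thread` is the Sigma taxonomy name for Sysmon event 9 (RawAccessRead), which the key name does not convey, so an inline `# Sysmon 9: RawAccessRead` is worth adding. The enclosing `logsources` mapping starts above the hunk.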
From: Florian Roth Date: Sun, 25 Apr 2021 21:52:29 +0200 Subject: [PATCH 046/254] Revert "fix: splunk for windows config errors" This reverts commit 13347df263b569eb0b4a74ee164f6f60b4bb6c88. --- tools/config/splunk-windows.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index e8c44ec5c..7b02728d3 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -8,27 +8,27 @@ logsources: product: windows service: application conditions: - source: 'Application' + source: 'WinEventLog:Application' windows-security: product: windows service: security conditions: - source: 'Security' + source: 'WinEventLog:Security' windows-system: product: windows service: system conditions: - source: 'System' + source: 'WinEventLog:System' windows-sysmon: product: windows service: sysmon conditions: - source: 'Microsoft-Windows-Sysmon/Operational' + source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell conditions: - source: 'Microsoft-Windows-PowerShell/Operational' + source: 'WinEventLog:Microsoft-Windows-PowerShell/Operational' windows-classicpowershell: product: windows service: powershell-classic @@ -38,12 +38,12 @@ logsources: product: windows service: taskscheduler conditions: - source: 'Microsoft-Windows-TaskScheduler/Operational' + source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' windows-wmi: product: windows service: wmi conditions: - source: 'Microsoft-Windows-WMI-Activity/Operational' + source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' windows-dns-server: product: windows service: dns-server From 66d0f910dddbf1b7c041cdaf14401840fa9b78f1 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Sun, 25 Apr 2021 22:35:23 +0200 Subject: [PATCH 047/254] feat: windows native events - registry_event --- tools/config/generic/windows-audit.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 83b143c96..51624a3a6 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml @@ -1,4 +1,4 @@ -title: Conversion of generic process_creation rules into Security/4688 +title: Conversion for Windows Native Auditing Events order: 10 logsources: process_creation: @@ -9,6 +9,15 @@ logsources: rewrite: product: windows service: security + registry_event: + category: registry_event + product: windows + conditions: + EventID: 4657 + rewrite: + product: windows + service: security fieldmappings: Image: NewProcessName ParentImage: ParentProcessName + EventType: OperationType From d24f0b89882fdec111104f29b27fdffa8f771541 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 26 Apr 2021 09:31:36 +0200 Subject: [PATCH 048/254] feat: generic registry events compatible with native audit logging --- rules/windows/process_creation/win_apt_chafer_mar18.yml | 5 ----- rules/windows/registry_event/sysmon_comhijack_sdclt.yml | 2 -- rules/windows/registry_event/sysmon_cve-2020-1048.yml | 4 ---- rules/windows/registry_event/sysmon_reg_office_security.yml | 4 ---- .../windows/registry_event/sysmon_reg_silentprocessexit.yml | 3 --- .../registry_event/sysmon_reg_silentprocessexit_lsass.yml | 3 --- rules/windows/registry_event/sysmon_runonce_persistence.yml | 1 - .../registry_event/sysmon_stickykey_like_backdoor.yml | 1 - rules/windows/registry_event/sysmon_win_reg_persistence.yml | 1 - .../registry_event/sysmon_win_reg_telemetry_persistence.yml | 1 - tools/config/generic/windows-audit.yml | 5 ++++- 11 files changed, 4 insertions(+), 26 deletions(-) 
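Review bot: The new `fieldmappings` entry `EventType: OperationType` renames the field but not its values: Sigma rules carry Sysmon values such as `SetValue`, while 4657's `OperationType` holds strings like `Existing registry value modified` (or `%%19xx`-style resource IDs in raw output, depending on the collector), so a converted rule with an `EventType` condition cannot match. PATCH 048 later in this series removes `EventType` from the rules instead, which confirms the mismatch. Event 4657 is also only generated for keys that carry a SACL, so a comment on the `registry_event` entry, e.g. `# 4657 requires object-access auditing with a SACL on the key; coverage depends on audit policy`, would set expectations.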
diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index c167ff6ed..a64f96298 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml @@ -54,11 +54,6 @@ detection: TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' - EventType: 'SetValue' - selection_reg2: - TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential' - EventType: 'SetValue' - Details: 'DWORD (0x00000001)' --- logsource: category: process_creation diff --git a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml index bf76b00d8..dedf925a5 100644 --- a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml +++ b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml @@ -18,8 +18,6 @@ detection: selection: TargetObject: - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' - EventType: - - SetValue condition: selection falsepositives: - unknown diff --git a/rules/windows/registry_event/sysmon_cve-2020-1048.yml b/rules/windows/registry_event/sysmon_cve-2020-1048.yml index e5e17ef11..8a02f889e 100644 --- a/rules/windows/registry_event/sysmon_cve-2020-1048.yml +++ b/rules/windows/registry_event/sysmon_cve-2020-1048.yml @@ -18,10 +18,6 @@ logsource: detection: selection: TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' - EventType: - - SetValue - - DeleteValue - - CreateValue Details|contains: - '.dll' - '.exe' diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml index fb3975c6a..27e6957c5 100644 --- a/rules/windows/registry_event/sysmon_reg_office_security.yml +++ b/rules/windows/registry_event/sysmon_reg_office_security.yml 
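Review bot: Removing the whole `selection_reg2` drops the WDigest `UseLogonCredential` detection from this rule, although the commit message only speaks of compatibility with native registry auditing; the condition that references these selections sits above the hunk, so if it is `1 of them` the loss is silent. If only `EventType: 'SetValue'` and the Sysmon-formatted `Details: 'DWORD (0x00000001)'` were the incompatibility, keeping `selection_reg2:` with just `TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential'` preserves the coverage. Otherwise a comment stating where that detection now lives would help the next reader.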
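Review bot: Dropping `EventType` from sysmon_comhijack_sdclt.yml widens it from value-set events to every `registry_event` (Sysmon 12/13/14 per the repository's generic mapping earlier on this page), so key create/delete and rename on the same path now match too; the same applies to the hunks in sysmon_runonce_persistence.yml, sysmon_stickykey_like_backdoor.yml and sysmon_win_reg_persistence.yml, none of which has a `Details` matcher to narrow it. That is probably acceptable noise for these paths, but a comment such as `# EventType intentionally omitted: native 4657 auditing has no SetValue equivalent (see tools/config/generic/windows-audit.yml)` would record the trade-off. The rules that keep `Details|contains` (cve-2020-1048, silentprocessexit) remain effectively value-scoped.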
@@ -19,10 +19,6 @@ detection: - '\Security\Trusted Documents\TrustRecords' - '\Security\AccessVBOM' - '\Security\VBAWarnings' - EventType: - - SetValue - - DeleteValue - - CreateValue condition: sec_settings falsepositives: - Valid Macros and/or internal documents diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml index fe6b5f5a5..c8404f2cc 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml @@ -16,9 +16,6 @@ detection: selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' - EventType: - - SetValue - - CreateValue condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml index bafd3cbd2..66a5dc12a 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml @@ -15,9 +15,6 @@ logsource: detection: selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe' - EventType: - - SetValue - - CreateValue condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry_event/sysmon_runonce_persistence.yml b/rules/windows/registry_event/sysmon_runonce_persistence.yml index aff6c60e7..6e74aedb5 100644 --- a/rules/windows/registry_event/sysmon_runonce_persistence.yml +++ b/rules/windows/registry_event/sysmon_runonce_persistence.yml @@ -15,7 +15,6 @@ logsource: category: registry_event detection: selection: - EventType: 'SetValue' TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' TargetObject|endswith: '\StubPath' condition: selection 
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 667c8448a..7f23a3298 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml @@ -31,7 +31,6 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' - EventType: 'SetValue' condition: 1 of them --- logsource: diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index dea029f4f..883c5863a 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml @@ -13,7 +13,6 @@ detection: selection_reg1: TargetObject|contains: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' - EventType: SetValue selection_reg2: - TargetObject|contains|all: - '\Image File Execution Options\' diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 67963ff93..6cdb6cb24 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -19,7 +19,6 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - '\Command' Details|contains: '.exe' - EventType: 'SetValue' filter: Details|contains: - '\system32\CompatTelRunner.exe' diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 51624a3a6..63080759e 100644 --- a/tools/config/generic/windows-audit.yml 
+++ b/tools/config/generic/windows-audit.yml @@ -14,10 +14,13 @@ logsources: product: windows conditions: EventID: 4657 + OperationType: + - 'New registry value created' + - 'Existing registry value modified' rewrite: product: windows service: security fieldmappings: Image: NewProcessName ParentImage: ParentProcessName - EventType: OperationType + Details: NewValue From 8efa10465e2d48a155a9dda8f5e1de94e91d6164 Mon Sep 17 00:00:00 2001 From: Ian Thieves Date: Mon, 26 Apr 2021 11:25:16 -0700 Subject: [PATCH 049/254] Update win_scm_database_privileged_operation.yml Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43 Query should match where SubjectLogonID != "0x3e4" --- .../windows/builtin/win_scm_database_privileged_operation.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml index 9c9df1cb1..e5e6a0206 100644 --- a/rules/windows/builtin/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml @@ -15,8 +15,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' PrivilegeList: 'SeTakeOwnershipPrivilege' + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical From 65294d97c4aacc65bd5383b067634f19b93a2334 Mon Sep 17 00:00:00 2001 From: Ian Thieves Date: Mon, 26 Apr 2021 11:28:16 -0700 Subject: [PATCH 050/254] Update win_scm_database_handle_failure.yml Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43 Query should match where SubjectLogonID != "0x3e4" --- rules/windows/builtin/win_scm_database_handle_failure.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
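Review bot: The `OperationType` conditions use the rendered display strings; if a collector ships the raw `%%19xx`-style resource IDs instead, neither value matches and every converted registry rule goes dark, so a comment such as `# rendered OperationType strings; adjust if the collector forwards raw %%19xx IDs` above the list would make the assumption explicit. `Details: NewValue` maps the field name only: Sysmon `Details` is formatted like `DWORD (0x00000001)` while `NewValue` carries the bare value, so rules matching on Sysmon formatting will still miss. Removing `EventType: OperationType` also leaves any rule that still carries `EventType` with an unmapped field rather than a translated one.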
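Review bot: The new `filter` excludes `SubjectLogonId: "0x3e4"` without saying what that session is; add `# 0x3e4 = NETWORK SERVICE logon session (well-known ID), excluded as benign` above it so the exclusion is auditable. The identical hunk in win_scm_database_handle_failure.yml (next file) needs the same comment. Since a well-known logon session is being excluded, `falsepositives` should also state that activity from that session is deliberately ignored.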
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml index 865cbc5b1..7efc27dbb 100644 --- a/rules/windows/builtin/win_scm_database_handle_failure.yml +++ b/rules/windows/builtin/win_scm_database_handle_failure.yml @@ -17,8 +17,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' Keywords: "Audit Failure" + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical From f75ad989030127dd1e106c7226c0b45af2a1973f Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 27 Apr 2021 22:55:58 +1000 Subject: [PATCH 051/254] Create win_lateral_movement EID 4674 with the proposed attributes is very rare in prod environment. https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm --- rules/windows/other/win_lateral_movement | 25 ++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/other/win_lateral_movement diff --git a/rules/windows/other/win_lateral_movement b/rules/windows/other/win_lateral_movement new file mode 100644 index 000000000..f1c35b58a --- /dev/null +++ b/rules/windows/other/win_lateral_movement 
@@ -0,0 +1,25 @@ +title: Lateral Movement Indicator +id: 29d31aee-30f4-4006-85a9-a4a02d65306c +status: stable +description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context. +author: Janantha Marasinghe +date: 2021/04/27 +tags: + - attack.lateral_movement + - attack.execution + - attack.t1021 + - attack.t1059 +logsource: + product: windows + service: security + definition: +detection: + selection: + EventID: 4674 + ObjectType: 'Security' + ObjectType: 'File' + ObjectName: '\Device\ConDrv' + condition: selection +falsepositives: + - Penetration tests where lateral movement has occured. This event will be created on the target host. +level: high From 793504dd6bd315fbc416a54b44a63ec304e452aa Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 27 Apr 2021 22:59:52 +1000 Subject: [PATCH 052/254] Rename win_lateral_movement to win_lateral_movement.yml --- .../other/{win_lateral_movement => win_lateral_movement.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/other/{win_lateral_movement => win_lateral_movement.yml} (100%) diff --git a/rules/windows/other/win_lateral_movement b/rules/windows/other/win_lateral_movement.yml similarity index 100% rename from rules/windows/other/win_lateral_movement rename to rules/windows/other/win_lateral_movement.yml From 59d23535ce6ac2af6df09b7aa29c11b94d5cc805 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 27 Apr 2021 23:03:03 +1000 Subject: [PATCH 053/254] Update win_lateral_movement.yml --- rules/windows/other/win_lateral_movement.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
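Review bot: A brand-new rule should not enter as `status: stable`; the commit message only says the event "is very rare in prod", which is not the field validation `stable` implies — use `status: experimental` until it has run somewhere. `definition:` under logsource is an empty key (parses as null); either fill it with the audit prerequisite or drop it. 4674 is emitted by the Privilege Use audit subcategories, which are not enabled by default on many hosts (to be confirmed against the references), so the description should state that prerequisite or the rule will silently never fire. The description and falsepositives also carry typos (`should to be correlated`, `occured`).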
diff --git a/rules/windows/other/win_lateral_movement.yml b/rules/windows/other/win_lateral_movement.yml index f1c35b58a..90f0bd727 100644 --- a/rules/windows/other/win_lateral_movement.yml +++ b/rules/windows/other/win_lateral_movement.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 4674 - ObjectType: 'Security' + ObjectServer: 'Security' ObjectType: 'File' ObjectName: '\Device\ConDrv' condition: selection From de2cedf2136511b4aff7bde5f521c5e772d1a206 Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Wed, 28 Apr 2021 11:45:19 +0200 Subject: [PATCH 054/254] fix: Distinguish Windows and Linux logfiles by path separator A previous commit added a log source detailing *.log files with product: linux. This caused linux specific Sigma rules to apply to all *.log file, including those on Windows. To distinguish these cases, expand the file path pattern to include the typical start for unix / windows paths ( / vs [A-Z]:\ ) --- tools/config/thor.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 4c4ded456..e1e634b97 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -222,11 +222,13 @@ logsources: sources: - "File:/var/log/syslog" - "File:/var/log/syslog.?" - linux-log: + linux-logfile: product: linux - sources: - - "File:*.log" - logfiles: category: logfile sources: - - "File:*.log" + - "File:/*.log" + windows-logfile: + product: windows + category: logfile + sources: + - "File:?:\\*.log" From 47504fbd56f14ca66709d67d97f4d253dcca735c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Apr 2021 11:46:49 +0200 Subject: [PATCH 055/254] fix: shellshock expression --- rules/linux/lnx_shellshock.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml index 59a534cd3..881621354 100644 --- a/rules/linux/lnx_shellshock.yml +++ b/rules/linux/lnx_shellshock.yml 
@@ -4,14 +4,16 @@ status: experimental description: Detects shellshock expressions in log files author: Florian Roth date: 2017/03/14 +modified: 2021/04/28 references: - - http://rubular.com/r/zxBfjWfFYs + - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf logsource: product: linux detection: - expression: - - /\(\)\s*\t*\{.*;\s*\}\s*;/ - condition: expression + keyword: + - '() { :;};' + - '() { :; };' + condition: keyword falsepositives: - Unknown level: high From 161180c35723b6671c1e165e243b13486368c19f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Apr 2021 11:47:24 +0200 Subject: [PATCH 056/254] refactor: extended shellshock rule --- rules/linux/lnx_shellshock.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml index 881621354..ba7fc1bb7 100644 --- a/rules/linux/lnx_shellshock.yml +++ b/rules/linux/lnx_shellshock.yml @@ -11,6 +11,8 @@ logsource: product: linux detection: keyword: + - '(){:;};' + - '() {:;};' - '() { :;};' - '() { :; };' condition: keyword From 7c8cca744f7fcbda46d6a4229ad6fa733232dfe2 Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Wed, 28 Apr 2021 17:48:17 +0200 Subject: [PATCH 057/254] chore: Revert log file changes for THOR sigma configuration Revert recent changes for Windows / Linux .log files for THOR because of massive performance impacts. --- tools/config/thor.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index e1e634b97..4c4ded456 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -222,13 +222,11 @@ logsources: sources: - "File:/var/log/syslog" - "File:/var/log/syslog.?" - linux-logfile: + linux-log: product: linux + sources: + - "File:*.log" + logfiles: category: logfile sources: - - "File:/*.log" - windows-logfile: - product: windows - category: logfile - sources: - - "File:?:\\*.log" + - "File:*.log" 
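Review bot: Replacing the regex with literal keywords narrows coverage: the old expression matched any function body (`\{.*;\s*\}\s*;`), whereas the new list only matches the canonical no-op body `:;`, so payloads such as `() { ignored; };` or ones with a tab after `{` no longer fire. If keywords are required for this logsource, document the narrowing in the description, e.g. `Detects the canonical shellshock prefix '() { :;};' and close variants; other function bodies are not covered`, and keep a regex form for backends that support it. The two extra spellings added in the following commit do not change this.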
From 11982abec0b0e8100d9f8218ae12d06d93e2e3d5 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Wed, 28 Apr 2021 16:49:59 -0700 Subject: [PATCH 058/254] Add support for macOS rules and fix case sensitivity. --- tools/sigma/backends/limacharlie.py | 69 +++++++++++++++++++++++------ 1 file changed, 56 insertions(+), 13 deletions(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 4ae813633..383134a40 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -68,6 +68,7 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [ 'isAllStringValues', 'keywordField', 'postOpMapper', + 'isCaseSensitive', ]) _allFieldMappings = { 'edr': { @@ -81,7 +82,8 @@ _allFieldMappings = { fieldMappings = _windowsEventLogEDRFieldName, isAllStringValues = True, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "windows_defender//": SigmaLCConfig( topLevelParams = { @@ -93,7 +95,8 @@ _allFieldMappings = { fieldMappings = _windowsEventLogEDRFieldName, isAllStringValues = True, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "windows/process_creation/": SigmaLCConfig( topLevelParams = { @@ -120,7 +123,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = "event/COMMAND_LINE", - postOpMapper = _mapProcessCreationOperations + postOpMapper = _mapProcessCreationOperations, + isCaseSensitive = [] ), "dns//": SigmaLCConfig( topLevelParams = { @@ -132,7 +136,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "linux//": SigmaLCConfig( topLevelParams = { @@ -150,7 +155,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = 'event/COMMAND_LINE', - postOpMapper = None + postOpMapper = None, + isCaseSensitive = ['event/FILE_PATH'] ), "unix//": SigmaLCConfig( topLevelParams = { 
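Review bot: `isCaseSensitive` is added as a required positional field of `SigmaLCConfig`, so any `SigmaLCConfig(...)` constructed outside this module without it (if such a caller exists) now raises `TypeError` at import time. Declaring it with a default, `namedtuple('SigmaLCConfig', [...], defaults=((),))` (defaults apply to the rightmost fields), keeps older constructions working and removes the seven repeated `isCaseSensitive = []` lines; an immutable `()` also avoids a shared mutable default. The namedtuple definition begins before the hunk.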
@@ -168,7 +174,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = 'event/COMMAND_LINE', - postOpMapper = None + postOpMapper = None, + isCaseSensitive = ['event/FILE_PATH'] ), "netflow//": SigmaLCConfig( topLevelParams = { @@ -181,7 +188,8 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "/proxy/": SigmaLCConfig( topLevelParams = { @@ -197,7 +205,37 @@ _allFieldMappings = { }, isAllStringValues = False, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] + ), + "macos/process_creation/": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is mac", + }, + fieldMappings = { + "CommandLine": "event/COMMAND_LINE", + "Commandline": "event/COMMAND_LINE", + "Image": "event/FILE_PATH", + "ParentImage": "event/PARENT/FILE_PATH", + "ParentCommandLine": "event/PARENT/COMMAND_LINE", + "User": "event/USER_NAME", + "OriginalFileName": "event/ORIGINAL_FILE_NAME", + # Custom field names coming from somewhere unknown. + "NewProcessName": "event/FILE_PATH", + "ProcessCommandLine": "event/COMMAND_LINE", + # Another one-off command line. + "Command": "event/COMMAND_LINE", + }, + isAllStringValues = False, + keywordField = "event/COMMAND_LINE", + postOpMapper = _mapProcessCreationOperations, + isCaseSensitive = ['event/FILE_PATH'] ), }, "artifact": { @@ -210,7 +248,8 @@ _allFieldMappings = { fieldMappings = _windowsEventLogArtifactFieldName, isAllStringValues = True, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), "windows_defender//": SigmaLCConfig( topLevelParams = { @@ -221,7 +260,8 @@ _allFieldMappings = { fieldMappings = _windowsEventLogArtifactFieldName, isAllStringValues = True, keywordField = None, - postOpMapper = None + postOpMapper = None, + isCaseSensitive = [] ), } } 
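Review bot: The new macOS mapping marks `event/FILE_PATH` case sensitive, but macOS volumes are case-insensitive by default (APFS and HFS+ unless formatted case-sensitive), so a rule path whose casing differs from what the sensor reports will miss; Linux is the entry where case-sensitive paths are the norm. Unless the sensor is known to normalise path case, set `isCaseSensitive = []` for the macOS entry or at least annotate it, `# NOTE: default macOS volumes are case-insensitive; revisit if the sensor normalises case`. `preConditions` uses `"op": "is mac"`; confirm that is the operator the platform expects, since the linux/unix siblings are outside this hunk.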
@@ -272,7 +312,7 @@ class LimaCharlieBackend(BaseBackend): # See if we have a definition for the source combination. mappingKey = "%s/%s/%s" % (product, category, service) - topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None])) + topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper, isCaseSensitive = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None, None])) if mappings is None: raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service)) @@ -291,6 +331,9 @@ class LimaCharlieBackend(BaseBackend): # Call to fixup all operations after the fact. self._postOpMapper = postOpMapper + # Event paths that are case sensitive. + self._isCaseSensitiveFS = isCaseSensitive + # Call the original generation code. detectComponent = super().generate(sigmaparser) @@ -453,7 +496,7 @@ class LimaCharlieBackend(BaseBackend): newOp = { "op": op, "path": fieldname, - "case sensitive": False, + "case sensitive": fieldname in self._isCaseSensitiveFS, } if op == "matches": newOp["re"] = newVal @@ -471,7 +514,7 @@ class LimaCharlieBackend(BaseBackend): newOp = { "op": op, "path": fieldname, - "case sensitive": False, + "case sensitive": fieldname in self._isCaseSensitiveFS, } if op == "matches": newOp["re"] = newVal From 3e5f7aeb5e56df851c3976543e6702dc89220898 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 29 Apr 2021 09:56:26 +0200 Subject: [PATCH 059/254] rule: PowerShell Cmdlet Defender Exclusions --- .../win_powershell_defender_exclusion.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/win_powershell_defender_exclusion.yml 
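Review bot: The `"case sensitive": fieldname in self._isCaseSensitiveFS` decision is now duplicated in two `newOp` builders; a small helper, `def _isCaseSensitivePath(self, fieldname): return fieldname in self._isCaseSensitiveFS`, keeps both in step if the rule grows. The widened default tuple in `generate()` leaves `isCaseSensitive` as `None`, which is only safe because `mappings is None` raises first — a comment saying so, or `()` as the default, makes that dependency explicit. Both builders' enclosing methods start before the hunk.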
diff --git a/rules/windows/process_creation/win_powershell_defender_exclusion.yml b/rules/windows/process_creation/win_powershell_defender_exclusion.yml new file mode 100644 index 000000000..2a6191fc0 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_defender_exclusion.yml @@ -0,0 +1,32 @@ +title: Powershell Defender Exclusion +id: 17769c90-230e-488b-a463-e05c08e9d48f +status: experimental +description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets +references: + - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus +tags: + - attack.defense_evasion + - attack.t1562.001 +author: Florian Roth +date: 2021/04/29 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: 'Add-MpPreference' + selection2: + CommandLine|contains: + - ' -ExclusionPath ' + - ' -ExclusionExtension ' + - ' -ExclusionProcess ' + selection_encoded: + CommandLine|contains: + - 'QWRkLU1wUHJlZmVyZW5jZ' + - 'FkZC1NcFByZWZlcmVuY2' + - 'BZGQtTXBQcmVmZXJlbmNl' + condition: ( selection1 and selection2 ) or selection_encoded +falsepositives: + - Possible Admin Activity + - Other Cmdlets that may use the same parameters +level: high From 8af86fa97e84fe347b5ba568dc0d0ceabb90b4d1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 29 Apr 2021 12:33:10 +0200 Subject: [PATCH 060/254] docs: change title and add references --- ..._lateral_movement.yml => win_lateral_movement_condrv.yml} | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) rename rules/windows/other/{win_lateral_movement.yml => win_lateral_movement_condrv.yml} (78%) 
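Review bot: `selection1` uses a plain value, `CommandLine: 'Add-MpPreference'`, which in Sigma is an exact whole-field match, while `selection2` requires the same field to contain ` -ExclusionPath `; both cannot hold at once, so `selection1 and selection2` never fires and only the encoded branch is live. It should read `CommandLine|contains: 'Add-MpPreference'`. The three base64 fragments are rotations of the ASCII encoding, but PowerShell's `-EncodedCommand` takes UTF-16LE, so `-enc` payloads are not matched — add the UTF-16LE rotations (starting with `QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQ`) or state the limitation in the description.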
diff --git a/rules/windows/other/win_lateral_movement.yml b/rules/windows/other/win_lateral_movement_condrv.yml similarity index 78% rename from rules/windows/other/win_lateral_movement.yml rename to rules/windows/other/win_lateral_movement_condrv.yml index 90f0bd727..737133055 100644 --- a/rules/windows/other/win_lateral_movement.yml +++ b/rules/windows/other/win_lateral_movement_condrv.yml @@ -1,9 +1,12 @@ -title: Lateral Movement Indicator +title: Lateral Movement Indicator ConDrv id: 29d31aee-30f4-4006-85a9-a4a02d65306c status: stable description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context. author: Janantha Marasinghe date: 2021/04/27 +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm + - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html tags: - attack.lateral_movement - attack.execution From 04709ab9f4eb50b8ea0fe0208546582f83860426 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 29 Apr 2021 17:59:49 +0200 Subject: [PATCH 061/254] refactor: renamed procdump rule --- .../process_creation/win_renamed_procdump.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml index 6a8fe0a84..8b9bad991 100644 --- a/rules/windows/process_creation/win_renamed_procdump.yml +++ b/rules/windows/process_creation/win_renamed_procdump.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth date: 2019/11/18 -modified: 2020/09/06 +modified: 2021/04/29 tags: - attack.defense_evasion - attack.t1036 # an old one 
@@ -15,13 +15,21 @@ logsource: product: windows category: process_creation detection: - selection: + selection1: OriginalFileName: 'procdump' - filter: + filter1: Image|endswith: - '\procdump.exe' - '\procdump64.exe' - condition: selection and not filter + selection2: + CommandLine|contains|all: + - ' -ma ' + - ' -accepteula ' + filter2: + CommandLine|contains: + - '\procdump.exe' + - '\procdump64.exe' + condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) falsepositives: - Procdump illegaly bundled with legitimate software - Weird admins who renamed binaries From 020e6c9e2968de47e20d22ef4925259a7c4354e3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 29 Apr 2021 18:23:14 +0200 Subject: [PATCH 062/254] fix: FP with Edge and call by ordinal --- .../process_creation/win_susp_rundll32_by_ordinal.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml index 2a850916d..e51a968d9 100644 --- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml @@ -13,7 +13,7 @@ tags: - attack.t1085 # an old one author: Florian Roth date: 2019/10/22 -modified: 2020/11/28 +modified: 2021/04/29 logsource: category: process_creation product: windows @@ -22,7 +22,11 @@ detection: CommandLine|contains|all: - '\rundll32.exe' - ',#' - condition: selection + filter: + CommandLine|contains|all: + - 'EDGEHTML.dll' + - '#141' + condition: selection and not filter falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment - Windows control panel elements have been identified as source (mmc) From 10fb216c9aeab090796d233e096130e01c7f7828 Mon Sep 17 00:00:00 2001 
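Review bot: `filter2` tests the CommandLine for `\procdump.exe`, so a legitimate, unrenamed `procdump.exe -ma -accepteula lsass.exe` started from its own directory (no backslash on the command line) is not filtered and is reported as a renamed binary, whereas `filter1` correctly keys on `Image`. Filter on the binary instead, `filter2: Image|endswith: '\procdump.exe'` (plus `\procdump64.exe`), which an attacker also cannot satisfy by merely mentioning the name in an argument. ` -accepteula ` with both surrounding spaces misses invocations where it is the last argument; ` -accepteula` without the trailing space is the safer token.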
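Review bot: The Edge exclusion is a `contains|all` over the whole command line, so `rundll32.exe evil.dll,#141 EDGEHTML.dll` is excluded too — an attacker only has to append the two tokens to slip past the rule. Tie them together so the filter matches only the genuine call, `CommandLine|contains: 'EDGEHTML.dll,#141'`, and if the observed FP has a stable Image or ParentImage add that as well. The `selection` block begins above the hunk.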
From: =?UTF-8?q?G=C3=A1bor=20Lipt=C3=A1k?= Date: Fri, 30 Apr 2021 12:03:27 -0400 Subject: [PATCH 063/254] Bump requests to 2.25 --- Pipfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Pipfile b/Pipfile index 7df1021b1..c8a358947 100644 --- a/Pipfile +++ b/Pipfile @@ -15,7 +15,7 @@ stix2 = "*" attackcti = "*" [packages] -requests = "~=2.23" +requests = "~=2.25" urllib3 = "~=1.25" progressbar2 = "~=3.47" pymisp = "~=2.4.123" From 80dc6aaf59629ace1cd95d6cebf108e89b01dbd7 Mon Sep 17 00:00:00 2001 From: SomeOne Date: Sat, 1 May 2021 20:54:26 +0200 Subject: [PATCH 064/254] Add FP and fix filters --- ...smon_registry_persistence_search_order.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 8e31caf6f..9d91337a9 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -4,9 +4,9 @@ status: experimental description: Detects potential COM object hijacking leveraging the COM Search Order references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ -author: Maxime Thiebaut (@0xThiebaut), oscd.community +author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2020/11/28 +modified: 2021/05/01 tags: - attack.persistence - attack.t1038 # an old one 
@@ -20,20 +20,31 @@ detection: - 'HKU\' - '_Classes\CLSID\' - '\InProcServer32\(Default)' - filter: + filter1: - Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' + filter2: - Details|contains|all: - '\AppData\Local\Microsoft\OneDrive\' - '\FileCoAuthLib64.dll' + filter3: - Details|contains|all: - '\AppData\Local\Microsoft\OneDrive\' - '\FileSyncShell64.dll' + filter4: + - Details|contains|all: + - '\AppData\Local\Microsoft\OneDrive\' + - '\FileSyncApi64.dll' + filter5: - Details|contains|all: - '\AppData\Local\Microsoft\TeamsMeetingAddin\' - '\Microsoft.Teams.AddinLoader.dll' - condition: selection and not filter + filter6: + - Details|contains|all: + - '\AppData\Roaming\Dropbox\' + - '\DropboxExt64.*.dll' + condition: selection and not ( filter1 or filter2 or filter3 or filter4 or filter5 or filter6 ) falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level level: medium From 4aae26cabdb1ac5325e1c8b22dd96609f2791d50 Mon Sep 17 00:00:00 2001 From: SomeOne Date: Sat, 1 May 2021 21:05:34 +0200 Subject: [PATCH 065/254] Grouping filters --- ...smon_registry_persistence_search_order.yml | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 9d91337a9..7f4b07fc4 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml 
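Review bot: `filter2` through `filter6` exclude on a directory fragment plus a bare DLL name with `contains|all`, so a lookalike `FileSyncShell64.dll` dropped anywhere under `\AppData\Local\Microsoft\OneDrive\`, or a `DropboxExt64.x.dll` under `\AppData\Roaming\Dropbox\`, is silently whitelisted — in exactly the user-writable location this rule exists to watch. If OneDrive's versioned directory rules out an `endswith` on the full relative path, at least document the trade-off, `# NOTE: name-based exclusion; a lookalike DLL under this path evades the rule`, and consider an `Image`-based condition on the installer/updater instead. Note that `*` in `DropboxExt64.*.dll` is a Sigma wildcard, so that entry is broader than it looks.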
@@ -24,27 +24,22 @@ detection: - Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' - filter2: - - Details|contains|all: - - '\AppData\Local\Microsoft\OneDrive\' + filterOneDrive: + - Details|contains: '\AppData\Local\Microsoft\OneDrive\' + filterOneDrive2: + - Details|contains: - '\FileCoAuthLib64.dll' - filter3: - - Details|contains|all: - - '\AppData\Local\Microsoft\OneDrive\' - '\FileSyncShell64.dll' - filter4: - - Details|contains|all: - - '\AppData\Local\Microsoft\OneDrive\' - '\FileSyncApi64.dll' - filter5: + filter2: - Details|contains|all: - '\AppData\Local\Microsoft\TeamsMeetingAddin\' - '\Microsoft.Teams.AddinLoader.dll' - filter6: + filter3: - Details|contains|all: - '\AppData\Roaming\Dropbox\' - '\DropboxExt64.*.dll' - condition: selection and not ( filter1 or filter2 or filter3 or filter4 or filter5 or filter6 ) + condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 ) falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level level: medium From cc13a5e3de187f9a69c7e7fe3280e57f909b9fc1 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Sun, 2 May 2021 14:39:41 +0200 Subject: [PATCH 066/254] Add a backend option to specify table name for SQL Backend --- tools/sigma/backends/sql.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index bd734bfa6..077de1bbc 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py 
@@ -43,9 +43,16 @@ class SQLBackend(SingleTextQueryBackend): mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list mapLength = "(%s %s)" - def __init__(self, sigmaconfig, table): + options = SingleTextQueryBackend.options + ( + ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ) + + def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) - self.table = table + if "table" in options: + self.table = options["table"] + else: + self.table = "eventlog" def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] From 6605d302cd2811efb5bf5e9546736addd116d232 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 3 May 2021 13:05:21 +0200 Subject: [PATCH 067/254] fix: trying to fix pipenv issue --- .github/workflows/sigma-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index a68fc115f..d94d319dd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,6 +23,7 @@ jobs: run: | python -m pip install --upgrade pip pip install pipenv + pipenv lock pipenv install --dev --deploy - name: Test Sigma Tools and Rules run: | From a9c837659b9fe95dd1461a6fa47628f0a3b5ccd5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 3 May 2021 15:30:33 +0200 Subject: [PATCH 068/254] backend: powershell: escape $ symbols in strings --- tools/sigma/backends/powershell.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py index 192e5369d..b77f60ea3 100644 --- a/tools/sigma/backends/powershell.py +++ b/tools/sigma/backends/powershell.py 
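Review bot: The constructor signature changes from `(sigmaconfig, table)` to `(sigmaconfig, options)`, which breaks any caller or subclass that still passes the table positionally — none is visible here, so confirm before merging. The table name is then interpolated into generated SQL unvalidated; the option comes from the operator's CLI so the risk is low, but rejecting anything outside an identifier pattern, `if not re.fullmatch(r'[A-Za-z_]\w*', self.table): raise ValueError("invalid table name")`, avoids emitting broken or injected queries. `self.table = options.get("table", "eventlog")` replaces the four-line branch; the query template that uses `self.table` lies outside the hunk.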
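Review bot: Running `pipenv lock` immediately before `pipenv install --dev --deploy` defeats the purpose of `--deploy`, whose job is to fail when `Pipfile.lock` is out of date; the lock is now regenerated on every run, so CI tests against whatever resolves at that moment rather than the committed, reviewable pins, and a newly published or hijacked dependency reaches CI unnoticed. Fix the lockfile in the repository and keep `--deploy`, or, if an unpinned install is intended, drop `--deploy` so the workflow says what it does. The preceding steps of the job are outside the hunk.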
@@ -29,7 +29,7 @@ class PowerShellBackend(SingleTextQueryBackend): ("csv", False, "Return the results in CSV format instead of Powershell objects", None), ) - reEscape = re.compile('("|(? Date: Mon, 3 May 2021 17:04:55 +0200 Subject: [PATCH 069/254] fix: too broad definition of *.log on linux --- tools/config/thor.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 4c4ded456..f08e541f1 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -222,10 +222,6 @@ logsources: sources: - "File:/var/log/syslog" - "File:/var/log/syslog.?" - linux-log: - product: linux - sources: - - "File:*.log" logfiles: category: logfile sources: From c6aeee958e27e5f81820b06f0415195f0740550e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 4 May 2021 09:27:11 +0200 Subject: [PATCH 070/254] rule: more named pipes by @blueteam0ps --- rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index badc331b7..f4dd7dc88 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml @@ -30,6 +30,10 @@ detection: # - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253 - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/ + - '\svcctl' #Crackmapexec smbexec default named pipe + - '\Posh*' #PoshC2 default + - '\jaccdpqnvbrrxlaf' #PoshC2 default + - '\csexecsvc' #CSEXEC default condition: selection tags: - attack.defense_evasion From ecb133f97d840886a0b078fb583a72b603d48911 Mon Sep 17 00:00:00 2001 
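Review bot: `\svcctl` is the well-known Service Control Manager RPC endpoint that legitimate remote service management also uses, and since the `pipe_created` category covers pipe connections as well as creations, this entry is likely to fire on routine `sc \\host` or management-tool traffic rather than only on smbexec — expect noise at this rule's level. Either constrain it (a separate rule keyed on the creation event, or an Image/User condition) or record the expectation inline, `# SCM RPC endpoint — also used by legitimate remote service management; tune per environment`. `\Posh*` is a wildcard prefix and may collide with unrelated pipes beginning with `Posh`.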
From: Florian Roth Date: Tue, 4 May 2021 09:28:17 +0200 Subject: [PATCH 071/254] docs: extended authors of malicious pipe rule --- rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index f4dd7dc88..e425bf51b 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml @@ -5,7 +5,7 @@ description: Detects the creation of a named pipe used by known APT malware references: - Various sources date: 2017/11/06 -author: Florian Roth +author: Florian Roth, blueteam0ps logsource: product: windows category: pipe_created From 8973b573bde4d4086e96a165f554a0dcfbf72038 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 4 May 2021 09:36:26 +0200 Subject: [PATCH 072/254] Update and rename rules/windows/other/win_Outlook_C2_Macro_Creation.yml to rules/windows/file_event/win_outlook_c2_macro_creation.yml --- .../win_outlook_c2_macro_creation.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/windows/{other/win_Outlook_C2_Macro_Creation.yml => file_event/win_outlook_c2_macro_creation.yml} (74%) diff --git a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml similarity index 74% rename from rules/windows/other/win_Outlook_C2_Macro_Creation.yml rename to rules/windows/file_event/win_outlook_c2_macro_creation.yml index eec322406..e2b9f0c1e 100644 --- a/rules/windows/other/win_Outlook_C2_Macro_Creation.yml +++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml 
@@ -1,7 +1,7 @@ -title: BEC - Outlook C2 Macro Creation +title: Outlook C2 Macro Creation id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 status: experimental -description: Detects the creation of a macro file for Outlook. Goes with win_Outlook_C2_Registry_Key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events (Registry & File Creation happens at the same time. +description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time. references: - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ author: '@ScoubiMtl' From 4ad3316d742e3cd1c9c0a861987496815fe18ed2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 4 May 2021 09:41:38 +0200 Subject: [PATCH 073/254] Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml --- .../win_outlook_C2_registry_key.yml} | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) rename rules/windows/{other/win_Outlook_C2_Registry_Key.yml => registry_event_write/win_outlook_C2_registry_key.yml} (62%) diff --git a/rules/windows/other/win_Outlook_C2_Registry_Key.yml b/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml similarity index 62% rename from rules/windows/other/win_Outlook_C2_Registry_Key.yml rename to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml index 0bf6930a0..e30550167 100644 --- a/rules/windows/other/win_Outlook_C2_Registry_Key.yml +++ b/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 
@@ -1,7 +1,7 @@ -title: BEC - Outlook C2 Registry Key +title: Outlook C2 Registry Key id: e3b50fa5-3c3f-444e-937b-0a99d33731cd status: experimental -description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_Outlook_C2_Macro_Creation.yml and is particularly interesting if both events occur near to each other. +description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other. references: - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ author: '@ScoubiMtl' @@ -13,12 +13,12 @@ tags: - attack.t1546 date: 2021/04/05 logsource: - category: registry_event + category: registry_event_write product: windows detection: selection_registry: - TargetObject: - - 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security' + TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level' + Details|contains: '0x00000001' condition: selection_registry falsepositives: - Unlikely From 5a98e36905375f3a1e5893aee6b6b02891185877 Mon Sep 17 00:00:00 2001 From: partyh4rd <31990479+P4rtyH4RD@users.noreply.github.com> Date: Tue, 4 May 2021 14:04:52 +0300 Subject: [PATCH 074/254] Update powershell_suspicious_getprocess_lsass.yml fix mitre_code 1552.004 -> 1003.001 --- .../powershell/powershell_suspicious_getprocess_lsass.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index b89b2b086..cb8754e21 100644 --- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml 
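Review bot: `TargetObject: 'HKEY_CURRENT_USER\...'` is now an exact match on a path form Sysmon does not emit — Sysmon registry events render user hives as `HKU\<SID>\Software\...` — so the rule cannot fire on its intended source; use `TargetObject|endswith: '\Software\Microsoft\Office\16.0\Outlook\Security\Level'` (or `\Outlook\Security\Level` to cover other Office versions). `category: registry_event_write` is not a category I recognise in the Sigma taxonomy; if no backend config defines it the rule maps to no logsource at all, so check it or keep `registry_event`. The `Details|contains: '0x00000001'` line does line up with Sysmon's `DWORD (0x00000001)` rendering.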
@@ -6,7 +6,7 @@ references: - https://twitter.com/PythonResponder/status/1385064506049630211 tags: - attack.credential_access - - attack.t1552.004 + - attack.t1003.001 author: Florian Roth date: 2021/04/23 logsource: From 3926e2388fdc1ee684e29796a2721969b8d55312 Mon Sep 17 00:00:00 2001 From: John Connor McLaughlin Date: Tue, 4 May 2021 15:23:47 -0400 Subject: [PATCH 075/254] Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html --- tools/config/winlogbeat-modules-enabled.yml | 1 + tools/config/winlogbeat-old.yml | 1 + tools/config/winlogbeat.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 7e91eb360..2a4bf2621 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -135,6 +135,7 @@ fieldmappings: Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 34fef1fdd..789d5f2b8 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -119,6 +119,7 @@ fieldmappings: ProcessName: event_data.ProcessName Product: event_data.Product Properties: event_data.Properties + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: event_data.SecurityID ServiceFileName: event_data.ServiceFileName ServiceName: event_data.ServiceName diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 9bb3c5559..1b1f4bdea 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml 
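Review bot: The mapping added to `winlogbeat-old.yml` uses `winlog.event_data.ScriptBlockText`, but every neighbouring entry in that file maps to the unprefixed `event_data.*` form (`event_data.ProcessName`, `event_data.Properties`), so the old-winlogbeat schema receives a field path that does not exist there and ScriptBlockText rules silently match nothing. It should be `ScriptBlockText: event_data.ScriptBlockText`. The other two files correctly carry the `winlog.` prefix.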
@@ -125,6 +125,7 @@ fieldmappings: Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName SAMAccountName: winlog.event_data.SamAccountName + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName From d4bd69dd77bb77a896a9211c8d363928c3e220fd Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Tue, 4 May 2021 18:13:08 -0400 Subject: [PATCH 076/254] Suspicious DNS Z Flag Set The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. references: - 'https://twitter.com/neu5ron/status/1346245602502443009' - 'https://tools.ietf.org/html/rfc2929#section-2.1' - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' --- .../zeek/zeek_dns_suspicious_zbit_flag.yml | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml new file mode 100644 index 000000000..5ea101f56 --- /dev/null +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
@@ -0,0 +1,61 @@ +title: Suspicious DNS Z Flag Bit Set +id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 +description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' +references: + - 'https://twitter.com/neu5ron/status/1346245602502443009' + - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' + - 'https://tools.ietf.org/html/rfc2929#section-2.1' + - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' +author: '@neu5ron, SOC Prime Team, Corelight' +tags: + - attack.t1094 + - attack.t1043 + - attack.command_and_control +logsource: + product: zeek + service: dns +detection: + z_flag_unset: + Z: '0' + most_probable_valid_domain: + query|contains: '.' + exclude_tlds: + query|endswith: + - '.arpa' + - '.local' + - '.ultradns.net' + - '.twtrdns.net' + - '.azuredns-prd.info' + - '.azure-dns.com' + - '.azuredns-ff.info' + - '.azuredns-ff.org' + - '.azuregov-dns.org' + exclude_query_types: + qtype_name: + - 'NS' + - 'ns' + exclude_responses: + answers|endswith: '\\x00' + condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses) +falsepositive: + - 'Internal or legitimate external domains using DNSSec. 
Verify if these are legitimate DNSSec domains and then exclude them.' + - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' +level: medium +fields: +- ts +- id.orig_h +- id.orig_p +- id.resp_h +- id.resp_p +- proto +- qtype_name +- qtype +- query +- answers +- rcode +- rcode_name +- trans_id +- qtype +- ttl +- AA +- uid From 415219907321173dabde42fda6d0b3d7d19fac06 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Tue, 4 May 2021 18:27:05 -0400 Subject: [PATCH 077/254] add netbios port exclusion netbios - every defenders nightmare and reality of FPs --- .../zeek/zeek_dns_suspicious_zbit_flag.yml | 41 +++++++++++-------- 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index 5ea101f56..d1bbe0e48 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
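Review bot: The condition repeats one selection, `NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses)`; the duplicate does not change evaluation but reads like a lost exclusion, and it survives the follow-up commit that adds `exclude_netbios`. The schema key is `falsepositives:`, not `falsepositive:`, and `fields` lists `qtype` twice. The description also carries a sentence about "multiple of these files were accessed in a short period of time" that belongs to a file-access rule, not a DNS header check, and should be removed. `attack.t1094` and `attack.t1043` are retired technique IDs; `attack.t1071.004` (Application Layer Protocol: DNS) is the current tag for DNS-carried C2.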
@@ -36,26 +36,31 @@ detection: - 'ns' exclude_responses: answers|endswith: '\\x00' - condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses) + exclude_netbios: + id.resp_p: + - '137' + - '138' + - '139' + condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios) falsepositive: - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' level: medium fields: -- ts -- id.orig_h -- id.orig_p -- id.resp_h -- id.resp_p -- proto -- qtype_name -- qtype -- query -- answers -- rcode -- rcode_name -- trans_id -- qtype -- ttl -- AA -- uid + - ts + - id.orig_h + - id.orig_p + - id.resp_h + - id.resp_p + - proto + - qtype_name + - qtype + - query + - answers + - rcode + - rcode_name + - trans_id + - qtype + - ttl + - AA + - uid From 1352f0b0a6ccb82d8edc389b5aa90b6cd4877bd1 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 5 May 2021 12:37:50 +0545 Subject: [PATCH 078/254] Added rule for Pingback backdoor --- .../sysmon/sysmon_pingback_backdoor.yml | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_pingback_backdoor.yml diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml new file mode 100644 index 000000000..5aa9dc93e --- /dev/null +++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml 
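Review bot: The new `exclude_netbios` values `'137'`, `'138'`, `'139'` are quoted strings, whereas Zeek logs `id.resp_p` as a port number; depending on the backend a string comparison against a numeric field may never match, so write them unquoted as `- 137`, `- 138`, `- 139`. The commit message says this exclusion exists because of NetBIOS false positives; a one-line comment above the selection, `# NBNS/NetBIOS traffic parsed by the DNS analyzer sets Z routinely`, would keep that reasoning in the rule where the next maintainer sees it.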
@@ -0,0 +1,47 @@ +action: global +title: Pingback Backdoor +id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 +status: experimental +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report +author: Bhabesh Raj +date: 2021/05/05 +falsepositives: + - Very unlikely +level: high +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel + - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 +tags: + - attack.persistence + - attack.t1574.001 +--- +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: updata.exe + TargetFilename: 'C:\Windows\oci.dll' + condition: selection +--- +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: 'msdtc.exe' + ImageLoaded: 'C:\Windows\oci.dll' + condition: selection +--- +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage|endswith: 'updata.exe' + CommandLine|contains|all: + - 'config' + - 'msdtc' + - 'start' + - 'auto' + condition: selection From 4529fbd1f3ba3d96b14c854113adb6f2d7b55a1d Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 5 May 2021 12:48:29 +0545 Subject: [PATCH 079/254] Fixed too many spaces after hyphen error --- rules/windows/sysmon/sysmon_pingback_backdoor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml index 5aa9dc93e..085c739e9 100644 --- a/rules/windows/sysmon/sysmon_pingback_backdoor.yml +++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml @@ -41,7 +41,7 @@ detection: ParentImage|endswith: 'updata.exe' CommandLine|contains|all: - 'config' - - 'msdtc' + - 'msdtc' - 'start' - 'auto' condition: selection From 15ab1d5e8b129dd567ff28e67b1aaa5aec8badcb Mon Sep 17 00:00:00 2001 
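Review bot: In the first document `Image|endswith: updata.exe` is the only unquoted value, while the other two documents quote `'updata.exe'` and `'msdtc.exe'`; quote it for consistency. The rule is tagged only with persistence/`attack.t1574.001`, but the description says the backdoor builds an ICMP tunnel for C2, so `attack.command_and_control` with `attack.t1095` (Non-Application Layer Protocol) documents the rest of the behaviour. The process_creation selection (`config`, `msdtc`, `start`, `auto` in the command line) is only distinctive because of the `updata.exe` parent, which the description should state so that nobody relaxes the `ParentImage` clause during tuning.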
From: Florian Roth Date: Wed, 5 May 2021 11:55:49 +0200 Subject: [PATCH 080/254] Create lnx_symlink_etc_passwd.yml --- rules/linux/lnx_symlink_etc_passwd.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 rules/linux/lnx_symlink_etc_passwd.yml diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/lnx_symlink_etc_passwd.yml new file mode 100644 index 000000000..af79eef75 --- /dev/null +++ b/rules/linux/lnx_symlink_etc_passwd.yml @@ -0,0 +1,19 @@ +title: Symlink Etc Passwd +id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523 +status: experimental +description: Detects suspicious command lines that look as if they would create symbolic links from or to /etc/passwd +author: Florian Roth +date: 2019/04/05 +references: + - https://www.qualys.com/2021/05/04/21nails/21nails.txt +logsource: + product: linux +detection: + keywords|contains|all: + - 'ln ' + - ' -s ' + - '/etc/passwd' + condition: keywords +falsepositives: + - Unknown +level: high From 0e9176776d957ab10481793caa3e98ec1390822e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 5 May 2021 12:11:59 +0200 Subject: [PATCH 081/254] refactor: moved rule --- .../win_outlook_C2_registry_key.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/{registry_event_write => registry_event}/win_outlook_C2_registry_key.yml (96%) diff --git a/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml b/rules/windows/registry_event/win_outlook_C2_registry_key.yml similarity index 96% rename from rules/windows/registry_event_write/win_outlook_C2_registry_key.yml rename to rules/windows/registry_event/win_outlook_C2_registry_key.yml index e30550167..4d6524277 100644 --- a/rules/windows/registry_event_write/win_outlook_C2_registry_key.yml +++ b/rules/windows/registry_event/win_outlook_C2_registry_key.yml 
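Review bot: `date: 2019/04/05` predates the only reference, whose URL carries the date 2021/05/04, and the commit itself is from May 2021; this looks like a typo for `date: 2021/05/05`, and it is carried unchanged into the follow-up "fix: linux keywords rule" commit. The rule also has no `tags:`; given the 21nails reference it presumably belongs under `attack.privilege_escalation`, which is worth adding so the rule appears in coverage reports. The `keywords|contains|all` form is replaced by the follow-up commit, so I am not raising it here.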
@@ -13,7 +13,7 @@ tags: - attack.t1546 date: 2021/04/05 logsource: - category: registry_event_write + category: registry_event product: windows detection: selection_registry: From 44097243bf8ff30d957747a853dbec95032aa21a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 5 May 2021 12:12:08 +0200 Subject: [PATCH 082/254] rule: dell driver load --- .../sysmon_vuln_dell_driver_load.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml new file mode 100644 index 000000000..c050853f6 --- /dev/null +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -0,0 +1,25 @@ +title: Vulnerable Dell BIOS Update Driver Load +id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 +description: Detects the load of the vulnerable Dell BIOS update driver +author: Florian Roth +date: 2021/05/05 +references: + - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ +logsource: + category: driver_load + product: windows +detection: + selection_image: + ImageLoaded|contains: '\DBUtil_2_3.Sys' + selection_hash: + Hashes|contains: + - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' + - 'c948ae14761095e4d76b55d9de86412258be7afd' + - 'c996d7971c49252c582171d9380360f2' + - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' + - '10b30bdee43b3a2ec4aa63375577ade650269d25' + - 'd2fd132ab7bbc6bbb87a84f026fa0244' + condition: selection_image or selection_hash +falsepositives: + - legitimate BIOS driver updates (should be rare) +level: high From 0ca2d052473c695f334d34ce19818b106a4fb0b8 Mon Sep 17 00:00:00 2001 
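Review bot: The Dell driver rule has no `status:` key, which every other new rule in this series sets (`status: experimental`); add it. The six `Hashes|contains` entries are two SHA256/SHA1/MD5 triplets with nothing saying which driver build each belongs to; a comment above each triplet naming the sample (from the SentinelOne reference) would make later hash updates safe. `ImageLoaded|contains: '\DBUtil_2_3.Sys'` also matches a path that merely contains that segment; `ImageLoaded|endswith: '\DBUtil_2_3.Sys'` is the tighter form, and whether `.Sys` matches `.sys` depends on the backend's case handling.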
From: Florian Roth Date: Wed, 5 May 2021 12:26:59 +0200 Subject: [PATCH 083/254] revert changes to powershell backend --- tools/sigma/backends/powershell.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py index b77f60ea3..192e5369d 100644 --- a/tools/sigma/backends/powershell.py +++ b/tools/sigma/backends/powershell.py @@ -29,7 +29,7 @@ class PowerShellBackend(SingleTextQueryBackend): ("csv", False, "Return the results in CSV format instead of Powershell objects", None), ) - reEscape = re.compile('("|(? Date: Wed, 5 May 2021 12:56:24 +0200 Subject: [PATCH 084/254] fix: linux keywords rule --- rules/linux/lnx_symlink_etc_passwd.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/lnx_symlink_etc_passwd.yml index af79eef75..9d20a1896 100644 --- a/rules/linux/lnx_symlink_etc_passwd.yml +++ b/rules/linux/lnx_symlink_etc_passwd.yml @@ -1,7 +1,7 @@ title: Symlink Etc Passwd id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523 status: experimental -description: Detects suspicious command lines that look as if they would create symbolic links from or to /etc/passwd +description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd author: Florian Roth date: 2019/04/05 references: @@ -9,10 +9,9 @@ references: logsource: product: linux detection: - keywords|contains|all: - - 'ln ' - - ' -s ' - - '/etc/passwd' + keywords: + - 'ln -s -f /etc/passwd' + - 'ln -s /etc/passwd' condition: keywords falsepositives: - Unknown From a9417b3f7b46b3bdb2ace266686098ad54172ed3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 5 May 2021 12:59:13 +0200 Subject: [PATCH 085/254] docs: better error highlighting --- tools/sigma/sigmac.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index a3994e615..af5a1147d 100755 
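Review bot: The replacement keyword list matches only the two exact spellings `'ln -s -f /etc/passwd'` and `'ln -s /etc/passwd'`, so the combined-flag form that the description's "symbolic links to /etc/passwd" equally covers is missed; add `- 'ln -sf /etc/passwd'` or, on a log source that provides the field, use a selection with `CommandLine|contains|all` over `'ln '`, `'-s'` and `'/etc/passwd'`. Moving away from `keywords|contains|all` is right, since modifiers on the keyword list are not valid Sigma. Given that the patterns are now literal substrings, a `falsepositives` entry more specific than `Unknown` (e.g. administrators re-pointing the file during migrations) would help tuning.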
--- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -243,23 +243,23 @@ def main(): print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) error = ERR_OPEN_SIGMA_RULE except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e: - print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr) + print("Error: Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr) error = ERR_INVALID_YAML if not cmdargs.defer_abort: sys.exit(error) except (SigmaParseError, SigmaCollectionParseError) as e: - print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + print("Error: Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) error = ERR_SIGMA_PARSING if not cmdargs.defer_abort: sys.exit(error) except NotSupportedError as e: - print("The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr) + print("Error: The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr) if not cmdargs.ignore_backend_errors: error = ERR_NOT_SUPPORTED if not cmdargs.defer_abort: sys.exit(error) except BackendError as e: - print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + print("Error: Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) if not cmdargs.ignore_backend_errors: error = ERR_BACKEND if not cmdargs.defer_abort: 
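Review bot: The first except branch in the hunk, `print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)`, keeps the unprefixed form while the four messages changed below it gain `Error: `, so the highlighting this commit introduces is inconsistent within the same try block; change it to `print("Error: Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)`. Since every branch now repeats the same prefix and stream, a small helper such as `def _print_error(msg): print("Error: " + msg, file=sys.stderr)` would make a later switch to colouring or logging a one-line edit. The enclosing `main()` starts outside the hunk.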
@@ -272,13 +272,13 @@ def main(): if not cmdargs.defer_abort: sys.exit(error) except PartialMatchError as e: - print("Partial field match error: %s" % str(e), file=sys.stderr) + print("Error: Partial field match error: %s" % str(e), file=sys.stderr) if not cmdargs.ignore_backend_errors: error = ERR_PARTIAL_FIELD_MATCH if not cmdargs.defer_abort: sys.exit(error) except FullMatchError as e: - print("Full field match error", file=sys.stderr) + print("Error: Full field match error", file=sys.stderr) if not cmdargs.ignore_backend_errors: error = ERR_FULL_FIELD_MATCH if not cmdargs.defer_abort: From 80c7899c56e1281e6ca6f2be1edfaa6f18e1fe1b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 5 May 2021 14:27:36 +0200 Subject: [PATCH 086/254] rule: whoami priv --- .../process_creation/win_whoami_priv.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_whoami_priv.yml diff --git a/rules/windows/process_creation/win_whoami_priv.yml b/rules/windows/process_creation/win_whoami_priv.yml new file mode 100644 index 000000000..3cd02819c --- /dev/null +++ b/rules/windows/process_creation/win_whoami_priv.yml @@ -0,0 +1,23 @@ +title: Run Whoami Showing Privileges +id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b +status: experimental +description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt. +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami +author: Florian Roth +date: 2021/05/05 +tags: + - attack.privilege_escalation + - attack.discovery + - attack.t1033 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\whoami.exe' + CommandLine|contains: '/priv' + condition: selection +falsepositives: + - Administrative activity (rare lookups on current privileges) +level: high 
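Review bot: In the `except FullMatchError as e:` branch the message `"Error: Full field match error"` still drops the exception detail, unlike the `PartialMatchError` branch right above it that formats `str(e)`; `e` is bound and never used. If `FullMatchError` carries a message, `print("Error: Full field match error: %s" % str(e), file=sys.stderr)` gives the user the offending field; if it does not, drop the `as e` so the unused binding does not suggest otherwise. `main()` starts outside the hunk.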
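Review bot: The description has a typo, `privieleges` → `privileges`. `CommandLine|contains: '/priv'` catches only the slash form; if the deployed whoami.exe accepts dash switches, `'-priv'` should be listed too, and `/all` prints the same privilege table, so a list of `'/priv'`, `'-priv'`, `'/all'`, `'-all'` (hedged — confirm against the referenced Microsoft documentation) covers the intent of "showing privileges". With `Administrative activity` as the stated false positive, `level: high` is aggressive for a single command-line token; a sentence in the description on why it is rated high (post-escalation check) would justify the choice.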
From 9e662b91595d6c10d281c5e0d3464c58d442f1e8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 5 May 2021 14:31:01 +0200 Subject: [PATCH 087/254] Update sysmon_vuln_dell_driver_load.yml --- rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml index c050853f6..39517aa8b 100644 --- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -1,6 +1,6 @@ title: Vulnerable Dell BIOS Update Driver Load id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 -description: Detects the load of the vulnerable Dell BIOS update driver +description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 author: Florian Roth date: 2021/05/05 references: @@ -8,6 +8,8 @@ references: logsource: category: driver_load product: windows +tags: + - cve.2021-21551 detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' @@ -19,6 +21,9 @@ detection: - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' - '10b30bdee43b3a2ec4aa63375577ade650269d25' - 'd2fd132ab7bbc6bbb87a84f026fa0244' + + + condition: selection_image or selection_hash falsepositives: - legitimate BIOS driver updates (should be rare) From 4b520de3734a1bd2eac3684107d538acd52104ad Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 5 May 2021 15:05:06 +0200 Subject: [PATCH 088/254] new rule detecting ld.so preload persistence by keyword --- rules/linux/lnx_ldso_preload_injection.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 rules/linux/lnx_ldso_preload_injection.yml diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/lnx_ldso_preload_injection.yml new file mode 100644 index 000000000..be1b937b7 --- /dev/null +++ b/rules/linux/lnx_ldso_preload_injection.yml 
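Review bot: The third hunk inserts three blank lines between the last hash and `condition: selection_image or selection_hash`; they are stray whitespace inside the `detection` mapping, which yamllint reports (`empty-lines`) and which no other rule in this series carries, so drop them. The new `tags:` block holds only `cve.2021-21551`; an ATT&CK tag alongside it, `attack.privilege_escalation` and `attack.t1068` (Exploitation for Privilege Escalation) as the referenced advisory describes, would place the rule in tactic-based coverage views.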
@@ -0,0 +1,17 @@ +title: Code Injection by ld.so Preload +id: 7e3c4651-c347-40c4-b1d4-d48590fdf684 +status: experimental +description: Detects the ld.so preload persistence file. See `man ld.so` for more information. +author: Christian Burkard +date: 2021/05/05 +references: + - https://man7.org/linux/man-pages/man8/ld.so.8.html +logsource: + product: linux +detection: + keyword: + - '/etc/ld.so.preload' + condition: keyword +falsepositives: + - rare temporary workaround for library misconfiguration +level: high From 254a3bb1226b7fee54b7361124d091d623091497 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 5 May 2021 15:06:00 +0200 Subject: [PATCH 089/254] new rules detecting the creation of a local hidden user --- .../builtin/win_hidden_user_creation.yml | 25 +++++++++++++++++++ .../sysmon_registry_add_local_hidden_user.yml | 23 +++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 rules/windows/builtin/win_hidden_user_creation.yml create mode 100644 rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/win_hidden_user_creation.yml new file mode 100644 index 000000000..8dee8a7c3 --- /dev/null +++ b/rules/windows/builtin/win_hidden_user_creation.yml @@ -0,0 +1,25 @@ +title: Hidden Local User Creation +id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 +description: Detects the creation of a local hidden user account which should not happen for event ID 4720. +status: experimental +tags: + - attack.persistence + - attack.t1136.001 +references: + - https://twitter.com/SBousseaden/status/1387743867663958021 +author: Christian Burkard +date: 2021/05/03 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4720 + TargetUserName|endswith: '$' + condition: selection +fields: + - EventCode + - AccountName +falsepositives: + - unkown +level: high 
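Review bot: The ld.so.preload rule has no `tags:`; the behaviour it names is dynamic linker hijacking, so `attack.persistence`, `attack.privilege_escalation` and `attack.t1574.006` (Hijack Execution Flow: Dynamic Linker Hijacking) document it. The title says "Code Injection" while the description says "persistence file"; a description such as `Detects references to the ld.so preload file, which is used for library injection and persistence. See man ld.so for details.` aligns the two. As a bare keyword rule with `product: linux` and no `service`, it fires on any log line that mentions `/etc/ld.so.preload`, including reads by integrity or audit tooling, which belongs in `falsepositives` next to the existing entry.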
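Review bot: In win_hidden_user_creation.yml `fields:` lists `EventCode` and `AccountName`, but the detection keys on `EventID` and `TargetUserName`; the field list should use the names the rule matches on, `- EventID` and `- TargetUserName`, so converted queries surface the matched values. `falsepositives: - unkown` is a typo for `unknown`. The title says "Local", yet `service: security` with `EventID: 4720` is also collected from domain controllers; if any account-provisioning path in your environment emits 4720 for names ending in `$`, expect noise, and the description should state whether domain-joined hosts are in scope.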
diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml new file mode 100644 index 000000000..3cd86d664 --- /dev/null +++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -0,0 +1,23 @@ +title: Creation of a local hidden user account by Registry +id: 460479f3-80b7-42da-9c43-2cc1d54dbccd +description: Sysmon registry detection of a local hidden user account. +status: experimental +date: 2021/05/03 +author: Christian Burkard +tags: + - attack.persistence + - attack.t1136.001 +references: + - https://twitter.com/SBousseaden/status/1387530414185664538 +logsource: + product: windows + service: registry_event +detection: + selection: + TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\' + TargetObject|endswith: '$' + Image|endswith: "lsass.exe" + condition: selection +falsepositives: + - unknown +level: high From da533c74251ae8502654a9ef69b9f65304a97f58 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 5 May 2021 15:22:09 +0200 Subject: [PATCH 090/254] fixed title capitalization --- .../registry_event/sysmon_registry_add_local_hidden_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml index 3cd86d664..61841f9bc 100644 --- a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml +++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -1,4 +1,4 @@ -title: Creation of a local hidden user account by Registry +title: Creation of a Local Hidden User Account by Registry id: 460479f3-80b7-42da-9c43-2cc1d54dbccd description: Sysmon registry detection of a local hidden user account. status: experimental From 1574d263ccfb4be2b640f78e26532201d8485661 Mon Sep 17 00:00:00 2001 
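Review bot: `logsource` uses `service: registry_event`, but `registry_event` is a Sigma category — the Outlook rule earlier in this series and this file's own directory `rules/windows/registry_event/` use `category: registry_event` — and as a service name the backends' logsource mappings will not resolve it, so change the line to `category: registry_event`. The Moriya rootkit rule later in this series has the same problem with `service: file_event`, which should be `category: file_event` as the Pingback rule writes it. `Image|endswith: "lsass.exe"` is the only double-quoted value in the rule; write it `Image|endswith: '\lsass.exe'` with the leading backslash, matching `'\whoami.exe'` elsewhere in the series, so an image whose name merely ends in `lsass.exe` cannot match.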
From: JohnConnorRF Date: Wed, 5 May 2021 10:25:36 -0400 Subject: [PATCH 091/254] Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178 --- tools/config/winlogbeat-modules-enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 2a4bf2621..a3034b7c5 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -135,7 +135,7 @@ fieldmappings: Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName - ScriptBlockText: winlog.event_data.ScriptBlockText + ScriptBlockText: powershell.file.script_block_text SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName From e5f95cac0ceca6bd35393ac36f323ce3a4d32e87 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Thu, 6 May 2021 17:29:20 +0545 Subject: [PATCH 092/254] Added rule for Moriya rootkit --- rules/windows/builtin/win_moriya_rootkit.yml | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/builtin/win_moriya_rootkit.yml diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml new file mode 100644 index 000000000..d3eb94af6 --- /dev/null +++ b/rules/windows/builtin/win_moriya_rootkit.yml 
@@ -0,0 +1,33 @@ +action: global +title: Moriya Rootkit +id: 25b9c01c-350d-4b95-bed1-836d04a4f324 +description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report +status: experimental +author: Bhabesh Raj +date: 2021/05/06 +level: Critical +falsepositives: + - None +references: + - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1543.003 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName: ZzNetSvc + condition: selection +--- +logsource: + product: windows + service: file_event +detection: + selection: + TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' + condition: selection From 79c11a5cba52e41ffdcf5b392b0839934a08e8a8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 6 May 2021 14:59:28 +0200 Subject: [PATCH 093/254] Update win_moriya_rootkit.yml --- rules/windows/builtin/win_moriya_rootkit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index d3eb94af6..544f3ae89 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -1,11 +1,11 @@ action: global title: Moriya Rootkit id: 25b9c01c-350d-4b95-bed1-836d04a4f324 -description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report +description: 'Detects the use of Moriya rootkit as described in the securelist\'s Operation TunnelSnake report' status: experimental author: Bhabesh Raj date: 2021/05/06 -level: Critical +level: critical falsepositives: - None references: From 453fa0f299333d7ed7746082ac26955411cc094a Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Thu, 6 May 2021 15:24:21 +0200 Subject: [PATCH 094/254] Update win_moriya_rootkit.yml --- rules/windows/builtin/win_moriya_rootkit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 544f3ae89..2458d0c93 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -1,7 +1,7 @@ action: global title: Moriya Rootkit id: 25b9c01c-350d-4b95-bed1-836d04a4f324 -description: 'Detects the use of Moriya rootkit as described in the securelist\'s Operation TunnelSnake report' +description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report status: experimental author: Bhabesh Raj date: 2021/05/06 From 39a21a9e891cad524af66a9356d48e702cdb9406 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 6 May 2021 14:14:08 -0500 Subject: [PATCH 095/254] Got Rid of References that are no longer valid. --- rules/windows/process_creation/win_susp_certutil_command.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 26cc7c489..b643eb4fc 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml @@ -8,8 +8,6 @@ date: 2019/01/16 modified: 2021/04/23 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - - https://twitter.com/subTee/status/888102593838362624 - - https://twitter.com/subTee/status/888071631528235010 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://twitter.com/egre55/status/1087685529016193025 From ad3b829f2d9eb5afa614cc55e01b3ce9ca625618 Mon Sep 17 00:00:00 2001 
From: Arnim Rupp <46819580+2d4d@users.noreply.github.com> Date: Sat, 8 May 2021 08:49:17 +0200 Subject: [PATCH 096/254] Update av_webshell.yml Added new strings and moved some from startwith to contains. --- rules/windows/malware/av_webshell.yml | 47 +++++++++++++++++++++------ 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3942662be..3d9cc3105 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml 
@@ -1,14 +1,19 @@ title: Antivirus Web Shell Detection id: fdf135a2-9241-4f96-a114-bb404948f736 -description: Detects a highly relevant Antivirus alert that reports a web shell +description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches. date: 2018/09/09 -modified: 2001/01/07 +modified: 2021/05/08 author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ + - https://github.com/tennc/webshell - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection + - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection + - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection + - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection + - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - attack.t1100 
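Review bot: The `tags:` context shows `attack.t1100`, a retired technique ID; the current tag for web shells is `attack.t1505.003` (Server Software Component: Web Shell), and since this commit already bumps `modified:` it is the right place to update it. In the new description, `anti virus` → `antivirus` and `github` → `GitHub` would match the title's spelling.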
@@ -18,26 +23,48 @@ logsource: detection: selection: - Signature|startswith: - - "PHP/Backdoor" - - "JSP/Backdoor" - - "ASP/Backdoor" - - "Backdoor.PHP" - - "Backdoor.JSP" - - "Backdoor.ASP" - - "Backdoor?Java" + - "PHP/" + - "JSP/" + - "ASP/" + - "Perl/" + - "PHP." + - "JSP." + - "ASP." + - "Perl." + - "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops + - "IIS/BackDoor" + - "JAVA/Backdoor" + - "Troj/ASP" + - "Troj/PHP" + - "Troj/JSP" - Signature|contains: - "Webshell" - "Chopper" + - "SinoChoper" - "ASPXSpy" - "Aspdoor" + - "filebrowser" + - "PHP_" + - "JSP_" + - "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops - "PHP:" + - "JSP:" + - "ASP:" + - "Perl:" - "PHPShell" - "Trojan.PHP" - "Trojan.ASP" - "Trojan.JSP" + - "Trojan.VBS" - "PHP?Agent" - "ASP?Agent" - "JSP?Agent" + - "VBS?Agent" + - "Backdoor?PHP" + - "Backdoor?JSP" + - "Backdoor?ASP" + - "Backdoor?VBS" + - "Backdoor?Java" condition: selection fields: - FileName From b9fc25712470f6c1e3b3b8eb0996ef07bc34bb6a Mon Sep 17 00:00:00 2001 From: Arnim Rupp <46819580+2d4d@users.noreply.github.com> Date: Sun, 9 May 2021 00:03:47 +0200 Subject: [PATCH 097/254] Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) --- rules/windows/malware/av_relevant_files.yml | 34 ++++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 4975c1e95..c200959a2 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml 
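Review bot: The new `Signature|startswith` prefixes `"PHP/"`, `"JSP/"`, `"ASP/"`, `"Perl/"` widen the rule from backdoor-specific names to any detection in those script families, and the inline comment explains that choice only for the VBS entry; a comment on the first of them, `# any server-side script family hit on a web server is worth a look; desktop-oriented families (VBS/) are excluded below`, records the intent for whoever tunes the list. The description already tells users to tune against their AV's naming, which is the right caveat for a list this broad.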
@@ -2,27 +2,37 @@ title: Antivirus Relevant File Paths Alerts id: c9a88268-0047-4824-ba6e-4d81ce0b907c description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name date: 2018/09/09 -modified: 2019/10/04 -author: Florian Roth +modified: 2021/05/09 +author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ logsource: product: antivirus detection: selection: - FileName|startswith: - - 'C:\Windows\Temp\' + - 'C:\Windows\' - 'C:\Temp\' - 'C:\PerfLogs\' - 'C:\Users\Public\' - 'C:\Users\Default\' - FileName|contains: - '\Client\' + - '\tsclient\' + - '\inetpub\' + - '/www/' + - 'apache' + - 'tomcat' + - 'nginx' + - 'weblogic' selection2: Filename|endswith: - '.ps1' + - '.psm1' - '.vbs' - '.bat' + - '.cmd' + - '.sh' - '.chm' - '.xml' - '.txt' @@ -30,8 +40,18 @@ detection: - '.jspx' - '.asp' - '.aspx' + - '.ashx' + - '.asax' + - '.asmx' - '.php' + - '.cfm' + - '.py' + - '.pyc' + - '.pl' + - '.rb' + - '.cgi' - '.war' + - '.ear' - '.hta' - '.lnk' - '.scf' @@ -39,6 +59,12 @@ detection: - '.vbe' - '.wsf' - '.wsh' + - '.gif' + - '.png' + - '.jpg' + - '.jpeg' + - '.svg' + - '.dat' condition: selection or selection2 fields: - Signature From 0bee1b006f75265df16101360390d41313fe8879 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Sat, 8 May 2021 21:37:25 -0400 Subject: [PATCH 098/254] fix - add date --- rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index d1bbe0e48..ec83f8866 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
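Review bot: `selection2` still keys on `Filename|endswith` while `selection` uses `FileName|startswith` / `FileName|contains`; on the case-sensitive backends this patch series is fixing elsewhere (patches 103–106 rename `OriginalFilename` to `OriginalFileName` for exactly this reason) the two selections address different fields, so the whole extension list extended in the second and third hunks may never match there. The context line `Filename|endswith:` should read `FileName|endswith:`. Separately, the new unanchored `FileName|contains` terms `apache`, `tomcat`, `nginx` and `weblogic` match any path or file name containing those words (an installer in a download folder, documentation), unlike the neighbouring `\tsclient\` and `\inetpub\` which are bounded by separators, and the new `.gif`/`.png`/`.jpg`/`.jpeg`/`.svg` suffixes turn every AV hit on a picture into an alert. Bounding the server-name terms (e.g. `'\tomcat\'`, `'/tomcat/'`) and recording the image-extension noise in `falsepositives` would keep the extra coverage from drowning the original intent of "highly relevant" paths.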
@@ -1,6 +1,7 @@ title: Suspicious DNS Z Flag Bit Set id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' +date: 2021/05/04 references: - 'https://twitter.com/neu5ron/status/1346245602502443009' - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' From 9c8b9756e5f4b1d97087dffa832124f165452d54 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Mon, 10 May 2021 14:06:53 +0545 Subject: [PATCH 099/254] Added rule for RClone usage for exfiltration --- .../sysmon_rclone_execution.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_rclone_execution.yml diff --git a/rules/windows/process_creation/sysmon_rclone_execution.yml b/rules/windows/process_creation/sysmon_rclone_execution.yml new file mode 100644 index 000000000..6cf58dc45 --- /dev/null +++ b/rules/windows/process_creation/sysmon_rclone_execution.yml 
@@ -0,0 +1,32 @@ +title: RClone Execution +id: a0d63692-a531-4912-ad39-4393325b2a9c +status: experimental +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc +tags: + - attack.exfiltration + - attack.t1567.002 +author: Bhabesh Raj +date: 2021/05/10 +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware + - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a + - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone +fields: + - CommandLine + - ParentCommandLine + - Details +falsepositives: + - Legitimate RClone use +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + Description: 'Rsync for cloud storage' + selection2: + CommandLine|contains|all: + - '--config ' + - '--no-check-certificate ' + - ' copy ' + condition: 1 of them From fcb7aa3bcfc71dffaf27f80079f08c83078d9245 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 10 May 2021 12:42:59 +0200 Subject: [PATCH 100/254] fix: FPs with rules --- .../process_creation/sysmon_proxy_execution_wuauclt.yml | 6 ++++-- .../process_creation/win_non_interactive_powershell.yml | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml index 1a680821f..3feffbd61 100644 --- a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml +++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml @@ -3,7 +3,7 @@ id: c649a6c7-cd8c-4a78-9c04-000fc76df954 description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. status: experimental date: 2020/10/12 -modified: 2021/04/12 +modified: 2021/05/10 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth tags: - attack.defense_evasion 
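Review bot: `selection2` anchors `'--config '` and `'--no-check-certificate '` with a trailing space, so the `--flag=value` spelling that rclone's flag parser also accepts (to be confirmed against a sample) is not covered, and `' copy '` leaves the equally exfiltration-capable `sync` and `move` subcommands unmatched. Since `selection` (the PE `Description`) already catches an unrenamed binary, `selection2` is the only path for a renamed or metadata-stripped one and is the part that needs the broader match — e.g. a second `CommandLine|contains` list with `' copy '`, `' sync '`, `' move '` combined with the two flags. `fields` lists `Details`, which is a registry-event field rather than a process_creation one; `Image` and `ParentImage` would be the useful context here.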
@@ -23,7 +23,9 @@ detection: - '.dll' - 'RunHandlerComServer' filter: - CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + CommandLine|contains: + - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + - ' wuaueng.dll ' condition: selection_one and selection_two and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml index 32caed855..a853048fe 100644 --- a/rules/windows/process_creation/win_non_interactive_powershell.yml +++ b/rules/windows/process_creation/win_non_interactive_powershell.yml @@ -3,7 +3,7 @@ id: f4bbd493-b796-416e-bbf2-121235348529 description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. status: experimental date: 2019/09/12 -modified: 2019/11/10 +modified: 2021/05/10 author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md @@ -18,7 +18,9 @@ detection: selection: Image|endswith: '\powershell.exe' filter: - ParentImage|endswith: '\explorer.exe' + ParentImage|endswith: + - '\explorer.exe' + - '\CompatTelRunner.exe' condition: selection and not filter falsepositives: - Legitimate programs executing PowerShell scripts From 416030a85f340cf929229de5eff790c1a5471541 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 10 May 2021 12:43:14 +0200 Subject: [PATCH 101/254] rule: cobaltstrike malformed UAs --- rules/proxy/proxy_cobalt_malformed_uas.yml | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/proxy/proxy_cobalt_malformed_uas.yml diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml new file mode 100644 index 000000000..419c0f120 --- /dev/null 
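Review bot: The new `filter` entry `' wuaueng.dll '` is a bare `CommandLine|contains` substring, so the exclusion is satisfied by any wuauclt command line that merely includes that token, which describes the benign invocation far less precisely than it exempts. Anchoring it to how the legitimate events actually look (for instance the module's expected System32 location, if the FP sample shows a full path — verify before narrowing) keeps the false-positive fix without widening the exclusion; the pre-existing `' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '` entry has the same shape and could be tightened at the same time. The `CompatTelRunner.exe` parent exclusion in the second hunk is at least bounded by `|endswith` and raises no such concern.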
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml @@ -0,0 +1,25 @@ +title: CobaltStrike Malformed UAs in Malleable Profiles +id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8 +status: experimental +description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike +author: Florian Roth +date: 2021/05/06 +references: + - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ +logsource: + category: proxy +detection: + selection: + c-useragent: + - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" + - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" + - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" + condition: selection +falsepositives: + - Unknown +level: critical +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one From d90965af385981ec270c7b3d9016377e254195d4 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Mon, 10 May 2021 20:28:37 +0545 Subject: [PATCH 102/254] Updated rule for Advanced IP Scanner --- .../win_advanced_ip_scanner.yml | 21 +++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_advanced_ip_scanner.yml b/rules/windows/process_creation/win_advanced_ip_scanner.yml index 4f3e93244..6468eaaaf 100644 --- a/rules/windows/process_creation/win_advanced_ip_scanner.yml +++ b/rules/windows/process_creation/win_advanced_ip_scanner.yml @@ -1,3 +1,4 @@ +action: global title: Advanced IP Scanner id: bef37fa2-f205-4a7b-b484-0759bfd5f86f status: experimental 
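Review bot: The `c-useragent` values are exact matches whose distinguishing feature is a formatting slip — the missing space in `MSIE 6.0;Windows` and the stray space before the closing parenthesis in `.NET4.0E )` — and nothing in the rule says so, so a later whitespace clean-up or editor normalization would silently break the detection. Add a comment above the list, e.g. `# the odd spacing in these UAs is the indicator - do not normalize`, in the same inline-comment style the hunk already uses for `t1043`. `falsepositives: Unknown` could also name the obvious candidate, an old client whose UA genuinely equals the copied string, which matters at `level: critical`.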
@@ -5,11 +6,18 @@ description: Detects the use of Advanced IP Scanner. Seems to be a popular tool references: - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html + - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc + - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf + - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer author: '@ROxPinTeddy' -date: 2020/05/12 +date: 2021/05/10 tags: - attack.discovery - attack.t1046 +falsepositives: + - Legitimate administrative use +level: medium +--- logsource: category: process_creation product: windows @@ -17,6 +25,11 @@ detection: selection: Image|contains: '\advanced_ip_scanner' condition: selection -falsepositives: - - Legitimate administrative use -level: medium +--- +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2' + condition: selection From a1b0dfc0cdc029f30829d3c674ff005e7aa046ef Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 May 2021 10:49:10 +0200 Subject: [PATCH 103/254] Correct cast-sensitive Key "DestinationIp" --- .../windows/network_connection/sysmon_rdp_reverse_tunnel.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml index ad50510af..b42525448 100755 --- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml 
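Review bot: The new `file_event` document matches `TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'`, which pins the major version in the path, so a future 3.x release would stop matching while the process_creation document still would. If the pin is intentional, say so with `# version-pinned on purpose; extend when a new major release ships`, otherwise drop the trailing ` 2`. If I read `action: global` correctly, `level` and `falsepositives` from the first document apply to both, so the installer-extraction artefact inherits `medium`, which seems appropriate.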
@@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1096148422984384514 author: Samir Bousseaden date: 2019/02/16 -modified: 2020/08/24 +modified: 2021/05/11 tags: - attack.command_and_control - attack.t1572 @@ -25,7 +25,7 @@ detection: selection2: - DestinationIp|startswith: - '127.' - - DestinationIP: + - DestinationIp: - '::1' condition: selection and selection2 falsepositives: From 720dd24814d47f97e103a2a0f67c71996e7b0c74 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 May 2021 11:13:33 +0200 Subject: [PATCH 104/254] Correct cast-sensitive Key "OriginalFilename" --- rules/windows/process_creation/win_hack_secutyxploded.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml index d36b3844d..d8899df42 100644 --- a/rules/windows/process_creation/win_hack_secutyxploded.yml +++ b/rules/windows/process_creation/win_hack_secutyxploded.yml @@ -6,7 +6,7 @@ references: - https://securityxploded.com/ - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ date: 2018/12/19 -modified: 2020/09/01 +modified: 2021/05/11 tags: - attack.credential_access - attack.t1555 @@ -21,7 +21,7 @@ detection: selection2: Image|endswith: 'PasswordDump.exe' selection3: - OriginalFilename|endswith: 'PasswordDump.exe' + OriginalFileName|endswith: 'PasswordDump.exe' condition: 1 of them falsepositives: - unlikely From c4c720cc304c28febe4e200f53f3c4b51c7b32a2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 May 2021 11:16:12 +0200 Subject: [PATCH 105/254] Correct cast-sensitive Key "OriginalFileName" --- rules/windows/process_creation/win_susp_csi.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml index 6599c02b5..ee19fca90 100644 
--- a/rules/windows/process_creation/win_susp_csi.yml +++ b/rules/windows/process_creation/win_susp_csi.yml @@ -4,6 +4,7 @@ description: Csi.exe is a signed binary from Micosoft that comes with Visual Stu status: experimental author: Konstantin Grishchenko, oscd.community date: 2020/10/17 +modified: 2021/05/11 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml @@ -22,8 +23,8 @@ detection: - Image|endswith: '\csi.exe' - Image|endswith: '\rcsi.exe' renamed: - - OriginalFilename: 'csi.exe' - - OriginalFilename: 'rcsi.exe' + - OriginalFileName: 'csi.exe' + - OriginalFileName: 'rcsi.exe' selection: Company: 'Microsoft Corporation' condition: (basic or renamed) and selection From f07c368ae0e841808c139c03aa72767c44718f14 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 May 2021 11:18:01 +0200 Subject: [PATCH 106/254] Correct cast-sensitive Key "OriginalFileName" --- rules/windows/process_creation/win_susp_renamed_debugview.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml index dcab5bd63..f421c1cd6 100644 --- a/rules/windows/process_creation/win_susp_renamed_debugview.yml +++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml @@ -15,7 +15,7 @@ detection: - 'Sysinternals DebugView' - 'Sysinternals Debugview' filter: - OriginalFilename: 'Dbgview.exe' + OriginalFileName: 'Dbgview.exe' Image|endswith: '\Dbgview.exe' condition: selection and not filter falsepositives: From 48487385ef9acab85373f1397ea995408cd5d3a4 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 11 May 2021 19:17:32 +0545 Subject: [PATCH 107/254] Preserved creation date --- rules/windows/process_creation/win_advanced_ip_scanner.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_advanced_ip_scanner.yml b/rules/windows/process_creation/win_advanced_ip_scanner.yml index 6468eaaaf..a62d72602 100644 --- a/rules/windows/process_creation/win_advanced_ip_scanner.yml +++ b/rules/windows/process_creation/win_advanced_ip_scanner.yml @@ -10,7 +10,8 @@ references: - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer author: '@ROxPinTeddy' -date: 2021/05/10 +date: 2020/05/12 +modified: 2021/05/11 tags: - attack.discovery - attack.t1046 From 026320f613d9d682af21547ca773c26fc1ccfc3e Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:36:42 +0200 Subject: [PATCH 108/254] registry_event is a category --- .../sysmon_sysinternals_sdelete_registry_keys.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml index 5a0e5fb05..ea6a92f21 100644 --- a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml @@ -3,6 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. status: experimental date: 2020/05/02 +modified: 2021/05/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion @@ -12,7 +13,7 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html logsource: product: windows - service: registry_event + category: registry_event detection: selection: TargetObject|contains: '\Software\Sysinternals\SDelete' 
From 70a5c8bb5f7f78be1bd2601dec61202c803c47c4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:51:38 +0200 Subject: [PATCH 109/254] registry_event is a category --- .../registry_event/sysmon_registry_add_local_hidden_user.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml index 61841f9bc..0b9558835 100644 --- a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml +++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -3,6 +3,7 @@ id: 460479f3-80b7-42da-9c43-2cc1d54dbccd description: Sysmon registry detection of a local hidden user account. status: experimental date: 2021/05/03 +modified: 2021/05/12 author: Christian Burkard tags: - attack.persistence @@ -11,7 +12,7 @@ references: - https://twitter.com/SBousseaden/status/1387530414185664538 logsource: product: windows - service: registry_event + category: registry_event detection: selection: TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\' From cf0a710b4d89337612a7a1f3ccbba7d4ccf00916 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:55:35 +0200 Subject: [PATCH 110/254] process_creation is a category --- rules/windows/process_creation/win_susp_wuauclt.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 55659f9a0..9d36bc717 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,6 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 +modified: 2021/05/12 tags: - attack.command_and_control - attack.execution 
@@ -13,7 +14,7 @@ tags: - attack.t1218 logsource: product: windows - service: process_creation + category: process_creation detection: selection: ProcessCommandLine|contains|all: From ecc0fcb082ca42491dac0a043a0c010927f1c908 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:57:57 +0200 Subject: [PATCH 111/254] process_creation is a category --- rules/windows/process_creation/win_susp_adfind.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index eca94458b..831fefe48 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -8,7 +8,7 @@ references: - https://thedfirreport.com/2020/05/08/adfind-recon/ author: FPT.EagleEye Team, omkar72, oscd.community date: 2020/09/26 -modified: 2020/10/11 +modified: 2021/05/12 tags: - attack.discovery - attack.t1018 @@ -17,7 +17,7 @@ tags: - attack.t1069.002 logsource: product: windows - service: process_creation + category: process_creation detection: selection: CommandLine|contains: From fa72242ff07b7081c98ea1d2b466a4569f6dc650 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:59:51 +0200 Subject: [PATCH 112/254] image_load is a category --- rules/windows/image_load/sysmon_susp_python_image_load.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_susp_python_image_load.yml b/rules/windows/image_load/sysmon_susp_python_image_load.yml index d5fa64cb8..ba7f3d7d4 100644 --- a/rules/windows/image_load/sysmon_susp_python_image_load.yml +++ b/rules/windows/image_load/sysmon_susp_python_image_load.yml 
@@ -3,6 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. status: experimental date: 2020/05/03 +modified: 2021/05/12 author: Patrick St. John, OTR (Open Threat Research) tags: - attack.defense_evasion @@ -12,7 +13,7 @@ references: - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ logsource: product: windows - service: image_load + category: image_load detection: selection: Description: 'Python Core' From 0fd8606e0083b8fcbb6164b6d97ad7a888b42f6c Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 09:02:04 +0200 Subject: [PATCH 113/254] image_load is a category --- .../sysmon_alternate_powershell_hosts_moduleload.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml index 63f5efe97..a3dc360ed 100644 --- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml @@ -3,6 +3,7 @@ id: fe6e002f-f244-4278-9263-20e4b593827f description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/09/12 +modified: 2021/05/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -11,7 +12,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html logsource: product: windows - service: image_load + category: image_load detection: selection: Description: 'system.management.automation' From cccfb3e59e6ef9201a139375cda1a9295a6fd1a6 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Wed, 12 May 2021 09:05:52 +0200 Subject: [PATCH 114/254] file_event is a category --- rules/windows/builtin/win_moriya_rootkit.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 2458d0c93..70636d9fa 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -5,6 +5,7 @@ description: Detects the use of Moriya rootkit as described in the securelist's status: experimental author: Bhabesh Raj date: 2021/05/06 +modified: 2021/05/12 level: critical falsepositives: - None @@ -26,7 +27,7 @@ detection: --- logsource: product: windows - service: file_event + category: file_event detection: selection: TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' From 8944ccea04c6548541cef62b84b5d1728d3f2c7e Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 13 May 2021 06:19:04 +0200 Subject: [PATCH 115/254] Modified some field values for case sensitive backends (SQL) --- .../sysmon_alternate_powershell_hosts_moduleload.yml | 4 ++-- .../image_load/sysmon_powershell_execution_moduleload.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml index 63f5efe97..da11d28d9 100644 --- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml 
@@ -14,8 +14,8 @@ logsource: service: image_load detection: selection: - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' + Description: 'System.Management.Automation' + ImageLoaded|contains: 'System.Management.Automation' filter: Image|endswith: '\powershell.exe' condition: selection and not filter diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml index b0d0303f9..bb3cbec63 100755 --- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml +++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' + Description: 'System.Management.Automation' + ImageLoaded|contains: 'System.Management.Automation' condition: selection fields: - ComputerName From 5e99379803821d3088b3a4eb227c54a1111d368f Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 13 May 2021 15:01:52 +0200 Subject: [PATCH 116/254] Change to have raw log in rule results with SQL/SQlite Backends --- tools/sigma/backends/sql.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index 077de1bbc..bc55a1ba1 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -1,6 +1,7 @@ # Output backends for sigmac # Copyright 2019 Jayden Zheng # Copyright 2020 Jonas Hagg +# Copyright 2021 wagga (https://github.com/wagga40/) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by 
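Review bot: The hunk header context shows `service: image_load`, which patch 113 in this same series already changed to `category: image_load` in the same file (index `63f5efe97` is the pre-113 blob), so this change was made against an older tree and will conflict or regress the category fix on merge. Rebasing before merge, and stating in the commit message that only the casing of `System.Management.Automation` is intended to change, would avoid the regression.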
@@ -169,10 +170,10 @@ class SQLBackend(SingleTextQueryBackend): group_by = "" if agg.aggfield: - select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) + select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) else: if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: - select = "{}(*) AS agg".format(agg.aggfunc_notrans) + select = "*,{}(*) AS agg".format(agg.aggfunc_notrans) else: raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans)) From 972f7a562b7fea4a9649f1b0189a0c427cc3f989 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 13 May 2021 17:51:54 +0200 Subject: [PATCH 117/254] Updated SQL/SQLite backend tests --- tools/tests/test_backend_sql.py | 18 +++++++++--------- tools/tests/test_backend_sqlite.py | 6 +++--- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tools/tests/test_backend_sql.py b/tools/tests/test_backend_sql.py index b4bd82026..b30da675d 100644 --- a/tools/tests/test_backend_sql.py +++ b/tools/tests/test_backend_sql.py @@ -125,7 +125,7 @@ class TestGenerateQuery(unittest.TestCase): # count detection = {"selection": {"fieldname": "test"}, "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {} WHERE fieldname = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) 
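Review bot: Prefixing `*,` to both aggregate `select` strings breaks the grouped form: when a group-by field is set (`group_by` is initialised just above the hunk), the generated query becomes `SELECT *,sum(x) AS agg … GROUP BY f`, which SQLite tolerates but PostgreSQL, and MySQL in `ONLY_FULL_GROUP_BY` mode, reject because non-grouped columns appear without an aggregate. The raw-row output the commit wants is only well-defined for the ungrouped case, so derive the prefix once — `"*,"` when no group-by field is present, `""` otherwise — and use it in both branches, or select the group-by field(s) instead of `*` in the grouped case. The enclosing method begins and ends outside this hunk, so the final query assembly and the tests' expectations are not visible here.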
@@ -133,7 +133,7 @@ class TestGenerateQuery(unittest.TestCase): # min detection = {"selection": {"fieldname1": "test"}, "condition": "selection | min(fieldname2) > 5"} - inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -141,7 +141,7 @@ class TestGenerateQuery(unittest.TestCase): # max detection = {"selection": {"fieldname1": "test"}, "condition": "selection | max(fieldname2) > 5"} - inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -149,7 +149,7 @@ class TestGenerateQuery(unittest.TestCase): # avg detection = {"selection": {"fieldname1": "test"}, "condition": "selection | avg(fieldname2) > 5"} - inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -157,7 +157,7 @@ class TestGenerateQuery(unittest.TestCase): # sum detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) > 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) 
@@ -165,7 +165,7 @@ class TestGenerateQuery(unittest.TestCase): # < detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) < 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query) self.validate(detection, expected_result) @@ -173,7 +173,7 @@ class TestGenerateQuery(unittest.TestCase): # == detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) @@ -181,7 +181,7 @@ class TestGenerateQuery(unittest.TestCase): # group by detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) by fieldname3 == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) 
@@ -189,7 +189,7 @@ class TestGenerateQuery(unittest.TestCase): # multiple conditions detection = {"selection": {"fieldname1": "test"}, "filter": { "fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) diff --git a/tools/tests/test_backend_sqlite.py b/tools/tests/test_backend_sqlite.py index ac7647739..294a59de2 100644 --- a/tools/tests/test_backend_sqlite.py +++ b/tools/tests/test_backend_sqlite.py @@ -71,14 +71,14 @@ class TestFullTextSearch(unittest.TestCase): # aggregation with fts detection = {"selection": ["test"], "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) detection = {"selection": ["test1", "test2"], "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) 
@@ -86,7 +86,7 @@ class TestFullTextSearch(unittest.TestCase): # aggregation + group by + fts detection = {"selection": ["test1", "test2"], "condition": "selection | count() by fieldname > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) From 534898a3ce785898da8675fc2de2b5ef61490062 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 13 May 2021 21:47:22 +0200 Subject: [PATCH 118/254] Resolves #1450 - Bug in es-rule backend when using "-r" argument --- tools/sigma/backends/elasticsearch.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index a60c8cc3a..1c1d5e91c 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1381,6 +1381,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): rule.update({"threshold": self.rule_threshold}) if references: rule.update({"references": references}) + self.rule_type = "query" + self.rule_threshold = {} return json.dumps(rule) class KibanaNdjsonBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin): From 3cf1be9e8da97ce2eaf1b83517d4b5703f5d78ee Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 14 May 2021 10:08:41 +0200 Subject: [PATCH 119/254] rule: exchange vulnerability CVE-2021-28480 --- .../web/web_expl_exchange_cve_2021_28480.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/web/web_expl_exchange_cve_2021_28480.yml diff --git a/rules/web/web_expl_exchange_cve_2021_28480.yml b/rules/web/web_expl_exchange_cve_2021_28480.yml new file mode 100644 index 000000000..62cd6efd5 
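Review bot: The expected inner query `SELECT *,count(*) AS agg ... GROUP BY fieldname` leans on SQLite's bare-column extension: with GROUP BY, the `*` columns come from an arbitrary row of each group, and the same statement is rejected by most other SQL engines. That is acceptable for a SQLite-specific backend, but the test should say so, e.g. `# SQLite bare-column semantics: '*' is taken from an arbitrary row of each group` above the expectation, so a later port to another dialect does not copy the shape blindly. The test method continues outside the hunk.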
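Review bot: Resetting `self.rule_type` and `self.rule_threshold` after the rule dict is built only works when this line is reached; if anything between the aggregation handling and this point raises, the stale threshold leaks into the next rule processed under `-r`, which is the bug the commit is fixing. A per-rule reset belongs at the start of the rule-building path rather than its end, or the two lines should sit in a `finally:` around the build. The enclosing method starts outside the hunk, so where `rule_threshold` is populated is inferred.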
--- /dev/null +++ b/rules/web/web_expl_exchange_cve_2021_28480.yml @@ -0,0 +1,23 @@ +title: Exchange Exploitation CVE-2021-28480 +id: a2a9d722-0acb-4096-bccc-daaf91a5037b +status: experimental +description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480 +references: + - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20 +author: Florian Roth +date: 2021/05/14 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + c-uri|contains: '/owa/calendar/a' + cs-method: 'POST' + filter: + sc-status: 503 + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file From e4a1ce4498ed0445449b1cefb9297cc3b9e3de2f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 14 May 2021 17:34:52 +0200 Subject: [PATCH 120/254] rule: ngrok rdp port exposure --- .../process_creation/win_susp_ngrok_pua.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_ngrok_pua.yml diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml new file mode 100644 index 000000000..f27744e72 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml 
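Review bot: The `filter` only excludes `sc-status: 503`, so a POST to `/owa/calendar/a...` answered with 401, 404 or 500 still fires at `level: critical`, which contradicts the description's claim of detecting successful exploitation. Unless the referenced tweet ties success to a specific status, either broaden the filter to everything outside 2xx/3xx (e.g. `sc-status|startswith: ['4', '5']` where the backend stores the status as a string) or rename the rule to an exploitation attempt and lower the level. `falsepositives: Unknown` should also state that unauthenticated scanners probing OWA will match on the URI prefix alone.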
@@ -0,0 +1,24 @@ +title: Ngrok RDP Exposure Pattern +id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 +description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected RDP service publicly available +status: experimental +references: + - https://ngrok.com/docs + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp +author: Florian Roth +date: 2021/05/14 +tags: + - attack.command_and_control + - attack.t1572 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - ' tcp 3389' + condition: selection +falsepositives: + - Another tool that uses the command line switches of Ngrok +level: high From a655c5c1a0daf5c07a7851769adc579273472f33 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 14 May 2021 17:44:53 +0200 Subject: [PATCH 121/254] update ngrok rule --- .../process_creation/win_susp_ngrok_pua.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml index f27744e72..d67b98750 100644 --- a/rules/windows/process_creation/win_susp_ngrok_pua.yml +++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml 
@@ -1,11 +1,12 @@ -title: Ngrok RDP Exposure Pattern +title: Ngrok Usage id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 -description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected RDP service publicly available +description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available status: experimental references: - https://ngrok.com/docs - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp + - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection author: Florian Roth date: 2021/05/14 tags: @@ -15,10 +16,16 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: CommandLine|contains: - ' tcp 3389' - condition: selection + selection2: + CommandLine|contains|all: + - ' start ' + - '--all' + - '--config' + - '.yml' + condition: 1 of them falsepositives: - Another tool that uses the command line switches of Ngrok level: high From 48757423efd2f5654c75a3c7f0094656d63c94bf Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 14 May 2021 18:06:53 +0200 Subject: [PATCH 122/254] rule darkside patterns --- rules/windows/malware/win_mal_darkside.yml | 28 ++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/malware/win_mal_darkside.yml diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml new file mode 100644 index 000000000..bd71ca991 --- /dev/null +++ b/rules/windows/malware/win_mal_darkside.yml 
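Review bot: `selection1` still matches any process whose command line contains ` tcp 3389`, with nothing tying it to ngrok, so any diagnostic or scripting tool that takes `tcp 3389` as arguments fires at `level: high`. If the intent is to keep renamed ngrok binaries in scope (so `Image|endswith: '\ngrok.exe'` is deliberately not used), say so in the description and list such tools under `falsepositives`, and note that a tunnel to a non-default RDP port (`tcp 3390`) is not covered by `selection1` at all. `selection2` (`start --all --config *.yml`) is the more specific pattern and could carry a comment like `# ngrok start --all --config <file>.yml: launches every tunnel defined in the config` so readers know what it encodes.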
@@ -0,0 +1,28 @@ +title: DarkSide Ransomware Pattern +id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c +author: Florian Roth +date: 2021/05/14 +description: Detects DarkSide Ransomware and helpers +status: experimental +references: + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/ + - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains: + - "=[char][byte]('0x'+" + - ' -work worker0 -path ' + selection2: + ParentCommandLine|contains: + - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + Image|contians: + - '\AppData\Local\Temp\' + condition: 1 of them +falsepositives: + - Unknown + - UAC bypass method used by other malware +level: critical From 526ab4f707c4f56dc4eb540d58c2bfc0e7cfb066 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 15 May 2021 13:02:49 +0200 Subject: [PATCH 123/254] feat: trademark test case --- tests/test_rules.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index 160c98dfa..9fc340ccc 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -17,6 +17,8 @@ from colorama import Fore class TestRules(unittest.TestCase): MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"] + # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules + TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"} path_to_rules = "rules" 
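Review bot: With `condition: 1 of them`, `selection2` alone raises a critical "DarkSide Ransomware Pattern" alert, yet the `DllHost.exe /Processid:{3E5FC7F9-...}` parent plus an image under `\AppData\Local\Temp\` is the generic CMSTPLUA UAC-bypass shape that `falsepositives` itself concedes other malware uses. Split `selection2` into its own rule (e.g. "UAC Bypass via CMSTPLUA COM Interface" at `level: high`) and keep this rule for the DarkSide-specific command-line strings in `selection1`, so the rule name matches what actually fired. The `Image|contians` typo is fixed in a later commit in this series.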
@@ -58,6 +60,19 @@ class TestRules(unittest.TestCase): self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + "There are rule files with extensions other than .yml") + def test_legal_trademark_violations(self): + files_with_legal_issues = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + with open(file, 'r') as fh: + file_data = fh.read() + for tm in self.TRADE_MARKS: + if tm in file_data: + files_with_legal_issues.append(file) + + self.assertEqual(files_with_legal_issues, [], Fore.RED + + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + def test_confirm_correct_mitre_tags(self): files_with_incorrect_mitre_tags = [] From 02bf32ce6cf46399ccb284cc58801ffb8877e704 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 15 May 2021 13:09:08 +0200 Subject: [PATCH 124/254] fixed more legal issues --- .../silenttrinity_stager_msbuild_activity.yml | 2 +- tests/test_rules.py | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml index 124148c19..ab68f0b04 100644 --- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml @@ -4,7 +4,7 @@ description: Detects a possible remote connections to Silenttrinity c2 references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ tags: - - attack.execution # example MITRE ATT&CK category + - attack.execution - attack.t1127.001 status: experimental author: Kiran kumar s, oscd.community diff --git a/tests/test_rules.py b/tests/test_rules.py index 9fc340ccc..9849bbdd0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
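Review bot: `test_legal_trademark_violations` appends `file` once per matching term, and because `"ATT&CK"` is a substring of `"MITRE ATT&CK"` every offending file appears twice in the failure list. Use `if any(tm in file_data for tm in self.TRADE_MARKS): files_with_legal_issues.append(file)` (or `break` after the append). `open(file, 'r')` also inherits the locale encoding; pass `encoding='utf-8'` so a rule containing non-ASCII text fails as a trademark finding rather than with a decode error.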
@@ -372,9 +372,10 @@ class TestRules(unittest.TestCase): for key in logsource: if key.lower() not in ['category', 'product', 'service', 'definition']: print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) + def get_mitre_data(): """ - Generate tags from live MITRE ATT&CK® TAXI service to get up-to-date data + Generate tags from live TAXI service to get up-to-date data """ # Get ATT&CK information lift = attack_client() From 9b32e72d0bbd84f044644000400ca1501a393e4c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 15 May 2021 13:19:12 +0200 Subject: [PATCH 125/254] fix: syntax issue --- rules/windows/malware/win_mal_darkside.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml index bd71ca991..26d609be4 100644 --- a/rules/windows/malware/win_mal_darkside.yml +++ b/rules/windows/malware/win_mal_darkside.yml @@ -19,7 +19,7 @@ detection: selection2: ParentCommandLine|contains: - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - Image|contians: + Image|contains: - '\AppData\Local\Temp\' condition: 1 of them falsepositives: From a788cd43eea81eac27546ae9a6fc60b5c0b50eb4 Mon Sep 17 00:00:00 2001 From: SomeOne Date: Sun, 16 May 2021 14:10:33 +0200 Subject: [PATCH 126/254] Add Windows Defender on WL --- rules/windows/process_access/sysmon_cred_dump_lsass_access.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index ab1bd80de..dfaf68fcc 100755 --- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml 
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2020/08/24 +modified: 2021/05/16 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -44,6 +44,7 @@ detection: - '\procexp64.exe' - '\procexp.exe' - '\lsm.exe' + - '\MsMpEng.exe' - '\csrss.exe' - '\wininit.exe' - '\vmtoolsd.exe' From 53b21d1afe06eb637cc74b852e9b17cc9bbe43ed Mon Sep 17 00:00:00 2001 From: SomeOne Date: Sun, 16 May 2021 15:03:58 +0200 Subject: [PATCH 127/254] Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule --- rules/windows/other/win_tool_psexec.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 76f9deda4..3dee48d03 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -5,7 +5,7 @@ status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke date: 2017/06/12 -modified: 2020/08/23 +modified: 2021/05/16 references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet @@ -22,6 +22,8 @@ fields: - ParentCommandLine - ServiceName - ServiceFileName + - TargetFileName + - PipeName falsepositives: - unknown level: low 
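Review bot: Allow-listing `'\MsMpEng.exe'` by image-name suffix means any binary named MsMpEng.exe, dropped anywhere on disk, is excluded from LSASS-access alerting, and Defender's engine is an obvious name for a credential dumper to borrow. Tie the exclusion to the install location instead, e.g. a `|startswith` entry for `'C:\ProgramData\Microsoft\Windows Defender\Platform\'` (and `'C:\Program Files\Windows Defender\'` for older builds). The filter block this list belongs to starts outside the hunk, so the exact field it keys on is inferred.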
@@ -45,3 +47,17 @@ detection: sysmon_processcreation: Image|endswith: '\PSEXESVC.exe' User: 'NT AUTHORITY\SYSTEM' +--- +logsource: + category: pipe_created + product: windows +detection: + sysmon_pipecreated: + PipeName: '\PSEXESVC' +--- +logsource: + category: file_event + product: windows +detection: + sysmon_filecreation: + TargetFileName|endswith: '\PSEXESVC.exe' From a93acbbe03020b0518608293031ba580be3a09f4 Mon Sep 17 00:00:00 2001 From: SomeOne Date: Sun, 16 May 2021 15:23:31 +0200 Subject: [PATCH 128/254] Exclude dism.exe --- rules/windows/file_event/sysmon_creation_system_file.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml index 386636a0c..7406f4e73 100755 --- a/rules/windows/file_event/sysmon_creation_system_file.yml +++ b/rules/windows/file_event/sysmon_creation_system_file.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the creation of a executable with a system process name in a suspicious folder author: Sander Wiebing date: 2020/05/26 -modified: 2020/08/23 +modified: 2021/05/16 tags: - attack.defense_evasion - attack.t1036 # an old one @@ -48,6 +48,8 @@ detection: - 'C:\Windows\winsxs\' - 'C:\Windows\WinSxS\' - '\SystemRoot\System32\' + Image|endswith: + - '\Windows\System32\dism.exe' condition: selection and not filter fields: - Image From e46ae5a28c2041b0ca3c76e5d1c5971b32e4f004 Mon Sep 17 00:00:00 2001 From: SomeOne Date: Sun, 16 May 2021 16:03:33 +0200 Subject: [PATCH 129/254] Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution rule --- .../process_access/sysmon_in_memory_assembly_execution.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 615b10461..50b71bbea 100755 
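Review bot: The new file_event document uses `TargetFileName|endswith`, while Sysmon emits the field as `TargetFilename` (lower-case n) and that is the spelling other file_event rules in this repository use; field names are case-sensitive in most backends, so if the mapping only knows `TargetFilename` this detection is emitted verbatim and never matches. Change to `TargetFilename|endswith: '\PSEXESVC.exe'` and align the `fields:` entry. Both new documents also cover only the default service name; PsExec's `-r` switch renames the service, pipe and binary, which deserves a line in the description so analysts know the coverage limit.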
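Review bot: If `Image|endswith` is added as a second key inside the existing `filter` map (the collapsed indentation makes this the likely reading), Sigma ANDs the keys of one map, so the filter now only suppresses system-path creations when the creating image is dism.exe — every other legitimate write of a system-named executable under `C:\Windows\winsxs\` etc. starts alerting, and dism.exe writing elsewhere is still not excluded. Give it its own selection, `filter_dism:` with `Image|endswith: '\Windows\System32\dism.exe'`, and use `condition: selection and not 1 of filter*`. Since this rule is about masquerading, anchoring the exclusion to the full path `'C:\Windows\System32\dism.exe'` is also safer than a suffix.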
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml @@ -7,7 +7,7 @@ description: Detects the access to processes by other suspicious processes which routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental date: 2019/10/27 -modified: 2020/08/24 +modified: 2021/05/16 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ @@ -44,7 +44,10 @@ detection: - "0x1F2FFF" - "0x1F3FFF" - "0x1FFFFF" - condition: (selection1 or selection2) or (selection3 and granted_access) + filter: + SourceImage|endswith: + - '\Windows\System32\sdiagnhost.exe' + condition: (selection1 or selection2) or (selection3 and granted_access) and not filter fields: - ComputerName - User From 56e3a6aaf3c010f3cbc100ee0b4df9e4e49ecbe6 Mon Sep 17 00:00:00 2001 From: V1D1AN Date: Sun, 16 May 2021 22:53:25 +0200 Subject: [PATCH 130/254] Update ecs-zeek-elastic-beats-implementation.yml --- tools/config/ecs-zeek-elastic-beats-implementation.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/config/ecs-zeek-elastic-beats-implementation.yml b/tools/config/ecs-zeek-elastic-beats-implementation.yml index ac9b8a45c..c79b4e892 100644 --- a/tools/config/ecs-zeek-elastic-beats-implementation.yml +++ b/tools/config/ecs-zeek-elastic-beats-implementation.yml @@ -3,6 +3,7 @@ order: 20 backends: - es-qs - es-dsl + - es-rule - elasticsearch-rule - kibana - kibana-ndjson @@ -1016,4 +1017,4 @@ fieldmappings: - host - server_name dest_ip: destination.ip - dest_port: destination.port \ No newline at end of file + dest_port: destination.port From e921181f4b392bae47b052d28f2c402c21843803 Mon Sep 17 00:00:00 2001 
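Review bot: In `condition: (selection1 or selection2) or (selection3 and granted_access) and not filter`, `and` binds tighter than `or`, so `not filter` applies only to the `selection3 and granted_access` branch; a `sdiagnhost.exe` source matching `selection1` or `selection2` still alerts. Parenthesise the whole match: `condition: ((selection1 or selection2) or (selection3 and granted_access)) and not filter`. A suffix filter on `SourceImage` is also satisfied by any process named sdiagnhost.exe placed elsewhere; `SourceImage: 'C:\Windows\System32\sdiagnhost.exe'` is tighter.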
From: Darin Smith Date: Mon, 17 May 2021 13:00:01 -0700 Subject: [PATCH 131/254] Add AWS snapshot exfiltration rule --- .../aws_snapshot_backup_exfiltration.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/aws_snapshot_backup_exfiltration.yml diff --git a/rules/cloud/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws_snapshot_backup_exfiltration.yml new file mode 100644 index 000000000..e2f5b9e81 --- /dev/null +++ b/rules/cloud/aws_snapshot_backup_exfiltration.yml @@ -0,0 +1,24 @@ +title: AWS Snapshot Backup Exfiltration +id: abae8fec-57bd-4f87-aff6-6e3db989843d +status: test +description: Detects the modification of an EC2 snapshot's permissions to enable access from another account +author: Darin Smith +date: 2021/05/17 +references: + - https://www.justice.gov/file/1080281/download + - https://attack.mitre.org/techniques/T1537/ +logsource: + service: cloudtrail +detection: + selection_source: + - eventSource: cloudtrail.amazonaws.com + events: + - eventName: + - ModifySnapshotAttribute + condition: selection_source AND events +falsepositives: + - Valid change to a snapshot's permissions +level: medium +tags: + - attack.exfiltration + - attack.t1537 From 3b23c18f70d5d30d3ea2b338f175b8eb22626e63 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 17 May 2021 22:12:17 +0200 Subject: [PATCH 132/254] If not null use uuid instead of title for the rule id --- tools/sigma/backends/elasticsearch.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 1c1d5e91c..248640066 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
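Review bot: `eventSource: cloudtrail.amazonaws.com` is wrong for this API: `ModifySnapshotAttribute` is an EC2 call and CloudTrail records it with `eventSource: ec2.amazonaws.com`, so as written the rule can never match. Use `eventSource: ec2.amazonaws.com` and narrow to the sharing case, since removing a permission also fires: `requestParameters.attributeType: createVolumePermission` together with an `add` entry (exact field paths depend on the CloudTrail field mapping in use). `condition: selection_source AND events` should also use lower-case `and`; Sigma's condition grammar is lower-case and an upper-case keyword may be rejected by the parser.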
@@ -1346,7 +1346,11 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): tactics_list.append(tact) threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list) rule_name = configs.get("title", "").lower() - rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name) + rule_uuid = configs.get("id", "").lower() + if rule_uuid == "": + rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name) + else: + rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid) risk_score = self.map_risk_score(configs.get("level", "medium")) references = configs.get("reference") if references is None: From a36bc55b0697aca9f2d5105b9b0950c34ed7da5e Mon Sep 17 00:00:00 2001 From: Sven Scharmentke Date: Tue, 18 May 2021 12:07:09 +0200 Subject: [PATCH 133/254] Updated uberAgent backend to support version 6.1. --- tools/sigma/backends/uberagent.py | 149 ++++++++++++++++++++++++++---- 1 file changed, 132 insertions(+), 17 deletions(-) diff --git a/tools/sigma/backends/uberagent.py b/tools/sigma/backends/uberagent.py index 569675091..682e91161 100644 --- a/tools/sigma/backends/uberagent.py +++ b/tools/sigma/backends/uberagent.py @@ -34,7 +34,8 @@ def convert_sigma_name_to_uberagent_tag(name): def convert_sigma_category_to_uberagent_event_type(category): categories = { "process_creation": "Process.Start", - "image_load": "Image.Load" + "image_load": "Image.Load", + "dns": "Dns.Query" } if category in categories: @@ -48,6 +49,14 @@ def is_sigma_category_supported(category): return convert_sigma_category_to_uberagent_event_type(category) is not None +class IgnoreTypedModifierException(Exception): + """ + IgnoreTypedModifierException + Helper class to ignore exceptions of type identifiers that are not yet supported. + """ + pass + + class IgnoreFieldException(Exception): """ IgnoreFieldException 
@@ -56,6 +65,13 @@ class IgnoreFieldException(Exception): pass +class IgnoreAggregationException(Exception): + """ + IgnoreAggregationException + Helper class to ignore exceptions of aggregation rules that are not yet supported. + """ + + class MalformedRuleException(Exception): """ MalformedRuleException @@ -79,6 +95,46 @@ class ActivityMonitoringRule: self.description = "" self.sigma_level = "" + # Specifies the properties that are being evaluated and send to the backend + # if an Activity Monitoring rule is matched. + self.generic_properties = { + "Process.": [ + "Process.Hash.MD5", + "Process.Hash.SHA1", + "Process.Hash.SHA256", + "Process.Hash.IMP" + ], + "Image.": [ + "Image.Name", + "Image.Path", + "Image.Hash.MD5", + "Image.Hash.SHA1", + "Image.Hash.SHA256", + "Image.Hash.IMP" + ], + "Net.": [ + "Net.Target.Ip", + "Net.Target.Name", + "Net.Target.Port", + "Net.Target.Protocol" + ], + "Reg.": [ + "Reg.Key.Path", + "Reg.Key.Path.New", + "Reg.Key.Path.Old" + "Reg.Key.Name", + "Reg.Parent.Key.Path", + "Reg.Value.Name", + "Reg.File.Name", + "Reg.Key.Sddl", + "Reg.Key.Hive", + ], + "Dns.": [ + "Dns.QueryRequest", + "Dns.QueryResponse" + ] + } + def set_query(self, query): """Sets the generated query.""" self.query = query @@ -148,6 +204,18 @@ class ActivityMonitoringRule: result += "RiskScore = {}\n".format(self.risk_score) result += "Query = {}\n".format(self.query) + + counter = 1 + for event_type_prefix in self.generic_properties: + if self.event_type.startswith(event_type_prefix): + for prop in self.generic_properties[event_type_prefix]: + # Generic properties are limited to 10. + if counter > 10: + break + + result += "GenericProperty{} = {}\n".format(counter, prop) + counter += 1 + return result @@ -190,6 +258,7 @@ class uberAgentBackend(SingleTextQueryBackend): active = True config_required = False rule = None + current_category = None # # SingleTextQueryBackend 
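Review bot: In `generic_properties["Reg."]` the entry `"Reg.Key.Path.Old"` has no trailing comma, so implicit string concatenation produces the single bogus property `"Reg.Key.Path.OldReg.Key.Name"` and the list silently loses an element. Add the comma: `"Reg.Key.Path.Old",` / `"Reg.Key.Name",`. The `counter > 10` cut-off in the serializer is the only place the limit is visible; a comment like `# uberAgent accepts at most 10 GenericProperty entries per rule` next to the lists would stop a future addition from being truncated without notice.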
@@ -201,8 +270,8 @@ class uberAgentBackend(SingleTextQueryBackend): listExpression = "[%s]" listSeparator = ", " valueExpression = "\"%s\"" - nullExpression = "is null" - notNullExpression = "is not null" + nullExpression = "%s == ''" + notNullExpression = "%s != ''" mapExpression = "%s == %s" mapListsSpecialHandling = True mapListValueExpression = "%s in %s" @@ -229,7 +298,31 @@ class uberAgentBackend(SingleTextQueryBackend): "command": "Process.CommandLine", "processname": "Process.Name", "user": "Process.User", - "username": "Process.User" + "username": "Process.User", + "company": "Process.Company" + } + + fieldMappingPerCategory = { + "process_creation": { + "sha1": "Process.Hash.SHA1", + "imphash": "Process.Hash.IMP", + "childimage": "Process.Path" + # Not yet supported. + # "signed": "Process.IsSigned" + }, + "image_load": { + "sha1": "Image.Hash.SHA1", + "imphash": "Image.Hash.IMP", + "childimage": "Image.Path" + # Not yet supported. + # "signed": "Image.IsSigned" + }, + "dns": { + "query": "Dns.QueryRequest", + # Not yet supported. + # "record_type": "Dns.QueryResponseType", + "answer": "Dns.QueryResponse" + } } # We ignore some fields that we don't support yet but we don't want them to @@ -240,19 +333,25 @@ class uberAgentBackend(SingleTextQueryBackend): "logonid", "integritylevel", "currentdirectory", - "company", "parentintegritylevel", - "sha1", "eventid", "parentuser", - "imphash" + "parent_domain", + "signed", + "parentofparentimage", + "record_type" ] rules = [] def fieldNameMapping(self, fieldname, value): - """Maps field names to uberAgent field names.""" key = fieldname.lower() + + if self.current_category is not None: + if self.current_category in self.fieldMappingPerCategory: + if key in self.fieldMappingPerCategory[self.current_category]: + return self.fieldMappingPerCategory[self.current_category][key] + if key not in self.fieldMapping: if key in self.ignoreFieldList: raise IgnoreFieldException() 
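Review bot: `fieldNameMapping` lost its docstring while gaining category-specific precedence; restore it as `"""Map a Sigma field to an uberAgent field; per-category mappings win over the global table, unsupported fields raise IgnoreFieldException."""`. Separately, `nullExpression = "%s == ''"` treats a Sigma `null` as an empty string — if uberAgent distinguishes an absent property from an empty one, rules written with `field: null` change meaning; state the assumption next to it, e.g. `# uberAgent has no null; Sigma null/not-null is rendered as empty/non-empty string — TODO confirm`.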
@@ -261,18 +360,26 @@ class uberAgentBackend(SingleTextQueryBackend): return self.fieldMapping[key] + def generateQuery(self, parsed): + if parsed.parsedAgg: + raise IgnoreAggregationException() + + return self.generateNode(parsed.parsedSearch) + def generate(self, sigmaparser): """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" product, category, service, title, level, condition, description = get_parser_properties(sigmaparser) - if product not in ["windows"]: - return "" # Do not generate a rule if the given category is unsupported by now. if not is_sigma_category_supported(category): return "" - if category not in ["process_creation", "image_load"]: + + # We support windows rules and generic rules that don't have a specific product specifier - such as DNS. + if product not in ["windows", ""]: return "" + self.current_category = category + try: rule = ActivityMonitoringRule() @@ -287,6 +394,10 @@ class uberAgentBackend(SingleTextQueryBackend): rule.set_description(description) self.rules.append(rule) print("Generated rule <{}>.. [level: {}]".format(rule.name, level)) + except IgnoreTypedModifierException: + return "" + except IgnoreAggregationException: + return "" except IgnoreFieldException: return "" except MalformedRuleException: 
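Review bot: `generate()` now admits rules whose product is `""`, but if `get_parser_properties` (outside the hunk) returns `None` when `logsource` has no `product`, DNS rules without a product are still skipped by `product not in ["windows", ""]`; normalise first with `product = product or ""` or test `product in ("windows", "", None)`. `self.current_category` is also assigned before the `try:` and never cleared, so a failure path leaves the previous rule's category in place for any later call into `fieldNameMapping`; set it inside the `try` and reset it in a `finally:`.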
@@ -313,16 +424,17 @@ class uberAgentBackend(SingleTextQueryBackend): count_low = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-low.conf", "low") count_medium = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-medium.conf", "medium") print("Generated {} activity monitoring rules..".format(len(self.rules))) - print("This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical, count_high, count_medium, count_low)) + print( + "This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical, + count_high, + count_medium, + count_low)) def generateTypedValueNode(self, node): - raise NotImplementedError("Default implementation for identifier {} not available.".format(node.identifier)) + raise IgnoreTypedModifierException() def generateMapItemTypedNode(self, fieldname, value): - try: - return self.typedValueExpression[type(value)] % (fieldname, str(value)) - except KeyError: - raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) + raise IgnoreTypedModifierException() def generateMapItemListNode(self, key, value): return "(" + (" or ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")" @@ -331,6 +443,9 @@ class uberAgentBackend(SingleTextQueryBackend): fieldname, value = node transformed_fieldname = self.fieldNameMapping(fieldname, value) + if value is None: + return self.nullExpression % (transformed_fieldname,) + has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value)) if "," in self.generateNode(value) and not has_wildcard: From 1cf7bb5735af721f87f6fe04a2623616e2e36edf Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Wed, 19 May 2021 10:27:20 -0300 Subject: [PATCH 134/254] Add Hex equivalent of WriteData --- rules/windows/builtin/win_GPO_scheduledtasks.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
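Review bot: `generateTypedValueNode` and `generateMapItemTypedNode` now raise `IgnoreTypedModifierException` unconditionally, and the matching `except` in `generate()` (earlier hunk) turns that into a bare `return ""`, so every rule using a typed modifier such as `|re` vanishes from the output without a trace, whereas generated rules are printed. Emit one line before returning, e.g. `print("Skipped rule <{}>: unsupported type modifier".format(title))`, so the coverage gap shows up in the conversion log. The `value is None` guard in `generateMapItemNode` is placed after `fieldNameMapping`, which is the right order (ignored fields win), and a short comment saying so would prevent it being "fixed".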
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml index cd9f525aa..669bcdaa5 100644 --- a/rules/windows/builtin/win_GPO_scheduledtasks.yml +++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml @@ -20,7 +20,9 @@ detection: EventID: 5145 ShareName: \\*\SYSVOL RelativeTargetName|endswith: 'ScheduledTasks.xml' - Accesses|contains: 'WriteData' + Accesses|contains: + - 'WriteData' + - '%%4417' condition: selection falsepositives: - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks From 76523c5dbf0110c461a6007f1219a55ef3877596 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 20 May 2021 08:42:58 +0200 Subject: [PATCH 135/254] fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486). rule_id is always an uuid now. For the rule-collection with only one uuid : - first detection get the uuid - other detection get a new uuid it is a palliative, because the secondary uuid are not kept between 2 launches. best practice is to use one uuid per detection and not files. --- tools/sigma/backends/elasticsearch.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 248640066..cfd8199f6 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -21,6 +21,7 @@ import sys import os from random import randrange from distutils.util import strtobool +from uuid import uuid4 import sigma import yaml @@ -1221,6 +1222,7 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): """Elasticsearch detection rule backend""" identifier = "es-rule" active = True + uuid_black_list = [] def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) 
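Review bot: `uuid_black_list = []` is a class attribute holding a mutable list, and the only writer is `self.uuid_black_list.append(...)`, which mutates that shared list; a second backend instance in the same process (or a unit test constructing several) inherits every id seen before. Initialise it per instance in `__init__` with `self.uuid_black_list = []`, and since it is a membership set of ids already issued rather than a block list, `self.seen_rule_ids = set()` reads more honestly. The `__init__` body continues outside the hunk.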
@@ -1348,9 +1350,11 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): rule_name = configs.get("title", "").lower() rule_uuid = configs.get("id", "").lower() if rule_uuid == "": - rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name) - else: - rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid) + rule_uuid = str(uuid4()) + if rule_uuid in self.uuid_black_list: + rule_uuid = str(uuid4()) + self.uuid_black_list.append(rule_uuid) + rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid) risk_score = self.map_risk_score(configs.get("level", "medium")) references = configs.get("reference") if references is None: From ebac8a098f7f5e5c1c6378e3bdb83d05b0ae6e71 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 20 May 2021 10:05:12 +0200 Subject: [PATCH 136/254] rule refactoring: Cobalt Strike service start --- ..._or_cobaltstrike_getsystem_service_installation.yml | 10 ++++++++-- ...rpreter_or_cobaltstrike_getsystem_service_start.yml | 10 ++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 385e0b66c..7e1183737 100644 --- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
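Review bot: A collection file with one `id` gets a fresh `uuid4()` for every detection after the first on each run, so re-exporting creates new Kibana rules instead of updating the previous ones (the commit message concedes this). Derive the secondary ids deterministically from the base id and the detection's ordinal instead, which is stable across launches and still distinct per detection; the `re.sub` over a UUID string is a no-op and can go. This needs `from uuid import uuid4, uuid5, NAMESPACE_OID` in the import hunk of the same commit.
```python
rule_uuid = configs.get("id", "").lower() or str(uuid4())
# Collections share one `id`; give each extra detection a stable, derived id
# instead of a random one so re-imports update rather than duplicate rules.
seen = self.uuid_black_list.count(rule_uuid)
self.uuid_black_list.append(rule_uuid)
if seen:
    rule_uuid = str(uuid5(NAMESPACE_OID, "{}#{}".format(rule_uuid, seen)))
rule_id = rule_uuid
# ... unchanged: risk_score / references handling ...
```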
@@ -2,9 +2,9 @@ action: global title: Meterpreter or Cobalt Strike Getsystem Service Installation id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation -author: Teymur Kheirkhabarov, Ecco +author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2020/08/23 +modified: 2021/05/20 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ @@ -27,6 +27,12 @@ detection: - '/c' - 'echo' - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ServiceFileName|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - ServiceFileName|contains|all: - 'rundll32' diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml index 633e060ec..cb775d882 100644 --- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml +++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml @@ -1,9 +1,9 @@ title: Meterpreter or Cobalt Strike Getsystem Service Start id: 15619216-e993-4721-b590-4c520615a67d description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting -author: Teymur Kheirkhabarov, Ecco +author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2020/09/01 +modified: 2021/05/20 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ 
@@ -31,6 +31,12 @@ detection: - '/c' - 'echo' - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - CommandLine|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - CommandLine|contains|all: - 'rundll32' From f0974e9cf3927d419812904d8ee34a1fce6d8cba Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 20 May 2021 11:20:38 +0200 Subject: [PATCH 137/254] Fix : **false_positives** must be a array. If null add "Unknown". If it is a string convert to a simple array row --- tools/sigma/backends/elasticsearch.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index cfd8199f6..91696f950 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1359,10 +1359,16 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): references = configs.get("reference") if references is None: references = configs.get("references") + falsepositives = [] + yml_falsepositives = configs.get('falsepositives',["Unknown"]) + if isinstance(yml_falsepositives,str): + falsepositives.append(yml_falsepositives) + else: + falsepositives=yml_falsepositives rule = { "description": configs.get("description", ""), "enabled": True, - "false_positives": configs.get('falsepositives', "Unknown"), + "false_positives": falsepositives, "filters": [], "from": "now-360s", "immutable": False, From cbb81cdf86e9e1e5a2abb25d81f1a3970498bcb0 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 20 May 2021 12:32:19 +0200 Subject: [PATCH 138/254] Fix import to kibana error 400 rish_score is null. rish_score is a integer. If level is invalid set to medium --- tools/sigma/backends/elasticsearch.py | 2 ++ 1 file changed, 2 insertions(+) 
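Review bot: A rule whose `falsepositives:` key is present but empty still yields `null` here, because `configs.get('falsepositives', ["Unknown"])` only applies the default when the key is absent, `None` is not a `str`, and the `else` branch then assigns `falsepositives = None` — the very case the commit message says is handled. Use `yml_falsepositives = configs.get('falsepositives') or ["Unknown"]` so missing and empty values both get the default; the per-rule `- Unknown` additions in the later commits of this series should then not be needed for the import itself. The `else` branch also passes any non-string, non-list value (e.g. a mapping) through unchanged, so a final `list(...)` or type check is worth adding. create_rule continues outside the hunk.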
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 91696f950..db56a80c3 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1306,6 +1306,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): return technique def map_risk_score(self, level): + if level not in ["low","medium","high","critical"]: + level = "medium" if level == "low": return 5 elif level == "medium": From b92b765f9a413bacc4f19852821584f082dd7dc7 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 20 May 2021 13:14:43 +0200 Subject: [PATCH 139/254] Fix import to kibana error 400 severity is invalid. --- tools/sigma/backends/elasticsearch.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index db56a80c3..e0bcd369c 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1317,6 +1317,16 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): elif level == "critical": return 95 + def map_severity(self, severity): + severity = severity.lower() + if severity in ["low","medium","high","critical"]: + return severity + elif severity == "informational": + return "low" + else: + return "medium" + + def create_rule(self, configs, index): tags = configs.get("tags", []) tactics_list = list() @@ -1386,7 +1396,7 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): "meta": { "from": "1m" }, - "severity": configs.get("level", "medium"), + "severity": self.map_severity(configs.get("level", "medium")), "tags": new_tags, "to": "now", "type": self.rule_type, From 226a666827fec3cbddbe8682859c4dc680426f38 Mon Sep 17 00:00:00 2001 
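Review bot: `map_risk_score` compares `level` case-sensitively and has no `informational` case, while the new `map_severity` lower-cases its input and maps `informational` to `low`, so a rule with `level: High` or `level: informational` is exported with severity `high`/`low` but the medium risk score. Normalise both the same way: start `map_risk_score` with `level = str(level).lower()` and score `informational` like `low` (`if level in ["low", "informational"]: return 5`), or have `map_risk_score` call `map_severity` first. `map_severity` also calls `.lower()` unconditionally, and `configs.get("level", "medium")` does not default a key that is present but empty, so an empty `level:` raises `AttributeError` on the `"severity"` line of the third hunk; `severity = str(severity or "medium").lower()` avoids that. map_risk_score's body continues outside the first hunk.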
From: Andreas Hunkeler Date: Thu, 20 May 2021 16:05:13 +0200 Subject: [PATCH 140/254] rule: add rule to detect shell spawn from WinRM host process --- .../win_susp_shell_spawn_from_winrm.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml new file mode 100644 index 000000000..57c00dc75 --- /dev/null +++ b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml @@ -0,0 +1,29 @@ +title: Suspicious Shells Spawn by WinRM +id: 5cc2cda8-f261-4d88-a2de-e9e193c86716 +description: Detects suspicious shell spawn from WinRM host process +status: experimental +author: Andreas Hunkeler (@Karneades), Markus Neis +date: 2021/05/20 +tags: + - attack.t1190 + - attack.initial_access + - attack.persistence + - attack.privilege_escalation +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\wsmprovhost.exe' + Image: + - '*\cmd.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\powershell.exe' + - '*\schtasks.exe' + - '*\certutil.exe' + - '*\whoami.exe' + - '*\bitsadmin.exe' + condition: selection + +level: critical From 3763e54b99b05f23ed288c6fbd14f8405a7762e8 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Thu, 20 May 2021 17:00:25 +0200 Subject: [PATCH 141/254] Add keyword WinRM to remote powershell process rule --- .../win_remote_powershell_session_process.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index 7490d9b6d..a570bfdd6 100644 --- a/rules/windows/process_creation/win_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml 
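Review bot: The new rule is created under `rules/windows/process_access/` but its logsource is `category: process_creation`, so it belongs in `rules/windows/process_creation/` next to the other wsmprovhost rule touched in this series. It also lacks `falsepositives` and `references`, which the other rules here carry and which the Elastic backend exports as a list; at minimum add `falsepositives:` with `- Legitimate administrative PowerShell remoting sessions`, since `whoami.exe`, `cmd.exe` and `schtasks.exe` under `wsmprovhost.exe` are plausible there, which also makes `level: critical` look high for a rule with no exclusion. The tags (`attack.t1190` with initial_access/persistence/privilege_escalation) do not obviously describe a shell spawned from the WinRM host process; `attack.lateral_movement` with `attack.t1021.006` seems a closer fit, depending on the intended threat model. The stray blank line before `level: critical` can go.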
@@ -1,6 +1,6 @@ -title: Remote PowerShell Session +title: Remote PowerShell Session (WinRM) id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 -description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session) +description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session) status: experimental date: 2019/09/12 modified: 2019/11/10 From b46f65965dacdb624241aa78e8d1698966e200d6 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Thu, 20 May 2021 17:02:17 +0200 Subject: [PATCH 142/254] Add keyword WinRM to remote powershell network rule --- rules/windows/builtin/win_remote_powershell_session.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml index 9723914b0..22ee80787 100644 --- a/rules/windows/builtin/win_remote_powershell_session.yml +++ b/rules/windows/builtin/win_remote_powershell_session.yml @@ -1,6 +1,6 @@ -title: Remote PowerShell Sessions +title: Remote PowerShell Sessions Network Connections (WinRM) id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 -description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986 +description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 status: experimental date: 2019/09/12 author: Roberto Rodriguez @Cyb3rWard0g From 93241e7fc6a1b86d40404d316a2bf517b6846711 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Thu, 20 May 2021 17:03:32 +0200 Subject: [PATCH 143/254] Add keyword WinRM to remote powershell process rule --- .../process_creation/win_remote_powershell_session_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
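Review bot: The rewritten description still says `PowerShell sections` where `sessions` is meant; since the line is being edited anyway, make it `description: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session)`. The same line appears as context in the later hunks for this file at L151 and L152.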
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index a570bfdd6..f90566045 100644 --- a/rules/windows/process_creation/win_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml @@ -1,4 +1,4 @@ -title: Remote PowerShell Session (WinRM) +title: Remote PowerShell Session Host Process (WinRM) id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session) status: experimental From d8ec5fa6afd9b04ec0a9d6db5bec6fd0f796f5c6 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Fri, 21 May 2021 09:28:45 +0200 Subject: [PATCH 144/254] Add modified field in WinRM rule --- rules/windows/builtin/win_remote_powershell_session.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml index 22ee80787..a8388f876 100644 --- a/rules/windows/builtin/win_remote_powershell_session.yml +++ b/rules/windows/builtin/win_remote_powershell_session.yml @@ -3,6 +3,7 @@ id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 status: experimental date: 2019/09/12 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md From e58c59dcfdd4e0fd5224c0be1fe90bf7fc643981 Mon Sep 17 00:00:00 2001 
From: Andreas Hunkeler Date: Fri, 21 May 2021 09:29:11 +0200 Subject: [PATCH 145/254] Update modified field in WinRM rule --- .../process_creation/win_remote_powershell_session_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index f90566045..f5bb57daa 100644 --- a/rules/windows/process_creation/win_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml @@ -3,7 +3,7 @@ id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session) status: experimental date: 2019/09/12 -modified: 2019/11/10 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md From dfe7e4e38c4f86bb9122729fcdcce376b9af0a1d Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 11:12:04 +0200 Subject: [PATCH 146/254] Fix falsepositives list --- .../windows/registry_event/sysmon_wab_dllpath_reg_change.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml index 63a654317..351020fc0 100644 --- a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml @@ -10,6 +10,7 @@ tags: - attack.defense_evasion - attack.t1218 date: 2020/10/13 +modified: 2021/05/21 author: oscd.community, Natalia Shornikova logsource: category: registry_event 
@@ -20,5 +21,6 @@ detection: filter: Details: '%CommonProgramFiles%\System\wab32.dll' condition: selection and not filter -falsepositives: Unknown +falsepositives: + - Unknown level: high From 45190c3874498fb772a4fb099c9e9c60328686f7 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 11:13:27 +0200 Subject: [PATCH 147/254] Fix falsepositives list --- ...mon_accessing_winapi_in_powershell_credentials_dumping.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index 96e861348..c4eb90952 100644 --- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -4,6 +4,7 @@ description: Detects Accessing to lsass.exe by Powershell status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 +modified: 2021/05/21 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tag: @@ -20,5 +21,6 @@ detection: SourceImage|endswith: '\powershell.exe' TargetImage|endswith: '\lsass.exe' condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: high From cabaccceb8c3d06ca58063dc996d3c468f221961 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 11:15:10 +0200 Subject: [PATCH 148/254] Fix falsepositives list --- rules/windows/registry_event/sysmon_powershell_as_service.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml index a26556cb7..a297c6680 100644 --- a/rules/windows/registry_event/sysmon_powershell_as_service.yml +++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml 
@@ -4,6 +4,7 @@ description: Detects that a powershell code is written to the registry as a serv status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 +modified: 2021/05/21 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -20,5 +21,6 @@ detection: - 'powershell' - 'pwsh' condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: high From 6878bfade9cb972a312280987a68eebfb8a620c9 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 11:17:36 +0200 Subject: [PATCH 149/254] Fix falsepositives list --- rules/windows/process_creation/win_manage-bde_lolbas.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml index 06216b629..384015178 100644 --- a/rules/windows/process_creation/win_manage-bde_lolbas.yml +++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml @@ -11,6 +11,7 @@ tags: - attack.defense_evasion - attack.t1216 date: 2020/10/13 +modified: 2021/05/21 author: oscd.community, Natalia Shornikova logsource: category: process_creation @@ -21,5 +22,6 @@ detection: - 'cscript' - 'manage-bde.wsf' condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: medium From f3126638209464b5549c76ae9edec71ed4c76024 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 11:29:17 +0200 Subject: [PATCH 150/254] Fix falsepositives list --- .../process_creation/win_CL_Mutexverifiers_LOLScript.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml index 984557a01..4fd2f44c7 100644 --- a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml 
@@ -4,6 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 +modified: 2021/05/21 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - https://twitter.com/pabraeken/status/995111125447577600 @@ -20,5 +21,6 @@ detection: - 'runAfterCancelProcess' # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe" condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: high From f4be70aa9e2cf26381552f43ea56a7c75d135f7b Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:19:17 +0200 Subject: [PATCH 151/254] Fix falsepositives list --- .../windows/process_creation/win_CL_Invocation_LOLScript.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml index d7136f783..04a8b5dd2 100644 --- a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml +++ b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml @@ -4,6 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 +modified: 2021/05/21 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - https://twitter.com/bohops/status/948061991012327424 @@ -20,5 +21,6 @@ detection: - 'SyncInvoke' # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe" condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: high From a9e85ca58eb97d15f157e3bc3d4b7553519a6125 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Fri, 21 May 2021 12:22:36 +0200 Subject: [PATCH 152/254] Fix falsepositives list --- .../process_creation/sysmon_long_powershell_commandline.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index 2feca4fc3..52ffcbc05 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -9,6 +9,7 @@ tags: status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 +modified: 2021/05/21 logsource: category: process_creation product: windows @@ -22,5 +23,6 @@ detection: Length_selection: CommandLine|re: '.{1000,}' condition: all of them -falsepositives: Unknown +falsepositives: + - Unknown level: medium From 6630ec7c4179c7a4e8a8ce8958b0453849140727 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:23:09 +0200 Subject: [PATCH 153/254] Fix falsepositives list --- rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml index 053ce0b56..6a3c2d1f1 100755 --- a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml +++ b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml @@ -20,4 +20,5 @@ detection: CallTrace|contains: 'comsvcs.dll' condition: selection falsepositives: + - Unknown level: critical From 48a7e801923f55af7398db3a2673f5bf5a76ce93 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:24:25 +0200 Subject: [PATCH 154/254] Fix falsepositives list --- .../powershell/powershell_wsman_com_provider_no_powershell.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml index af7203148..b65954289 100644 --- a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml +++ b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml @@ -3,6 +3,7 @@ id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7 description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application. status: experimental date: 2020/06/24 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -23,4 +24,5 @@ detection: Message|contains: 'HostApplication=*powershell' condition: selection and not filter falsepositives: + - Unknown level: medium From 2197514fc5156ccf3afe4e92847552aaec76d052 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:26:37 +0200 Subject: [PATCH 155/254] Fix falsepositives list --- .../powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml index f7c4075fa..c4b47e1b8 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml @@ -4,6 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 +modified: 2021/05/21 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - https://twitter.com/pabraeken/status/995111125447577600 
@@ -22,5 +23,6 @@ detection: condition: selection2 | count(ScriptBlockText) by Computer > 2 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 # PS > runAfterCancelProcess c:\Evil.exe -falsepositives: Unknown +falsepositives: + - Unknown level: high From ad376a8328e9111443f3876e984a1dd3e0162641 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:28:12 +0200 Subject: [PATCH 156/254] Fix falsepositives list --- .../powershell/powershell_CL_Mutexverifiers_LOLScript.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml index 46cbd45be..341b51f79 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml @@ -4,6 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 +modified: 2021/05/21 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - https://twitter.com/pabraeken/status/995111125447577600 @@ -20,5 +21,6 @@ detection: - 'CL_Mutexverifiers.ps1' - 'runAfterCancelProcess' condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: high \ No newline at end of file From a6cadc6de5f3dc30a7dc4d34f3e00b55002caf4c Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:29:28 +0200 Subject: [PATCH 157/254] Fix falsepositives list --- .../powershell/powershell_CL_Invocation_LOLScript_v2.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml index f22022cf9..c8b63179e 100644 
--- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -4,6 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 +modified: 2021/05/21 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - https://twitter.com/bohops/status/948061991012327424 @@ -22,5 +23,6 @@ detection: condition: selection2 | count(ScriptBlockText) by Computer > 2 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 # PS > SyncInvoke c:\Evil.exe -falsepositives: Unknown +falsepositives: + - Unknown level: high From 1d1170e8ba426becbc14faadb5cfcd99e70fdb8f Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:31:01 +0200 Subject: [PATCH 158/254] Fix falsepositives list --- .../windows/powershell/powershell_CL_Invocation_LOLScript.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 9c4f4342f..4189204e1 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -4,6 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/14 +modified: 2021/05/21 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - https://twitter.com/bohops/status/948061991012327424 @@ -20,5 +21,6 @@ detection: - 'CL_Invocation.ps1' - 'SyncInvoke' condition: selection -falsepositives: Unknown +falsepositives: + - Unknown level: high From 168d5c9dff5b24b6c912b1fedda36e4e36ad442b Mon Sep 17 00:00:00 2001 
From: frack113 Date: Fri, 21 May 2021 12:32:24 +0200 Subject: [PATCH 159/254] Fix falsepositives list --- rules/windows/image_load/sysmon_pcre_net_load.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/image_load/sysmon_pcre_net_load.yml b/rules/windows/image_load/sysmon_pcre_net_load.yml index b66033bed..383a83b9d 100644 --- a/rules/windows/image_load/sysmon_pcre_net_load.yml +++ b/rules/windows/image_load/sysmon_pcre_net_load.yml @@ -3,6 +3,7 @@ id: 84b0a8f3-680b-4096-a45b-e9a89221727c description: Detects processes loading modules related to PCRE.NET package status: experimental date: 2020/10/29 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -18,4 +19,5 @@ detection: - ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ condition: selection falsepositives: + - Unknown level: high \ No newline at end of file From 0a588a1eccf0dc9ed46f169dde44884674064ebe Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:33:50 +0200 Subject: [PATCH 160/254] Fix falsepositives list --- rules/windows/file_event/sysmon_pcre_net_temp_file.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/file_event/sysmon_pcre_net_temp_file.yml b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml index 551fff252..f45d3e393 100644 --- a/rules/windows/file_event/sysmon_pcre_net_temp_file.yml +++ b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml @@ -3,6 +3,7 @@ id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da description: Detects processes creating temp files related to PCRE.NET package status: experimental date: 2020/10/29 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -18,4 +19,5 @@ detection: - TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ condition: selection falsepositives: + - Unknown level: high \ No newline at end of file 
From 1e2f7c7abf59caa979fb17b2ec04da2cfaea7f29 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:35:37 +0200 Subject: [PATCH 161/254] Fix falsepositives list --- .../builtin/win_powershell_script_installed_as_service.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index 1f5a7e419..01652c7c6 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -5,6 +5,7 @@ description: Detects powershell script installed as a Service status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 +modified: 2021/05/21 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -16,7 +17,8 @@ detection: - 'powershell' - 'pwsh' condition: service_creation and powershell_as_service -falsepositives: Unknown +falsepositives: + - Unknown level: high --- logsource: From dec9e6887696e8c38ce0d1fcf7bed768f25bbdb3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:38:44 +0200 Subject: [PATCH 162/254] Fix falsepositives list --- rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml index 6a3c2d1f1..578d232f6 100755 --- a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml +++ b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml 
@@ -3,6 +3,7 @@ id: a49fa4d5-11db-418c-8473-1e014a8dd462 description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. status: experimental date: 2020/10/20 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -20,5 +21,5 @@ detection: CallTrace|contains: 'comsvcs.dll' condition: selection falsepositives: - - Unknown + - Unknown level: critical From 8a8f003d15575acc2a5c30d8aaac4658c5ed71b2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 19:31:06 +0200 Subject: [PATCH 163/254] add lastday filter to get only the rule update or create in the last N days lastday=0 is all :) --- tools/sigma/filter.py | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index 5ec72b621..420fddf13 100644 --- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -15,6 +15,7 @@ # along with this program. If not, see . # Rule Filtering +import datetime class SigmaRuleFilter: """Filter for Sigma rules with conditions""" LEVELS = { @@ -31,6 +32,7 @@ class SigmaRuleFilter: self.status = None self.logsources = list() self.tags = list() + self.lastday = None for cond in [c.replace(" ", "") for c in expr.split(",")]: if cond.startswith("level<="): @@ -60,6 +62,12 @@ class SigmaRuleFilter: self.logsources.append(cond[cond.index("=") + 1:]) elif cond.startswith("tag="): self.tags.append(cond[cond.index("=") + 1:].lower()) + elif cond.startswith("lastday="): + nbday = cond[cond.index("=") + 1:] + try: + self.lastday = int(nbday) + except ValueError as e: + raise SigmaRuleFilterParseException("Unknown number '%s' in condition '%s'" % (nbday, cond)) from e else: raise SigmaRuleFilterParseException("Unknown condition '%s'" % cond) 
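Review bot: `lastday=` accepts negative values: `int("-5")` parses, `self.lastday` is then truthy, and every rule fails the `delta.days > self.lastday` test in the match hunk at L163, so the filter silently matches nothing. Reject them at parse time, right after the `int()` conversion: `if self.lastday < 0: raise SigmaRuleFilterParseException("Negative number '%s' in condition '%s'" % (nbday, cond))`. The commit message's `lastday=0` meaning "all" relies on `0` being falsy in `if self.lastday:`; a comment on the `self.lastday = None` line, e.g. `# None or 0: no date restriction`, would make that explicit. The enclosing method (apparently `__init__`) continues outside the hunk.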
@@ -111,7 +119,27 @@ class SigmaRuleFilter: for tag in self.tags: if tag not in tags: return False - + + # date in the last N days + if self.lastday: + try: + date_str = yamldoc['date'] + except KeyError: # missing date + return False # User wants date time restriction, but it's not possible here + + try: + modified_str = yamldoc['modified'] + except KeyError: # no update + modified_str = None + if modified_str: + date_str = modified_str + + date_object = datetime.datetime.strptime(date_str, '%Y/%m/%d') + today_objet = datetime.datetime.now() + delta = today_objet - date_object + if delta.days > self.lastday: + return False + # all tests passed return True From e23147111b22a7f8c03725c584d47d7585c6d924 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 22 May 2021 00:54:57 -0300 Subject: [PATCH 164/254] Update Threat Hunter Playbook Reference --- rules/windows/builtin/win_ad_object_writedac_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml index 60a4c5974..b3ebbc942 100644 --- a/rules/windows/builtin/win_ad_object_writedac_access.yml +++ b/rules/windows/builtin/win_ad_object_writedac_access.yml @@ -5,7 +5,7 @@ status: experimental date: 2019/09/12 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html tags: - attack.defense_evasion - attack.t1222 # an old one From 9765fcbd0c923c7a3de56d3bd8f58708952e585d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 22 May 2021 00:55:29 -0300 Subject: [PATCH 165/254] Update Threat Hunter Playbook Reference --- .../windows/builtin/win_ad_replication_non_machine_account.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
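Review bot: `datetime.datetime.strptime(date_str, '%Y/%m/%d')` is not guarded, so a rule whose `date` or `modified` value does not match that format, or is not a string at all, raises ValueError/TypeError out of the filter instead of excluding that one rule. Wrap the parse the same way the missing `date` key is handled a few lines above: `try: date_object = datetime.datetime.strptime(date_str, '%Y/%m/%d')` / `except (TypeError, ValueError): return False`. `today_objet` is a typo for `today_object`. The method this block belongs to starts outside the hunk; only its final `return True` is visible.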
diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
index fcdb3ee67..2fe27687b 100644
--- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
@@ -6,7 +6,7 @@ date: 2019/07/26
 modified: 2020/08/23
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
+    - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
 tags:
     - attack.credential_access
     - attack.t1003 # an old one

From 943e2c8c88933b2ec0cbe9f36a07109907065f7d Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 00:56:03 -0300
Subject: [PATCH 166/254] Update Threat Hunter Playbook Reference

---
 rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
index b9d52b7e5..f913f7531 100644
--- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
@@ -5,7 +5,7 @@ status: experimental
 date: 2019/06/20
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+    - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
 tags:
     - attack.credential_access
     - attack.t1003 # an old one

From 3fb5f1c47e4c3649d7452ec6e381022ee23bdf59 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 00:56:32 -0300
Subject: [PATCH 167/254] Update Threat Hunter Playbook Reference

---
 .../builtin/win_dpapi_domain_masterkey_backup_attempt.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
index a5a89c445..c65a24252 100644
--- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -5,7 +5,7 @@ status: experimental
 date: 2019/08/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+    - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
 tags:
     - attack.credential_access
     - attack.t1003 # an old one

From 085218b25acd23581fcb127dd4cb05b1ef0cf416 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 00:57:01 -0300
Subject: [PATCH 168/254] Update Threat Hunter Playbook Reference

---
 rules/windows/builtin/win_lsass_access_non_system_account.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml
index 41426031c..548473bb9 100644
--- a/rules/windows/builtin/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml
@@ -6,7 +6,7 @@ date: 2019/06/20
 modified: 2021/03/17
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md
+    - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
 tags:
     - attack.credential_access
     - attack.t1003 # an old one

From 2e139b4264ae9c578808a5e6c2bd09b4f33eeeab Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 00:57:25 -0300
Subject: [PATCH 169/254] Update win_protected_storage_service_access.yml

---
 .../windows/builtin/win_protected_storage_service_access.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/win_protected_storage_service_access.yml
index 263de756b..cd0a8900a 100644
--- a/rules/windows/builtin/win_protected_storage_service_access.yml
+++ b/rules/windows/builtin/win_protected_storage_service_access.yml
@@ -6,7 +6,7 @@ date: 2019/08/10
 modified: 2020/08/23
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+    - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
 tags:
     - attack.lateral_movement
     - attack.t1021 # an old one
@@ -22,4 +22,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical

From 7007287832f57d3fc19b7a0ed792e9b92fe1b646 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 00:58:23 -0300
Subject: [PATCH 170/254] Update Threat Hunter Playbook Reference

---
 rules/windows/builtin/win_remote_powershell_session.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml
index a8388f876..3de3b459a 100644
--- a/rules/windows/builtin/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/win_remote_powershell_session.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
 modified: 2021/05/21
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 tags:
     - attack.execution
     - attack.t1086 # an old one

From d3afed53ac87936fe32a1ee3b32a37994cb7eab1 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 00:59:04 -0300
Subject: [PATCH 171/254] Update Threat Hunter Playbook Reference

---
 rules/windows/builtin/win_sam_registry_hive_handle_request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
index f5d90abbb..da2eac46f 100644
--- a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
+++ b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
@@ -6,7 +6,7 @@ date: 2019/08/12
 modified: 2020/08/23
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md
+    - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html
 tags:
     - attack.discovery
     - attack.t1012

From 93087d21300e390916a50099c4d490a7bbe440dd Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 00:59:35 -0300
Subject: [PATCH 172/254] Update Threat Hunter Playbook Reference

---
 rules/windows/builtin/win_scm_database_handle_failure.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml
index 7efc27dbb..bf753fdca 100644
--- a/rules/windows/builtin/win_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/win_scm_database_handle_failure.yml
@@ -5,7 +5,7 @@ status: experimental
 date: 2019/08/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
+    - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
 tags:
     - attack.discovery
 logsource:

From 1b32a5c0f3f6fa28a6d54416ec04f244e1e8e214 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 00:59:54 -0300
Subject: [PATCH 173/254] Update Threat Hunter Playbook Reference

---
 rules/windows/builtin/win_scm_database_privileged_operation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml
index e5e6a0206..9501875ab 100644
--- a/rules/windows/builtin/win_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml
@@ -5,7 +5,7 @@ status: experimental
 date: 2019/08/15
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
+    - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
 logsource:
     product: windows
     service: security

From e218c32a4cc7c3ee9f5560a26f07fb844479e044 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:00:39 -0300
Subject: [PATCH 174/254] Update Threat Hunter Playbook Reference

---
 .../sysmon_createremotethread_loadlibrary.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
index d2a497b27..30b3da1b2 100644
--- a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -6,7 +6,7 @@ date: 2019/08/11
 modified: 2020/08/28
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
+    - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
 tags:
     - attack.defense_evasion
     - attack.t1055 # an old one

From 3853d71c56b4dc66fbf4e036b14242d7c76b83f6 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:01:07 -0300
Subject: [PATCH 175/254] Update Threat Hunter Playbook Reference

---
 .../image_load/sysmon_powershell_execution_moduleload.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
index bb3cbec63..111759c39 100755
--- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
 modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
 tags:
     - attack.execution
     - attack.t1086 # an old one

From 627a83914a3a3fa764ec6237279cf9c640857ca8 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:01:33 -0300
Subject: [PATCH 176/254] Update Threat Hunter Playbook Reference

---
 rules/windows/image_load/sysmon_wmi_module_load.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 6b46e7b0f..e93309383 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -6,7 +6,7 @@ date: 2019/08/10
 modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
 tags:
     - attack.execution
     - attack.t1047

From 5f6c19f203d7d0910d7ef9ed160302cbcc191d7a Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:02:19 -0300
Subject: [PATCH 177/254] Update Threat Hunter Playbook Reference

---
 .../sysmon_remote_powershell_session_network.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
index de8934dcb..f25bc0b42 100755
--- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
 modified: 2020/08/24
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 tags:
     - attack.execution
     - attack.t1059.001

From c7f7eb669815bb3ef2834d00b437212f6458c91f Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:02:43 -0300
Subject: [PATCH 178/254] Update Threat Hunter Playbook Reference

---
 .../pipe_created/sysmon_alternate_powershell_hosts_pipe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index a2f7e2bb6..742aaae95 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
 modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 tags:
     - attack.execution
     - attack.t1086 # an old one

From 4ebdcf2f1df11062c5f5f028e15cbfe9d6d96378 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:03:23 -0300
Subject: [PATCH 179/254] Update Threat Hunter Playbook Reference

---
 .../powershell/powershell_alternate_powershell_hosts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index 11cb82fbf..acf3ed8b7 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -5,7 +5,7 @@ status: experimental
 date: 2019/08/11
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 tags:
     - attack.execution
     - attack.t1059.001

From 26ecbea0bad4301d266343bc734d206772977740 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:03:49 -0300
Subject: [PATCH 180/254] Update Threat Hunter Playbook Reference

---
 .../windows/powershell/powershell_remote_powershell_session.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
index 710a4a931..80f74507d 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@@ -6,7 +6,7 @@ date: 2019/08/10
 modified: 2020/08/24
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 tags:
     - attack.execution
     - attack.t1059.001

From 89cfef9d4911d9d59d98cc8d78f79fd1c25dfaef Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:04:20 -0300
Subject: [PATCH 181/254] Update Threat Hunter Playbook Reference

---
 .../windows/process_creation/win_non_interactive_powershell.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index a853048fe..80be22f95 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
 modified: 2021/05/10
 author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
 tags:
     - attack.execution
     - attack.t1086 # an old one

From 34e2a813713adec2810cf9aec0fc0783da7499eb Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:04:53 -0300
Subject: [PATCH 182/254] Update Threat Hunter Playbook Reference

---
 .../process_creation/win_remote_powershell_session_process.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index f5bb57daa..00a033cb0 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
 modified: 2021/05/21
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 tags:
     - attack.execution
     - attack.t1086 # an old one

From 7f335cbb4a96286284c249cfa0df4b2076ddbfd5 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:08:23 -0300
Subject: [PATCH 183/254] Update Threat Hunter Playbook Reference

---
 .../windows/process_creation/win_wmiprvse_spawning_process.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index 042df7de0..d5a59f6e0 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -6,7 +6,7 @@ date: 2019/08/15
 modified: 2021/02/24
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md
+    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
 tags:
     - attack.execution
     - attack.t1047

From 687f2d67fc430730bd75f61f8708f7289f269255 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 22 May 2021 01:09:30 -0300
Subject: [PATCH 184/254] Update Threat Hunter Playbook Reference

---
 .../windows/registry_event/sysmon_rdp_registry_modification.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
index 3fe7d6cda..3df09fb62 100755
--- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml +++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml @@ -6,7 +6,7 @@ date: 2019/09/12 modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html tags: - attack.defense_evasion - attack.t1112 From 8aa3ea15d77e4d1bf1edd99608412ce300edb7ba Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 22 May 2021 08:44:30 +0200 Subject: [PATCH 185/254] change to the more revealing name "inlastday" --- tools/sigma/filter.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index 420fddf13..9b7e19a30 100644 --- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -32,7 +32,7 @@ class SigmaRuleFilter: self.status = None self.logsources = list() self.tags = list() - self.lastday = None + self.inlastday = None for cond in [c.replace(" ", "") for c in expr.split(",")]: if cond.startswith("level<="): @@ -62,10 +62,10 @@ class SigmaRuleFilter: self.logsources.append(cond[cond.index("=") + 1:]) elif cond.startswith("tag="): self.tags.append(cond[cond.index("=") + 1:].lower()) - elif cond.startswith("lastday="): + elif cond.startswith("inlastday="): nbday = cond[cond.index("=") + 1:] try: - self.lastday = int(nbday) + self.inlastday = int(nbday) except ValueError as e: raise SigmaRuleFilterParseException("Unknown number '%s' in condition '%s'" % (nbday, cond)) from e else: @@ -121,7 +121,7 @@ class SigmaRuleFilter: return False # date in the last N days - if self.lastday: + if self.inlastday: try: date_str = yamldoc['date'] except KeyError: # missing date 
@@ -137,7 +137,7 @@ class SigmaRuleFilter: date_object = datetime.datetime.strptime(date_str, '%Y/%m/%d') today_objet = datetime.datetime.now() delta = today_objet - date_object - if delta.days > self.lastday: + if delta.days > self.inlastday: return False # all tests passed From f213226eb4c8c1ac7112260c082efc6416013bf0 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 22 May 2021 08:57:42 +0200 Subject: [PATCH 186/254] Add the 'tag!=' filter --- tools/sigma/filter.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index 9b7e19a30..2de995ed2 100644 --- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -32,6 +32,7 @@ class SigmaRuleFilter: self.status = None self.logsources = list() self.tags = list() + self.nottags = list() self.inlastday = None for cond in [c.replace(" ", "") for c in expr.split(",")]: @@ -62,6 +63,8 @@ class SigmaRuleFilter: self.logsources.append(cond[cond.index("=") + 1:]) elif cond.startswith("tag="): self.tags.append(cond[cond.index("=") + 1:].lower()) + elif cond.startswith("tag!="): + self.nottags.append(cond[cond.index("=") + 1:].lower()) elif cond.startswith("inlastday="): nbday = cond[cond.index("=") + 1:] try: @@ -119,6 +122,16 @@ class SigmaRuleFilter: for tag in self.tags: if tag not in tags: return False + # Not Tags + if self.nottags: + try: + nottags = [ tag.lower() for tag in yamldoc['tags']] + except (KeyError, AttributeError): # no tags set + return False + + for tag in self.nottags: + if tag in nottags: + return False # date in the last N days if self.inlastday: From 0e688d8dd01cc0e684f3f3862afd1b4c21ba330f Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 22 May 2021 09:04:30 +0200 Subject: [PATCH 187/254] Add the 'logsource!=' filter --- tools/sigma/filter.py | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index 2de995ed2..ca40dbc2e 100644 
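Review bot: In the `# Not Tags` block, `except (KeyError, AttributeError): return False` rejects every rule that has no `tags` key, yet a rule without tags cannot carry an excluded tag, so `tag!=` silently drops all untagged rules instead of keeping them. Replace the `return False` inside that except with `nottags = []` so the loop below simply finds nothing to exclude. The `# NOT Log Sources` block added in the following commit (`@@ -112,6 +115,17 @@`) has the same inverted except, and its comment `# User wants status restriction, but it's not possible here` is copied from the status check and no longer describes the code. The matching method this hunk belongs to starts and ends outside the hunk.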
--- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -27,13 +27,14 @@ class SigmaRuleFilter: STATES = ["experimental", "testing", "stable"] def __init__(self, expr): - self.minlevel = None - self.maxlevel = None - self.status = None - self.logsources = list() - self.tags = list() - self.nottags = list() - self.inlastday = None + self.minlevel = None + self.maxlevel = None + self.status = None + self.logsources = list() + self.notlogsources = list() + self.tags = list() + self.nottags = list() + self.inlastday = None for cond in [c.replace(" ", "") for c in expr.split(",")]: if cond.startswith("level<="): @@ -61,6 +62,8 @@ class SigmaRuleFilter: raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond)) elif cond.startswith("logsource="): self.logsources.append(cond[cond.index("=") + 1:]) + elif cond.startswith("logsource!="): + self.notlogsources.append(cond[cond.index("=") + 1:]) elif cond.startswith("tag="): self.tags.append(cond[cond.index("=") + 1:].lower()) elif cond.startswith("tag!="): @@ -112,6 +115,17 @@ class SigmaRuleFilter: if logsrc not in logsources: return False + # NOT Log Sources + if self.notlogsources: + try: + notlogsources = { value for key, value in yamldoc['logsource'].items() } + except (KeyError, AttributeError): # no log source set + return False # User wants status restriction, but it's not possible here + + for logsrc in self.notlogsources: + if logsrc in notlogsources: + return False + # Tags if self.tags: try: @@ -122,7 +136,7 @@ class SigmaRuleFilter: for tag in self.tags: if tag not in tags: return False - # Not Tags + # NOT Tags if self.nottags: try: nottags = [ tag.lower() for tag in yamldoc['tags']] From c0d58cb7f92e07c475ac47aa6924d4f127c922c1 Mon Sep 17 00:00:00 2001 
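Review bot: `notlogsources = { value for key, value in yamldoc['logsource'].items() }` never uses `key`; `set(yamldoc['logsource'].values())` says the same thing directly and presumably matches how the positive `logsource=` check above builds `logsources` (that code is outside the hunk). The `__init__` hunk in the same commit re-indents seven unchanged assignments alongside the one new `self.notlogsources` line, which hides the real change in blame; whitespace churn is better kept to its own commit. The matching method the `# NOT Log Sources` block belongs to starts and ends outside the hunk.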
From: Florian Roth
Date: Sat, 22 May 2021 10:52:01 +0200
Subject: [PATCH 188/254] PAExec and PSexec rules

---
 .../win_susp_psexex_paexec_flags.yml | 33 +++++++++++++++++++
 .../win_susp_renamed_paexec.yml | 25 ++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
 create mode 100644 rules/windows/process_creation/win_susp_renamed_paexec.yml

diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
new file mode 100644
index 000000000..b67c29505
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
@@ -0,0 +1,33 @@
+title: PsExec/PAExec Flags
+id: 207b0396-3689-42d9-8399-4222658efc99
+status: experimental
+description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
+references:
+    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+    - https://www.poweradmin.com/paexec/
+    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: Florian Roth
+date: 2021/05/22
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_flags_1: # Escalation to LOCAL_SYSTEM
+        CommandLine|contains|all:
+            - '\\127.0.0.1'
+            - ' -s '
+            - 'cmd.exe'
+    selection_flags_2|contains|all: # Accepting EULA in commandline - often used in automated attacks
+            - ' /accepteula '
+            - 'cmd /c '
+            - ' -u '
+            - ' -p '
+    filter:
+        CommandLine|contains:
+            - 'paexec'
+            - 'PsExec'
+    condition: ( selection_flags_1 or selection_flags_2 ) and not filter
+falsepositives:
+    - Weird admins that rename their tools
+    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
+level: high
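Review bot: The new rule has no `tags:` block, while the rest of this series maps every rule to ATT&CK; add `tags:` / `    - attack.execution` / `    - attack.t1569.002` so it is classified with the others and is not dropped by the `tag=` filter used elsewhere in this patch set. The `'\\127.0.0.1'` entry is two backslash characters in a single-quoted YAML scalar, which Sigma's escaping reads as one literal backslash; a comment such as `# '\\' is a single literal backslash after Sigma escaping` next to it would spare the next reader the lookup. The `filter` suppresses any command line containing `paexec` or `PsExec` anywhere, which is the stated intent ("no usual program name") but is worth saying in the description so nobody tightens it by accident.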
diff --git a/rules/windows/process_creation/win_susp_renamed_paexec.yml b/rules/windows/process_creation/win_susp_renamed_paexec.yml
new file mode 100644
index 000000000..cc1d5f209
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_renamed_paexec.yml
@@ -0,0 +1,25 @@
+title: Renamed PAExec
+id: c4e49831-1496-40cf-8ce1-b53f942b02f9
+status: experimental
+description: Detects suspicious renamed PAExec execution as often used by attackers
+references:
+    - https://www.poweradmin.com/paexec/
+author: Florian Roth
+date: 2021/05/22
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Description: 'PAExec Application'
+    selection2:
+        OriginalFilename: 'PAExec.exe'
+    filter:
+        Image|endswith:
+            - '\PAexec.exe'
+            - '\paexec.exe'
+    condition: ( selection1 or selection2 ) and not filter
+falsepositives:
+    - Weird admins that rename their tools
+    - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
+level: high

From 9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 22 May 2021 15:28:50 +0200
Subject: [PATCH 189/254] Update win_susp_shell_spawn_from_winrm.yml

---
 .../process_access/win_susp_shell_spawn_from_winrm.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
index 57c00dc75..44e421b35 100644
--- a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
+++ b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
@@ -4,6 +4,7 @@ description: Detects suspicious shell spawn from WinRM host process
 status: experimental
 author: Andreas Hunkeler (@Karneades), Markus Neis
 date: 2021/05/20
+modified: 2021/05/22
 tags:
     - attack.t1190
     - attack.initial_access
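Review bot: `win_susp_renamed_paexec.yml` also lacks a `tags:` block; a renamed-binary rule belongs under `attack.defense_evasion` and `attack.t1036.003`, and without tags it is invisible to the `tag=` filter added earlier in this series. The `filter` lists `'\PAexec.exe'` and `'\paexec.exe'` as separate case variants, but Sigma string matching is case-insensitive, so a single entry covers both; if the duplicate is kept on purpose for a case-sensitive backend, a comment saying so will stop the next editor from collapsing it. The description could state that detection relies on the PE version resource (`Description` / `OriginalFilename`), so readers know which log fields the rule needs populated.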
@@ -25,5 +26,6 @@ detection:
         - '*\whoami.exe'
         - '*\bitsadmin.exe'
     condition: selection
-
-level: critical
+falsepositives:
+    - Legitimate WinRM usage
+level: high

From 4c281d117c66f03a162180c51a63f810589ebaad Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 22 May 2021 15:31:23 +0200
Subject: [PATCH 190/254] fix: bug in rule syntax

---
 .../win_susp_psexex_paexec_flags.yml | 3 +-
 .../win_susp_register_cimprovider.yml | 28 +++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/process_creation/win_susp_register_cimprovider.yml

diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
index b67c29505..404f2d7a3 100644
--- a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
+++ b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
@@ -17,7 +17,8 @@ detection:
             - '\\127.0.0.1'
             - ' -s '
             - 'cmd.exe'
-    selection_flags_2|contains|all: # Accepting EULA in commandline - often used in automated attacks
+    selection_flags_2:
+        CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
             - ' /accepteula '
             - 'cmd /c '
             - ' -u '
diff --git a/rules/windows/process_creation/win_susp_register_cimprovider.yml b/rules/windows/process_creation/win_susp_register_cimprovider.yml
new file mode 100644
index 000000000..5244e22ff
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_register_cimprovider.yml
@@ -0,0 +1,28 @@ +title: DLL Execution Via Register-cimprovider.exe +id: a2910908-e86f-4687-aeba-76a5f996e652 +status: experimental +description: Detects using register-cimprovider.exe to execute arbitrary dll file. +references: + - https://twitter.com/PhilipTsukerman/status/992021361106268161 + - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md +tags: + - attack.defense_evasion + - attack.t1574 +author: Ivan Dyachkov, Yulia Fomina, oscd.community +date: 2020/10/07 +logsource: + category: process_creation + product: windows + definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' +detection: + selection: + Image|endswith: '\register-cimprovider.exe' + CommandLine|contains|all: + - '-path' + - 'dll' + condition: selection +fields: + - CommandLine +falsepositives: + - Unknown +level: medium From 576e047e76c86ea2777e941640c0dc2fe88c892f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 22 May 2021 15:43:41 +0200 Subject: [PATCH 191/254] Delete win_susp_Register_cimprovider.yml --- .../win_susp_Register_cimprovider.yml | 28 ------------------- 1 file changed, 28 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_Register_cimprovider.yml diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml deleted file mode 100644 index 5244e22ff..000000000 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ /dev/null 
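Review bot: The second `contains|all` term `'dll'` has no leading dot, so any command line containing those three letters anywhere satisfies it, not only a `.dll` argument; `- '.dll'` is the tighter form and still matches the LOLBAS usage `Register-cimprovider -path "C:\folder\evil.dll"`. The `logsource.definition` string has typos (`msut Include` should read `must include`), which matters because that text is what analysts read to learn the rule needs command-line auditing. The tag `attack.t1574` (Hijack Execution Flow) also looks off for a signed-binary proxy-execution LOLBin, where `attack.t1218` is the usual choice, though that is a classification judgement rather than a defect.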
@@ -1,28 +0,0 @@
-title: DLL Execution Via Register-cimprovider.exe
-id: a2910908-e86f-4687-aeba-76a5f996e652
-status: experimental
-description: Detects using register-cimprovider.exe to execute arbitrary dll file.
-references:
- - https://twitter.com/PhilipTsukerman/status/992021361106268161
- - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md
-tags:
- - attack.defense_evasion
- - attack.t1574
-author: Ivan Dyachkov, Yulia Fomina, oscd.community
-date: 2020/10/07
-logsource:
- category: process_creation
- product: windows
- definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
-detection:
- selection:
- Image|endswith: '\register-cimprovider.exe'
- CommandLine|contains|all:
- - '-path'
- - 'dll'
- condition: selection
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: medium
From 02323043d71c5afa60383da238e437c0c64fbe20 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 22 May 2021 15:45:38 +0200
Subject: [PATCH 192/254] Create web_cve_2021_26814_wzuh_rce.yml
---
 rules/web/web_cve_2021_26814_wzuh_rce.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/web/web_cve_2021_26814_wzuh_rce.yml
diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml
new file mode 100644
index 000000000..672226f45
--- /dev/null
+++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml
@@ -0,0 +1,25 @@
+title: Exploitation of CVE-2021-26814 in Wazuh
+id: b9888738-29ed-4c54-96a4-f38c57b84bb3
+status: experimental
+description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
+author: Florian Roth
+date: 2021/05/22
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
+ - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/manager/files?path=etc/lists/../../../../..'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - None
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021-21978
\ No newline at end of file
From a1bddf51e72facada22d7349c2c3db3d2e9af5f4 Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 24 May 2021 10:31:28 +0200
Subject: [PATCH 193/254] fix typo of falsepositives
---
 rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index ec83f8866..85306e0ae 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
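Review bot: The CVE tag on the last line, `cve.2021-21978`, does not match the CVE the rule is named for and should be `- cve.2021-26814`; the current value points at an unrelated identifier and looks like a copy-paste remnant. The `c-uri|contains` literal also only matches the raw `../../../../..` form at exactly that depth, so depending on how the web server logs the URI a percent-encoded traversal or a different number of segments goes undetected; `c-uri|contains|all:` with `/manager/files?path=` and `../`, plus a sibling entry for the `%2e%2e%2f` form, would be more robust at some cost in precision. The MITRE reference URL passes `name=2021-26814` without the `CVE-` prefix; `cvename.cgi?name=CVE-2021-26814` is the canonical form.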
@@ -2,6 +2,7 @@ title: Suspicious DNS Z Flag Bit Set id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' date: 2021/05/04 +modified: 2021/05/24 references: - 'https://twitter.com/neu5ron/status/1346245602502443009' - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' @@ -43,7 +44,7 @@ detection: - '138' - '139' condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios) -falsepositive: +falsepositives: - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' level: medium From 1fcd0bf95105228da9a1fe42beb67d6c51aadad0 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 24 May 2021 10:34:56 +0200 Subject: [PATCH 194/254] fix typo of fields --- rules/windows/process_creation/win_regini.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml index 51ab7d7f9..3f1a340c1 100644 --- a/rules/windows/process_creation/win_regini.yml 
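Review bot: The condition visible in the context lines repeats the same selection, `(exclude_tlds OR exclude_tlds OR exclude_query_types ...)`, which is a no-op and almost certainly a typo for a second exclusion list that is therefore never applied; the `detection:` block with the selection names is outside this hunk, so check which name was intended (the falsepositives text about `.edu`/`.gov`/`.mil` hints at a second TLD list). The `falsepositives` key fix itself is correct and worthwhile, since the misspelled key silently dropped the entry from rule metadata.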
+++ b/rules/windows/process_creation/win_regini.yml @@ -11,6 +11,7 @@ tags: - attack.defense_evasion author: Eli Salem, Sander Wiebing, oscd.community date: 2020/10/08 +modified: 2021/05/24 logsource: category: process_creation product: windows @@ -20,7 +21,7 @@ detection: filter: CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule condition: selection and not filter -fieds: +fields: - ParentImage - CommandLine falsepositives: From afb3d63900e592a893e1fb8451649e5f1bb3b47e Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 24 May 2021 10:37:14 +0200 Subject: [PATCH 195/254] fix typo of fields --- rules/windows/process_creation/win_regini_ads.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml index f6a238593..9844421cd 100644 --- a/rules/windows/process_creation/win_regini_ads.yml +++ b/rules/windows/process_creation/win_regini_ads.yml @@ -11,6 +11,7 @@ tags: - attack.defense_evasion author: Eli Salem, Sander Wiebing, oscd.community date: 2020/10/12 +modified: 2021/05/24 logsource: category: process_creation product: windows @@ -19,7 +20,7 @@ detection: Image|endswith: '\regini.exe' CommandLine|re: ':[^ \\]' condition: selection -fieds: +fields: - ParentImage - CommandLine falsepositives: From 104a004b3dacd4a33c349d6b582b0e60cb77373f Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 24 May 2021 10:41:17 +0200 Subject: [PATCH 196/254] fix typo of tags --- ...smon_accessing_winapi_in_powershell_credentials_dumping.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index 96e861348..2d54d2b72 100644 --- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 
+++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -4,9 +4,10 @@ description: Detects Accessing to lsass.exe by Powershell status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 +modified: 2021/05/24 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -tag: +tags: - attack.credential_access - attack.t1003.001 logsource: From 3717c68bb7b4a1be1e3b43fc897481856bf1a008 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 24 May 2021 10:45:58 +0200 Subject: [PATCH 197/254] fix typo of level --- rules/windows/registry_event/sysmon_susp_atbroker_change.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml index 9f36c3763..55850ba37 100644 --- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml +++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml @@ -6,6 +6,7 @@ references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml date: 2020/10/13 +modified: 2021/05/24 tags: - attack.defense_evasion - attack.t1218 @@ -22,4 +23,4 @@ detection: condition: creation or persistance falsepositives: - Creation of non-default, legitimate AT. -level: High +level: high From 38552e98cf850ee52ff77a03033ba30c81413fc7 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Tue, 25 May 2021 15:47:34 +0200 Subject: [PATCH 198/254] Adding some pipes --- rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 958bb676a..32d6de754 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml 
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml @@ -17,13 +17,15 @@ logsource: category: pipe_created definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17)' detection: - selection_start: + selection_MSSE_start: PipeName|startswith: '\MSSE-' - selection_end: + selection_MSSE_end: PipeName|endswith: '-server' - selection_others: + selection_postex: + PipeName|startswith: '\postex_' + selection_msagent: PipeName|startswith: '\msagent_' - condition: selection_start and selection_end + condition: selection_MSSE_start and selection_MSSE_end or selection_postex or selection_msagent falsepositives: - Unknown level: critical From cc9ac2ddcf18ca94bf90d96fc0400cc15fad0995 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 25 May 2021 21:04:32 +0545 Subject: [PATCH 199/254] Added rule for PowerView's malicious cmdlets --- ...rshell_powerview_malicious_commandlets.yml | 98 +++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 rules/windows/powershell/powershell_powerview_malicious_commandlets.yml diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml new file mode 100644 index 000000000..b2a3162fe --- /dev/null +++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml 
@@ -0,0 +1,98 @@ +title: Malicious PowerView PowerShell Commandlets +id: dcd74b95-3f36-4ed9-9598-0490951643aa +status: experimental +description: Detects Commandlet names from PowerView of PowerSploit exploitation framework +date: 2021/05/18 +references: + - https://powersploit.readthedocs.io/en/stable/Recon/README + - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon + - https://thedfirreport.com/2020/10/08/ryuks-return +tags: + - attack.execution + - attack.t1059.001 +author: Bhabesh Raj +logsource: + product: windows + service: powershell + definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277 +detection: + selection: + EventID: 4104 + ScriptBlockText: + - Export-PowerViewCSV + - Resolve-IPAddress + - ConvertTo-SID + - Convert-ADName + - ConvertFrom-UACValue + - Add-RemoteConnection + - Remove-RemoteConnection + - Invoke-UserImpersonation + - Invoke-RevertToSelf + - Get-DomainSPNTicket + - Invoke-Kerberoast + - Get-PathAcl + - Get-DomainDNSZone + - Get-DomainDNSRecord + - Get-Domain + - Get-DomainController + - Get-Forest + - Get-ForestDomain + - Get-ForestGlobalCatalog + - Find-DomainObjectPropertyOutlier- + - Get-DomainUser + - New-DomainUser + - Set-DomainUserPassword + - Get-DomainUserEvent + - Get-DomainComputer + - Get-DomainObject + - Set-DomainObject + - Get-DomainObjectAcl + - Add-DomainObjectAcl + - Find-InterestingDomainAcl + - Get-DomainOU + - Get-DomainSite + - Get-DomainSubnet + - Get-DomainSID + - Get-DomainGroup + - New-DomainGroup + - Get-DomainManagedSecurityGroup + - Get-DomainGroupMember + - Add-DomainGroupMember + - Get-DomainFileServer + - Get-DomainDFSShare + - Get-DomainGPO + - Get-DomainGPOLocalGroup + - Get-DomainGPOUserLocalGroupMapping + - Get-DomainGPOComputerLocalGroupMapping + - Get-DomainPolicy + - Get-NetLocalGroup + - Get-NetLocalGroupMember + - Get-NetShare + - Get-NetLoggedon + - Get-NetSession + - Get-RegLoggedOn + - Get-NetRDPSession + - 
Test-AdminAccess + - Get-NetComputerSiteName + - Get-WMIRegProxy + - Get-WMIRegLastLoggedOn + - Get-WMIRegCachedRDPConnection + - Get-WMIRegMountedDrive + - Get-WMIProcess + - Find-InterestingFile + - Find-DomainUserLocation + - Find-DomainProcess + - Find-DomainUserEvent + - Find-DomainShare + - Find-InterestingDomainShareFile + - Find-LocalAdminAccess + - Find-DomainLocalGroupMember + - Get-DomainTrust + - Get-ForestTrust + - Get-DomainForeignUser + - Get-DomainForeignGroupMember + - Get-DomainTrustMapping + condition: selection +falsepositives: + - Should not be any as administrators do not use this tool +level: high From f1a0308e730c1cd9c9cb66aec5a35b541ee8aeb7 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Tue, 25 May 2021 21:07:23 +0200 Subject: [PATCH 200/254] Add one more pipe, references etc. --- .../windows/pipe_created/sysmon_mal_cobaltstrike.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 32d6de754..f07798711 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml @@ -6,8 +6,9 @@ references: - https://twitter.com/d4rksystem/status/1357010969264873472 - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/ - https://github.com/Neo23x0/sigma/issues/253 -date: 2021/04/23 -author: Florian Roth + - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/ +date: 2021/05/25 +author: Florian Roth, Wojciech Lesicki tags: - attack.defense_evasion - attack.privilege_escalation 
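Review bot: The `ScriptBlockText:` list uses plain values, and in Sigma a plain string without wildcards is an exact whole-field match, so a script block would have to consist of nothing but `Get-DomainUser` for this rule to fire; it should be `ScriptBlockText|contains:` (or each entry written as `'*Get-DomainUser*'`). `Find-DomainObjectPropertyOutlier-` carries a stray trailing hyphen and will never match even once `contains` is in place. With `contains`, short entries such as `Get-Domain` and `Get-Forest` subsume the longer ones, which is harmless but worth knowing when tuning. The falsepositives entry is optimistic: legitimate import of PowerView for AD inventory is not unheard of, and with `contains` the rule also catches any script that merely mentions these names, so `- Legitimate administrative use of PowerView` is the honest entry.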
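Review bot: The hunk replaces the original `date: 2021/04/23` with `date: 2021/05/25`, which rewrites the rule's creation date instead of recording the change; the convention used throughout this series is to keep `date:` and add `modified: 2021/05/25`. The added pipe-fitting reference and the co-author credit are fine as they stand.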
@@ -15,7 +16,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17)' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' detection: selection_MSSE_start: PipeName|startswith: '\MSSE-' @@ -23,9 +24,11 @@ detection: PipeName|endswith: '-server' selection_postex: PipeName|startswith: '\postex_' + selection_postex_ssh: + PipeName|startswith: '\postex_ssh_' selection_msagent: PipeName|startswith: '\msagent_' - condition: selection_MSSE_start and selection_MSSE_end or selection_postex or selection_msagent + condition: selection_MSSE_start and selection_MSSE_end or selection_postex or or selection_postex_ssh or selection_msagent falsepositives: - Unknown level: critical From 8b707bc94821879f9aee2f16a59acae86f975578 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Tue, 25 May 2021 21:58:22 +0200 Subject: [PATCH 201/254] Added also \status_ pipe. --- rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index f07798711..5ce5b4f3d 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml 
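Review bot: The new condition line contains `selection_postex or or selection_postex_ssh`, a doubled `or` that the Sigma condition parser rejects, so the rule as committed fails to convert. The `\postex_ssh_` prefix is also fully covered by the existing `\postex_` startswith selection, so the extra selection adds no detections; if it is kept for readability, a short comment saying so prevents someone from "deduplicating" it the wrong way round. The definition update (Event ID 17 and 18, and the note that the SwiftOnSecurity config does not enable them) is a useful addition.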
@@ -26,9 +26,11 @@ detection: PipeName|startswith: '\postex_' selection_postex_ssh: PipeName|startswith: '\postex_ssh_' + selection_status: + PipeName|startswith: '\status_' selection_msagent: PipeName|startswith: '\msagent_' - condition: selection_MSSE_start and selection_MSSE_end or selection_postex or or selection_postex_ssh or selection_msagent + condition: selection_MSSE_start and selection_MSSE_end or selection_postex or selection_postex_ssh or selection_status or selection_msagent falsepositives: - Unknown level: critical From d06f2bcf1465527a61fac6c9dc421f9980af329f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 26 May 2021 15:42:16 +0200 Subject: [PATCH 202/254] fix: sysmon backend "startswith" --- tools/sigma/backends/sysmon.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 66832d576..963021815 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py @@ -20,6 +20,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): conditionDict = { "startswith": "begin with", "endswith": "end with", + "all": "contains all" } def __init__(self, *args, **kwargs): @@ -78,14 +79,19 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): def mapFiledValue(self, field, value): condition = None + any_selector = "contains any" if "|" in field: field, *pipes = field.split("|") if len(pipes) == 1: - condition = pipes[0] + modifier = pipes[0] + if modifier in self.conditionDict: + condition = self.conditionDict[modifier] + if modifier == "all": + any_selector = "contains all" else: raise NotImplementedError("not implemented condition") if isinstance(value, list) and len(value) > 1: - condition = "contains any" + condition = any_selector value = ";".join(value) elif "*" in value: if value.startswith("*") and value.endswith("*"): From c1cebe627af9d443b9e655d8e647eb4787f9bb1e Mon Sep 17 00:00:00 2001 
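Review bot: `\status_` is a short, generic prefix compared with the other Cobalt Strike defaults in this rule, and at `level: critical` a single match will page someone; I cannot verify from the hunk which legitimate software creates pipes beginning with that string, so baseline it on a few hosts before shipping and record where the default comes from in `references`. `\postex_ssh_` remains subsumed by the `\postex_` startswith selection above it, so one of the two selections is dead weight.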
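Review bot: In `mapFiledValue`, a field with two modifiers such as `PipeName|contains|all` (the form this repository's rules use, including the Cobalt Strike pipe rule reworked two commits later) still falls into the `else: raise NotImplementedError` branch because only `len(pipes) == 1` is handled; the new `"all"` entry in `conditionDict` is therefore reachable only as a bare `field|all`, which is not valid Sigma. The same change regresses plain `field|contains`: `contains` is not in `conditionDict`, so `condition` now stays `None` where it was previously set to the raw modifier name, and the single-value path below will emit whatever the `None` default produces (presumably an exact match) instead of a `contains` condition. Iterating over every modifier and accepting `contains` explicitly fixes both; the wildcard handling at the end of the method is unchanged and partly outside this hunk.
```python
        if "|" in field:
            field, *pipes = field.split("|")
            for modifier in pipes:
                if modifier == "all":
                    any_selector = "contains all"
                elif modifier == "contains":
                    condition = "contains"
                elif modifier in self.conditionDict:
                    condition = self.conditionDict[modifier]
                else:
                    raise NotImplementedError("not implemented condition")
        # … unchanged: list / wildcard handling of value …
```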
From: Florian Roth Date: Wed, 26 May 2021 17:22:34 +0200 Subject: [PATCH 203/254] refactor: reworked CS pipe rule --- rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 5ce5b4f3d..3075d846d 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml @@ -18,10 +18,10 @@ logsource: category: pipe_created definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' detection: - selection_MSSE_start: - PipeName|startswith: '\MSSE-' - selection_MSSE_end: - PipeName|endswith: '-server' + selection_MSSE: + PipeName|contains|all: + - '\MSSE-' + - '-server' selection_postex: PipeName|startswith: '\postex_' selection_postex_ssh: @@ -30,7 +30,7 @@ detection: PipeName|startswith: '\status_' selection_msagent: PipeName|startswith: '\msagent_' - condition: selection_MSSE_start and selection_MSSE_end or selection_postex or selection_postex_ssh or selection_status or selection_msagent + condition: 1 of them falsepositives: - Unknown level: critical From a5fe7af25f6103dc6197b0544bfc327539a1148f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 26 May 2021 18:05:38 +0200 Subject: [PATCH 204/254] Cobalt Strike Service Installation --- .../win_cobaltstrike_service_installs.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/builtin/win_cobaltstrike_service_installs.yml diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml new file mode 100644 index 000000000..986a9f230 --- /dev/null 
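Review bot: `PipeName|contains|all` is exactly the two-modifier form that the `sysmon.py` backend change two commits earlier still rejects (only `len(pipes) == 1` is handled, anything else raises `NotImplementedError`), so this rule cannot be converted by that backend as the series stands; either keep the `startswith`/`endswith` pair or fix the backend first. Moving the MSSE pair from `startswith`/`endswith` to `contains|all` also drops the positional anchoring, a small silent broadening that is probably harmless for pipe names but should be a conscious choice. `selection_postex_ssh` is still subsumed by `selection_postex`, so `1 of them` works but carries a dead selection.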
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -0,0 +1,25 @@ +title: CobaltStrike Service Installations +id: 5a105d34-05fc-401e-8553-272b45c1522d +description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges +author: Florian Roth +references: + - https://www.sans.org/webcasts/119395 +date: 2021/05/26 +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1543.003 + - attack.t1569.002 +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ImagePath|contains|all: + - '\\127.0.0.1\ADMIN$' + - '.exe' + condition: selection +falsepositives: + - Unknown +level: critical From 788ebbafdcffbcd938bc9e0b03c582fd56edf767 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:20:29 +0200 Subject: [PATCH 205/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- .../win_invoke_obfuscation_clip+_services.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml index a52ce3881..b33bf0cb8 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 +modified: 2020/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: 
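Review bot: The new rule has no `status:` key, unlike every sibling rule in this series, so tooling that gates on that field will not treat it as experimental; add `status: experimental` after `id:`. The second `contains|all` term `'.exe'` adds almost no selectivity next to the `\\127.0.0.1\ADMIN$` path and would drop a service whose binary path has a different extension or is quoted oddly; consider leaving the loopback ADMIN$ share as the single indicator. Whether `\\127.0.0.1\ADMIN$` needs doubled backslashes under Sigma's escaping rules depends on the backend; the PsExec flags rule earlier in this series spells it the same way, so at least the two are consistent.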
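Review bot: The added line `modified: 2020/05/27` predates the rule's own `date: 2020/10/13`; the sibling commits in this series use `modified: 2021/05/27`, which is clearly what was meant. Worth fixing, since some consumers sort or diff rule sets by this field.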
@@ -18,22 +19,25 @@ level: high detection: selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From f0d1c9aa7dd89cad114c83a89cbb2c85e0db9939 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:26:08 +0200 Subject: [PATCH 206/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- ...win_invoke_obfuscation_stdin+_services.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml index b11a25f94..3e8313bf7 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) tags: 
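Review bot: The `driver_load` document now supplies `EventID: 6`, but the shared `selection` regex is on `ImagePath`, and the Sysmon DriverLoad event (ID 6) exposes the loaded path as `ImageLoaded`, not `ImagePath`; unless the backend field mapping covers this, that document can never match, and the same question applies to security 4697, whose field is `ServiceFileName`. Either map the field per logsource or drop the `driver_load` section rather than leaving a document that silently matches nothing. Making `condition: selection and selection_eventid` depend on a name defined only in the per-logsource documents is the intended multi-document trick, but a comment above the condition, `# selection_eventid is defined in each logsource document below`, would save the next reader a trip.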
@@ -18,22 +19,25 @@ level: high detection: selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From 417da3ac9581289203f779f243c14ebcd44c8c9b Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:28:06 +0200 Subject: [PATCH 207/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- .../win_invoke_obfuscation_var+_services.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index 0e1bca20f..d598d7f7e 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: 
@@ -18,22 +19,25 @@ level: high detection: selection: - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4697 + selection_eventid: + EventID: 4697 From ce53a5a67bf73b9819272fabb2a2adc098e3f4d1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:30:00 +0200 Subject: [PATCH 208/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- ...voke_obfuscation_via_compress_services.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index 17f200b4a..9664661b0 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: 
@@ -18,22 +19,25 @@ level: medium detection: selection: - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From 8d8df10687061948027eac7b41459de78abebaae Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:31:57 +0200 Subject: [PATCH 209/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- ...invoke_obfuscation_via_rundll_services.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index 4ec340f8d..fcf7920ee 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: 
@@ -18,22 +19,25 @@ level: medium detection: selection: - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From cbce61bc8cb428a8dd3593576aee2a5e8ad8cda6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:34:46 +0200 Subject: [PATCH 210/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- ..._invoke_obfuscation_via_stdin_services.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index 0484fbf5a..df37801a0 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/12 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: 
@@ -18,22 +19,25 @@ level: high detection: selection: - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From a878f3b0a5d415d72ba532eb081b4eb8755c749a Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:36:47 +0200 Subject: [PATCH 211/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- ...voke_obfuscation_via_use_clip_services.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index 565d62e2c..2bb42aec1 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: 
@@ -18,22 +19,25 @@ level: high detection: selection: - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From e4c32c353a97a66eddbacdc7c60fe036de8c0984 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:39:16 +0200 Subject: [PATCH 212/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- ...oke_obfuscation_via_use_mshta_services.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index 59ad9fee2..9ba4f8960 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: 
@@ -18,22 +19,25 @@ level: high detection: selection: - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From 30cc64a34944f09b2a0c2343ee84fdb52cfa7a22 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:41:19 +0200 Subject: [PATCH 213/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- ..._obfuscation_via_use_rundll32_services.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 2dcde1d54..84bf36fd0 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 +modified: 2021/05/27 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) tags: 
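Review bot: The global condition `selection and selection_eventid` now requires every following logsource document to define `selection_eventid`, which is a non-obvious coupling: a future document that omits it will fail to compile (or worse, silently match nothing on a lenient backend) with no hint in the global block. A one-line comment where the condition is set makes the contract explicit: `condition: selection and selection_eventid  # every logsource document below must define selection_eventid`. As with the sibling rules, the driver_load document with `EventID: 6` matches on `ImagePath`, a field Sysmon event 6 does not carry (it uses `ImageLoaded`), so that document is likely dead unless a field mapping exists — confirm with your config. The global document and its `action:` header are above this hunk.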
@@ -18,22 +19,25 @@ level: high detection: selection: - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From 2a687009916966ac16cfc9ec7a1a5087610ed254 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:43:08 +0200 Subject: [PATCH 214/254] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation --- ..._invoke_obfuscation_via_var++_services.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml index 42ea9004f..aaa51e80b 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml @@ -18,22 +18,25 @@ level: high detection: selection: - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r - condition: selection + condition: selection and selection_eventid --- logsource: product: windows service: system detection: - selection: + selection_eventid: EventID: 7045 --- logsource: product: windows category: driver_load +detection: + selection_eventid: + EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 From b5352ac5f7af8135e7bdda4981aa73c1a732993f Mon Sep 17 00:00:00 2001 
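Review bot: The var++ hunk (`@@ -18,22 +18,25 @@`) is the only one of the four that does not add a `modified:` line — its header shows no line-count shift above the detection block, while the stdin/clip/mshta/rundll32 rules each got `+modified: 2021/05/27`. Add `modified: 2021/05/27` to win_invoke_obfuscation_via_var++_services.yml so the rule metadata reflects the restructure. The rundll32 hunk shares the same caveat as its siblings: the driver_load document with `EventID: 6` tests `ImagePath`, which Sysmon event 6 does not expose (`ImageLoaded`), so it is likely inert without a field mapping. Both rules' global documents start above their hunks.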
From: Florian Roth Date: Thu, 27 May 2021 10:29:21 +0200 Subject: [PATCH 215/254] fix: duplicate UUIDs --- rules/linux/macos_change_file_time_attr.yml | 2 +- rules/linux/macos_find_cred_in_files.yml | 2 +- rules/linux/macos_remote_system_discovery.yml | 2 +- .../powershell/powershell_invoke_obfuscation_via_var++.yml | 2 +- rules/windows/process_creation/process_creation_msdeploy.yml | 2 +- .../windows/process_creation/sysmon_proxy_execution_wuauclt.yml | 2 +- .../process_creation/sysmon_susp_webdav_client_execution.yml | 2 +- .../process_creation/win_invoke_obfuscation_via_var++.yml | 2 +- .../registry_event/sysmon_wdigest_enable_uselogoncredential.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml index f30750331..f4a0ca2d7 100644 --- a/rules/linux/macos_change_file_time_attr.yml +++ b/rules/linux/macos_change_file_time_attr.yml @@ -1,5 +1,5 @@ title: 'File Time Attribute Change' -id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b +id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0 status: experimental description: 'Detect file time attribute change to hide new or changes to existing files.' # For this rule to work you must enable audit of process execution in OpenBSM, see diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml index 2f47f1034..a0b2a0cbd 100644 --- a/rules/linux/macos_find_cred_in_files.yml +++ b/rules/linux/macos_find_cred_in_files.yml @@ -1,5 +1,5 @@ title: 'Credentials In Files' -id: df3fcaea-2715-4214-99c5-0056ea59eb35 +id: 53b1b378-9b06-4992-b972-dde6e423d2b4 status: experimental description: 'Detecting attempts to extract passwords with grep and laZagne' # For this rule to work you must enable audit of process execution in OpenBSM, see diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml index a7a1fdf22..fd5867314 100644 
--- a/rules/linux/macos_remote_system_discovery.yml +++ b/rules/linux/macos_remote_system_discovery.yml @@ -1,5 +1,5 @@ title: Macos Remote System Discovery -id: 11063ec2-de63-4153-935e-b1a8b9e616f1 +id: 10227522-8429-47e6-a301-f2b2d014e7ad status: experimental description: Detects the enumeration of other remote systems. author: Alejandro Ortuno, oscd.community diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index ac20a73c2..6d19dc2e1 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml @@ -1,5 +1,5 @@ title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 +id: e54f5149-6ba3-49cf-b153-070d24679126 description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml index 6fabd7686..08b586762 100644 --- a/rules/windows/process_creation/process_creation_msdeploy.yml +++ b/rules/windows/process_creation/process_creation_msdeploy.yml @@ -1,6 +1,6 @@ title: Execute Files with Msdeploy.exe status: experimental -id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 +id: 646bc99f-6682-4b47-a73a-17b1b64c9d34 author: Beyu Denis, oscd.community date: 2020/10/18 description: Detects file execution using the msdeploy.exe lolbin diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml index 3feffbd61..439e99a78 100644 --- a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml +++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml 
@@ -1,5 +1,5 @@ title: Proxy Execution via Wuauclt -id: c649a6c7-cd8c-4a78-9c04-000fc76df954 +id: af77cf95-c469-471c-b6a0-946c685c4798 description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. status: experimental date: 2020/10/12 diff --git a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml index 300599791..6e66c04a3 100644 --- a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml +++ b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml @@ -1,5 +1,5 @@ title: Suspicious WebDav Client Execution -id: 40f9af16-589d-4984-b78d-8c2aec023197 +id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). status: experimental date: 2020/05/02 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml index caeadc4e8..dd02c69ae 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml @@ -1,5 +1,5 @@ title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 +id: e9f55347-2928-4c06-88e5-1a7f8169942e description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community diff --git a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml index 9b67116f1..875bbbeb4 100644 --- a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml 
+++ b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml @@ -1,5 +1,5 @@ title: Wdigest Enable UseLogonCredential -id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd +id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials status: experimental date: 2019/09/12 From 7812a4217cd31f082493d4caa5a39c5ed6f0e32f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 27 May 2021 11:36:05 +0200 Subject: [PATCH 216/254] rule: regedit as trustedinstaller --- .../win_susp_regedit_trustedinstaller.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml new file mode 100644 index 000000000..6b4964525 --- /dev/null +++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml @@ -0,0 +1,18 @@ +title: Regedit as Trusted Installer +id: 883835a7-df45-43e4-bf1d-4268768afda4 +description: Detects a regedit started with TrustedInstaller privileges +references: + - https://twitter.com/1kwpeter/status/1397816101455765504 +author: Florian Roth +date: 2018/05/27 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\regedit.exe' + ParentImage|endswith: '\TrustedInstaller.exe' + condition: selection +falsepositives: + - Unlikely +level: high From c0b93a010ce2f0816c5eba1567ab0d06e754af46 Mon Sep 17 00:00:00 2001 
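Review bot: The replacement id `2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5` written into sysmon_wdigest_enable_uselogoncredential.yml is the exact UUID this same commit assigns to sysmon_susp_webdav_client_execution.yml, so the "fix: duplicate UUIDs" commit trades one collision for another. Any consumer that keys rules by id (the es-rule backend keeps a `uuid_black_list`, and SIEMs index on the id) will drop or overwrite one of the two. Generate a fresh UUID for the wdigest rule, e.g. `id: d6a9b252-c666-4de6-8806-5561bbbd3bdc`, and add a `modified:` date since the file changed.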
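Review bot: The new regedit rule has no `status:` and no `tags:`, so it will not be picked up by consumers that filter on status and it carries no ATT&CK mapping for triage. Add `status: experimental` and a tag block — `attack.privilege_escalation` looks right and `attack.t1134` (access token manipulation) is the closest technique, but confirm before committing. Detection keys purely on `ParentImage` ending in `\TrustedInstaller.exe`; regedit started with a stolen TrustedInstaller token by some other parent, or any binary other than regedit, will not match, which is worth stating in the description or a comment so the narrow scope is deliberate rather than assumed.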
From: Florian Roth Date: Thu, 27 May 2021 12:49:40 +0200 Subject: [PATCH 217/254] NCCGroup rules from rclone blog post https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ --- rules/windows/dns_query/dns_mega_nz.yml | 22 ++++++++++++ .../file_event/win_rclone_exec_file.yml | 23 ++++++++++++ .../process_creation/win_susp_rclone_exec.yml | 35 +++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 rules/windows/dns_query/dns_mega_nz.yml create mode 100644 rules/windows/file_event/win_rclone_exec_file.yml create mode 100644 rules/windows/process_creation/win_susp_rclone_exec.yml diff --git a/rules/windows/dns_query/dns_mega_nz.yml b/rules/windows/dns_query/dns_mega_nz.yml new file mode 100644 index 000000000..dee549f28 --- /dev/null +++ b/rules/windows/dns_query/dns_mega_nz.yml @@ -0,0 +1,22 @@ +title: DNS Query for MEGA.io Upload Domain +id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 +description: Detects DNS queries for subdomains used for upload to MEGA.io +status: experimental +date: 2021/05/26 +author: Aaron Greetham (@beardofbinary) - NCC Group +references: + - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ +tags: + - attack.exfiltration + - attack.t1567.002 +falsepositives: + - Legitimate Mega upload +level: high +logsource: + product: windows + category: dns_query +detection: + dns_request: + EventID: 22 + QueryName|contains: userstorage.mega.co.nz + condition: dns_request \ No newline at end of file diff --git a/rules/windows/file_event/win_rclone_exec_file.yml b/rules/windows/file_event/win_rclone_exec_file.yml new file mode 100644 index 000000000..d20127ca9 --- /dev/null +++ b/rules/windows/file_event/win_rclone_exec_file.yml 
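Review bot: `dns_request` hard-codes `EventID: 22` inside a `category: dns_query` logsource, which pins the rule to Sysmon even though the category is exactly what lets the config map to whatever DNS telemetry the site has (Sysmon 22, DNS client ETW, EDR) — on any other mapping the extra field silently prevents a match. Dropping the line leaves `QueryName|contains: userstorage.mega.co.nz` as the whole selection, which is what the logsource already scopes. `contains` will also match any host that merely embeds that string, so if an exact zone match is intended use `QueryName|endswith: '.userstorage.mega.co.nz'` (adjust if the file's other rules use a different idiom). The file also lacks a trailing newline.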
@@ -0,0 +1,23 @@ +title: Rclone config file creation +id: 34986307-b7f4-49be-92f3-e7a4d01ac5db +description: Detects Rclone config file being created +status: experimental +date: 2021/05/26 +author: Aaron Greetham (@beardofbinary) - NCC Group +references: + - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ +tags: + - attack.exfiltration + - attack.t1567.002 +falsepositives: + - Legitimate Rclone usage (rare) +level: high +logsource: + product: windows + category: file_event +detection: + file_selection: + EventID: 11 + TargetFilename: + - 'C:\Users\*\.config\rclone\*' + condition: file_selection \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_rclone_exec.yml b/rules/windows/process_creation/win_susp_rclone_exec.yml new file mode 100644 index 000000000..e4dc02a8c --- /dev/null +++ b/rules/windows/process_creation/win_susp_rclone_exec.yml @@ -0,0 +1,35 @@ +title: Rclone Execution via Command Line or PowerShell +id: cb7286ba-f207-44ab-b9e6-760d82b84253 +description: Detects Rclone which is commonly used by ransomware groups for exfiltration +status: experimental +date: 2021/05/26 +author: Aaron Greetham (@beardofbinary) - NCC Group +references: + - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ +tags: + - attack.exfiltration + - attack.t1567.002 +falsepositives: + - Legitimate Rclone usage (rare) +level: high +logsource: + product: windows + category: process_creation +detection: + exec_selection: + Image|endswith: '\rclone.exe' + ParentImage|endswith: + - '\PowerShell.exe' + - '\cmd.exe' + command_selection: + CommandLine|contains: + - ' pass ' + - ' user ' + - ' copy ' + - ' mega ' + - ' sync ' + - ' config ' + - ' lsd ' + - ' remote ' + - ' ls ' + condition: exec_selection and 1 of command_selection \ No newline at end of file From 3cd2730a264919c88d1e34eb369fc5b86abeec74 Mon Sep 17 00:00:00 2001 
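Review bot: The config-file rule only watches `C:\Users\*\.config\rclone\*`, but recent rclone builds on Windows default to `%APPDATA%\rclone\rclone.conf` (i.e. `\AppData\Roaming\rclone\`), and `--config` lets the operator put the file anywhere, so a stock install on a current version can be missed — confirm the default against the rclone version range you care about. A `contains` match on the directory fragment is also more robust than a drive-rooted glob: `TargetFilename|contains: ['\.config\rclone\', '\AppData\Roaming\rclone\']` — and catches profiles that are not under `C:\Users`. As with the DNS rule, `EventID: 11` inside `category: file_event` ties the rule to Sysmon and is redundant with the category mapping; drop it. The file has no trailing newline.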
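Review bot: `condition: exec_selection and 1 of command_selection` applies `1 of` to a single named selection rather than a wildcard group; it compiles on sigmac but is misleading and should read `condition: exec_selection and command_selection`. The space-padded substrings (`' ls '`, `' copy '`, …) require a trailing space, so a command line that ends with the verb (`rclone.exe ls`) or uses `copy` as the last token is missed; adding `|endswith` variants or dropping the trailing space would close that. The `Image|endswith: '\rclone.exe'` gate is defeated by renaming the binary, which the author's own reference post calls out — either accept that in falsepositives/description or pair the image check with a version-info field. The file also lacks a trailing newline.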
From: Florian Roth Date: Thu, 27 May 2021 12:49:54 +0200 Subject: [PATCH 218/254] rule: process hacker priv esc --- .../windows/builtin/win_susp_proceshacker.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/builtin/win_susp_proceshacker.yml diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml new file mode 100644 index 000000000..3807141bb --- /dev/null +++ b/rules/windows/builtin/win_susp_proceshacker.yml @@ -0,0 +1,23 @@ +title: ProcessHacker Privilege Elevation +id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9 +description: Detects a ProcessHacker tool that elevated privileges to a very high level +references: + - https://twitter.com/1kwpeter/status/1397816101455765504 +author: Florian Roth +date: 2018/05/27 +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1543.003 + - attack.t1569.002 +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName|startswith: 'ProcessHacker' + AccountName: 'LocalSystem' +falsepositives: + - Unlikely +level: high From 7ce7095c2ca3019ffaedd7916a7f485634fd39b8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 27 May 2021 15:01:32 +0200 Subject: [PATCH 219/254] fix: title with lower case letters --- rules/windows/file_event/win_rclone_exec_file.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_rclone_exec_file.yml b/rules/windows/file_event/win_rclone_exec_file.yml index d20127ca9..d812472ed 100644 --- a/rules/windows/file_event/win_rclone_exec_file.yml +++ b/rules/windows/file_event/win_rclone_exec_file.yml @@ -1,4 +1,4 @@ -title: Rclone config file creation +title: Rclone Config File Creation id: 34986307-b7f4-49be-92f3-e7a4d01ac5db description: Detects Rclone config file being created status: experimental From d5e8d1153f5bcf53f70428d9cbd3339083b23af3 Mon Sep 17 00:00:00 2001 
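Review bot: The new ProcessHacker rule has no `condition:` under `detection`, so sigmac will reject it outright; add `condition: selection` after the `AccountName` line. `status:` is also missing, and `date: 2018/05/27` predates the referenced tweet by three years — presumably `2021/05/27`. Beyond that, the match is entirely on `ServiceName|startswith: 'ProcessHacker'`; `AccountName: 'LocalSystem'` adds little since it is the default for most 7045 installs, while the service name is chosen by the tool and a rebuilt/renamed copy will not start with that string — consider also matching `ImagePath|contains: 'ProcessHacker'` if the observed installs carry it (confirm from the referenced sample).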
From: Florian Roth Date: Thu, 27 May 2021 15:04:13 +0200 Subject: [PATCH 220/254] fix: missing condition --- rules/windows/builtin/win_susp_proceshacker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml index 3807141bb..789b21068 100644 --- a/rules/windows/builtin/win_susp_proceshacker.yml +++ b/rules/windows/builtin/win_susp_proceshacker.yml @@ -18,6 +18,7 @@ detection: EventID: 7045 ServiceName|startswith: 'ProcessHacker' AccountName: 'LocalSystem' + condition: selection falsepositives: - Unlikely level: high From d1582944a7a79bd2a4387de271f5681ff97b3f6d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 27 May 2021 16:30:09 +0200 Subject: [PATCH 221/254] fix: dates in new rules --- rules/windows/builtin/win_susp_proceshacker.yml | 2 +- .../process_creation/win_susp_regedit_trustedinstaller.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml index 789b21068..e67638118 100644 --- a/rules/windows/builtin/win_susp_proceshacker.yml +++ b/rules/windows/builtin/win_susp_proceshacker.yml @@ -4,7 +4,7 @@ description: Detects a ProcessHacker tool that elevated privileges to a very hig references: - https://twitter.com/1kwpeter/status/1397816101455765504 author: Florian Roth -date: 2018/05/27 +date: 2021/05/27 tags: - attack.execution - attack.privilege_escalation diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml index 6b4964525..0d2367ab3 100644 --- a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml +++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml 
@@ -4,7 +4,7 @@ description: Detects a regedit started with TrustedInstaller privileges references: - https://twitter.com/1kwpeter/status/1397816101455765504 author: Florian Roth -date: 2018/05/27 +date: 2021/05/27 logsource: category: process_creation product: windows From 61f5e665697b8f2f4e0c13efe8638d7e990aded8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 27 May 2021 16:57:41 +0200 Subject: [PATCH 222/254] Update win_susp_regedit_trustedinstaller.yml --- .../process_creation/win_susp_regedit_trustedinstaller.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml index 0d2367ab3..f6dc13602 100644 --- a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml +++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml @@ -1,6 +1,6 @@ title: Regedit as Trusted Installer id: 883835a7-df45-43e4-bf1d-4268768afda4 -description: Detects a regedit started with TrustedInstaller privileges +description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe references: - https://twitter.com/1kwpeter/status/1397816101455765504 author: Florian Roth @@ -11,7 +11,9 @@ logsource: detection: selection: Image|endswith: '\regedit.exe' - ParentImage|endswith: '\TrustedInstaller.exe' + ParentImage|endswith: + - '\TrustedInstaller.exe' + - '\ProcessHacker.exe' condition: selection falsepositives: - Unlikely From f675ac36b128da903483103ae661322c18999c86 Mon Sep 17 00:00:00 2001 From: Jeff Beley Date: Thu, 27 May 2021 15:03:52 +0000 Subject: [PATCH 223/254] Modified win_susp_rclone_exec.yml to detect renamed rclone executables and rclone executed from inside of other programs (BEACON) --- .../windows/process_creation/win_susp_rclone_exec.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) 
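Review bot: Adding `\ProcessHacker.exe` as an accepted parent changes the rule's false-positive profile without updating `falsepositives: Unlikely` — Process Hacker has an ordinary "open key in regedit" action that spawns regedit from the GUI with no elevation at all, so this parent will fire on routine admin use of the tool, and the title "Regedit as Trusted Installer" no longer describes the second branch. If the intent is the TrustedInstaller-token path via Process Hacker, consider a separate `level: medium` entry or an additional constraint (e.g. the `User`/`IntegrityLevel` fields if your process_creation source provides them) and change the falsepositives line to something like `- Administrators launching regedit from Process Hacker`.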
diff --git a/rules/windows/process_creation/win_susp_rclone_exec.yml b/rules/windows/process_creation/win_susp_rclone_exec.yml index e4dc02a8c..2178a9c90 100644 --- a/rules/windows/process_creation/win_susp_rclone_exec.yml +++ b/rules/windows/process_creation/win_susp_rclone_exec.yml @@ -11,16 +11,11 @@ tags: - attack.t1567.002 falsepositives: - Legitimate Rclone usage (rare) -level: high +level: high logsource: product: windows category: process_creation detection: - exec_selection: - Image|endswith: '\rclone.exe' - ParentImage|endswith: - - '\PowerShell.exe' - - '\cmd.exe' command_selection: CommandLine|contains: - ' pass ' @@ -32,4 +27,6 @@ detection: - ' lsd ' - ' remote ' - ' ls ' - condition: exec_selection and 1 of command_selection \ No newline at end of file + description_selection: + Description: 'Rsync for cloud storage' + condition: 1 of command_selection and description_selection \ No newline at end of file From a4e6f58b16d05e277f5caeded2633167c3e90120 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 27 May 2021 17:49:10 +0200 Subject: [PATCH 224/254] rule: suspicious programs - no DLL in command line --- .../win_susp_procs_req_dlls.yml | 33 +++++++++++++++++++ .../win_susp_rundll32_no_params.yml | 27 +++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_procs_req_dlls.yml create mode 100644 rules/windows/process_creation/win_susp_rundll32_no_params.yml diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml new file mode 100644 index 000000000..955d6f6f6 --- /dev/null +++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml 
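Review bot: The rewrite replaces every image/parent check with `Description: 'Rsync for cloud storage'`, a string read from the PE version resource that Sysmon exposes but Windows Security 4688 does not, so on a 4688-backed `process_creation` source the rule now cannot match at all, and an operator who strips or edits version info evades it while the original `Image|endswith '\rclone.exe'` path no longer exists as a fallback. Keep both signals and OR them: `condition: command_selection and (description_selection or exec_selection)`. The `1 of command_selection` form is again applied to a single selection and should be plain `command_selection`. The `level: high` line appears to change only in trailing whitespace.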
@@ -0,0 +1,33 @@ +title: Suspicious Process Start Without DLL +id: f5647edc-a7bf-4737-ab50-ef8c60dc3add +description: Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity +status: experimental +references: + - https://twitter.com/CyberRaiju/status/1251492025678983169 + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 + - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool + - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback +author: Florian Roth +date: 2021/05/27 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|endswith: + - '\rundll32.exe' + - '\regsvcs.exe' + - '\regasm.exe' + - '\regsvr32.exe' + filter1: + ParentImage|contains: + - '\AppData\Local\Temp\' + - '\Microsoft\Edge\' + condition: selection and not filter1 +fields: + - ParentImage + - ParentCommandLine +falsepositives: + - Possible but rare +level: high diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml new file mode 100644 index 000000000..f9a961510 --- /dev/null +++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml 
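Review bot: `CommandLine|endswith` with values like `\rundll32.exe` will not match a quoted invocation, whose command line ends in `"` (`"C:\Windows\System32\rundll32.exe"`), so the common quoted-path launch — including the sacrificial-process form many tooling uses — slips past; add the quoted variants, e.g. `- '\rundll32.exe"'`, `- '\regsvr32.exe"'` (and likewise for regsvcs/regasm). The `filter1` exclusion on `ParentImage|contains '\AppData\Local\Temp\'` suppresses precisely the parent location droppers and user-writable malware run from, which is a large blind spot for a rule whose stated purpose is catching injection/hollowing; prefer enumerating the known benign installers seen in testing over a whole-directory carve-out. `status: experimental` is present but `tags:` is missing.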
@@ -0,0 +1,27 @@ +title: Suspicious Rundll32 Without Any CommandLine Params +id: 1775e15e-b61b-4d14-a1a3-80981298085a +description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity +status: experimental +references: + - https://www.cobaltstrike.com/help-opsec +author: Florian Roth +date: 2021/05/27 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|endswith: '\rundll32.exe' + filter1: + ParentImage|endswith: '\svchost.exe' + filter2: + ParentImage|contains: + - '\AppData\Local\Temp\' + - '\Microsoft\Edge\' + condition: selection and not filter1 and not filter2 +fields: + - ParentImage + - ParentCommandLine +falsepositives: + - Possible but rare +level: high From 431f34b985d546121bcc8cfa290f6b2fd76cdf2c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 27 May 2021 18:12:20 +0200 Subject: [PATCH 225/254] fix: other locations https://twitter.com/ber_m1ng/status/1397948048135778309 --- rules/windows/process_creation/win_susp_procs_req_dlls.yml | 2 +- rules/windows/process_creation/win_susp_rundll32_no_params.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml index 955d6f6f6..d52158f85 100644 --- a/rules/windows/process_creation/win_susp_procs_req_dlls.yml +++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml @@ -22,7 +22,7 @@ detection: - '\regsvr32.exe' filter1: ParentImage|contains: - - '\AppData\Local\Temp\' + - '\AppData\Local\' - '\Microsoft\Edge\' condition: selection and not filter1 fields: diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml index f9a961510..b45e3b4e0 100644 --- a/rules/windows/process_creation/win_susp_rundll32_no_params.yml +++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml 
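Review bot: `filter1` drops every rundll32 whose parent is `svchost.exe`, but a beacon injected into an svchost host process (a routine post-exploitation step) spawning its default `rundll32.exe` sacrificial process would be filtered by exactly that rule — hedged, since the filter is presumably there for scheduled-task and shell-extension noise, but the trade-off should be written down: `filter1:  # excludes svchost parents (tasks, shell ext); note: also hides rundll32 spawned by a beacon living in svchost`. The same quoted-path gap applies: `CommandLine|endswith: '\rundll32.exe'` misses `"…\rundll32.exe"`, so add the `'\rundll32.exe"'` variant. `tags:` is absent here too.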
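Review bot: Widening `filter1` from `\AppData\Local\Temp\` to `\AppData\Local\` now excludes any parent under the user's local profile — browsers, updaters, but equally every dropper staged in `AppData\Local\<anything>` — so the rule is blind to the most common user-mode malware location; the cited tweet points at more installer paths, but the fix should be narrower than the whole tree. Enumerate the observed benign parents instead, e.g. `ParentImage|contains: ['\AppData\Local\Temp\', '\AppData\Local\Microsoft\', '\Microsoft\Edge\']`, and note the remaining FP sources under `falsepositives`. Add `modified: 2021/05/27` since the logic changed.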
@@ -16,7 +16,7 @@ detection: ParentImage|endswith: '\svchost.exe' filter2: ParentImage|contains: - - '\AppData\Local\Temp\' + - '\AppData\Local\' - '\Microsoft\Edge\' condition: selection and not filter1 and not filter2 fields: From 39900bb7c5ddf85e4ccf97754500f3a67076188f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 27 May 2021 19:24:20 +0200 Subject: [PATCH 226/254] refactor: re-add exec seldction --- rules/windows/process_creation/win_susp_rclone_exec.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_rclone_exec.yml b/rules/windows/process_creation/win_susp_rclone_exec.yml index 2178a9c90..b6e35d7a2 100644 --- a/rules/windows/process_creation/win_susp_rclone_exec.yml +++ b/rules/windows/process_creation/win_susp_rclone_exec.yml @@ -16,6 +16,11 @@ logsource: product: windows category: process_creation detection: + exec_selection: + Image|endswith: '\rclone.exe' + ParentImage|endswith: + - '\PowerShell.exe' + - '\cmd.exe' command_selection: CommandLine|contains: - ' pass ' @@ -29,4 +34,4 @@ detection: - ' ls ' description_selection: Description: 'Rsync for cloud storage' - condition: 1 of command_selection and description_selection \ No newline at end of file + condition: command_selection and ( description_selection or exec_selection ) \ No newline at end of file From 179bfa7d5607328ec6dbb5db1c0b44dd53df8754 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 20:59:26 +0200 Subject: [PATCH 227/254] duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 - sysmon_susp_webdav_client_execution.yml - sysmon_wdigest_enable_uselogoncredential.yml --- .../sysmon_wdigest_enable_uselogoncredential.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml index 875bbbeb4..6a53796b6 100644 
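Review bot: The re-added `exec_selection` bundles `Image|endswith '\rclone.exe'` together with a `ParentImage` restriction to cmd/PowerShell, so a genuinely named rclone.exe launched by anything else (an installer, a scheduled task, a dropped launcher) only matches if its version-info `Description` is intact — the parent constraint is doing no detection work and only narrows the fallback. Split it: `image_selection:` / `  Image|endswith: '\rclone.exe'` and use `condition: command_selection and (description_selection or image_selection)`, keeping the parent check, if wanted, as a separate selection. The same `\AppData\Local\` widening in the rundll32_no_params hunk above carries the blind-spot concern already raised for its sibling rule.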
--- a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml +++ b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml @@ -1,8 +1,9 @@ title: Wdigest Enable UseLogonCredential -id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 +id: d6a9b252-c666-4de6-8806-5561bbbd3bdc description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials status: experimental date: 2019/09/12 +modified: 2021/05/27 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion From 9a0604029e9529d7da4808d0421ad013adfc1340 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 21:06:07 +0200 Subject: [PATCH 228/254] duplicate uuid 5a105d34-05fc-401e-8553-272b45c1522d - win_cobaltstrike_service_installs.yml - win_mal_service_installs.yml --- rules/windows/builtin/win_mal_service_installs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index 4bee531c4..5e9adf31e 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml @@ -1,9 +1,9 @@ title: Malicious Service Installations -id: 5a105d34-05fc-401e-8553-272b45c1522d +id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 -modified: 2019/11/01 +modified: 2021/05/27 tags: - attack.persistence - attack.privilege_escalation From b3a608599a133115cbdb41907c69aa9776a140d5 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Fri, 28 May 2021 10:51:08 +0200 Subject: [PATCH 229/254] Add some fun backend option for es-rule --- tools/sigma/backends/elasticsearch.py | 41 ++++++++++++++++++++++++++- tools/sigma/parser/collection.py | 8 +++++- tools/sigma/sigmac.py | 2 +- 3 files changed, 48 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index e0bcd369c..1fb4cfb37 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1223,7 +1223,13 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): identifier = "es-rule" active = True uuid_black_list = [] - + options = ElasticsearchQuerystringBackend.options + ( + ("put_filename_in_ref", False, "Want to have yml name in reference ?", None), + ("convert_to_url", False, "Want to convert to a URL ?", None), + ("path_to_replace", "../", "The local path to replace with dest_base_url", None), + ("dest_base_url", "https://github.com/SigmaHQ/sigma/tree/master/", "The URL prefix", None), + ("custom_tag", None , "Add a custom tag", None), + ) def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.tactics = self._load_mitre_file("tactics") 
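Review bot: The new `path_to_replace`/`dest_base_url` options are consumed by plain string replacement, so a user-supplied `dest_base_url` without a trailing slash (the default has one) yields `masterrules/windows/...`; normalise once in `__init__` with something like `self.dest_base_url = self.dest_base_url.rstrip('/') + '/'`, or document the trailing-slash requirement in the option help text. The `custom_tag` tuple has a stray space before the comma (`None ,`) and none of the four help strings say what value type is expected; `("custom_tag", None, "Tag appended to every generated rule (string)", None)` would match the surrounding style. `__init__` and the rest of the class are outside this hunk.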
@@ -1326,6 +1332,25 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): else: return "medium" + def build_ymlfile_ref(self, configs): + if self.put_filename_in_ref == False: # Dont want + return None + + yml_filename = configs.get("yml_filename") + yml_path = configs.get("yml_path") + if yml_filename == None or yml_path == None: + return None + + if self.convert_to_url: + yml_path = yml_path.replace('\\','/') #windows path to url + self.path_to_replace = self.path_to_replace.replace('\\','/') #windows path to url + if self.path_to_replace not in yml_path: #Error to change + return None + + new_ref = yml_path.replace(self.path_to_replace,self.dest_base_url) + '/' + yml_filename + else: + new_ref = yml_filename + return new_ref def create_rule(self, configs, index): tags = configs.get("tags", []) @@ -1358,6 +1383,10 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): if tact: new_tags.append(tag.title()) tactics_list.append(tact) + + if self.custom_tag: + new_tags.append(self.custom_tag) + threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list) rule_name = configs.get("title", "").lower() rule_uuid = configs.get("id", "").lower() @@ -1377,6 +1406,16 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): falsepositives.append(yml_falsepositives) else: falsepositives=yml_falsepositives + + add_ref_yml= self.build_ymlfile_ref(configs) + if add_ref_yml: + if references is None: # No ref + references=[] + if add_ref_yml in references: + pass # else put a duplicate ref for multi rule file + else: + references.append(add_ref_yml) + rule = { "description": configs.get("description", ""), "enabled": True, diff --git a/tools/sigma/parser/collection.py b/tools/sigma/parser/collection.py index 7de47cce7..57e205092 100644 --- a/tools/sigma/parser/collection.py +++ b/tools/sigma/parser/collection.py 
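Review bot: `build_ymlfile_ref` rewrites the path with `str.replace`, which substitutes every occurrence of `path_to_replace` anywhere in `yml_path` rather than stripping a prefix, so a path such as `../foo/../rules/windows` (or a `path_to_replace` that also appears as a directory name) produces a mangled URL that then lands in the rule's `references` unverified; it also mutates `self.path_to_replace` on every call and uses `== False` / `== None` where `not` / `is None` is idiomatic. A prefix check with slicing makes the intent explicit and side-effect free; if someone relied on mid-path replacement that is a behaviour change, so confirm. The reference-merging hunk further down can collapse its `if … in references: pass / else: append` into `if add_ref_yml not in references: references.append(add_ref_yml)`. The enclosing class continues beyond this hunk.
```python
    def build_ymlfile_ref(self, configs):
        """Return a reference for the rule's source YAML file, or None.

        Plain file name unless convert_to_url is set, in which case the leading
        path_to_replace prefix of the (slash-normalised) path is swapped for
        dest_base_url; None if the prefix is absent or no file info was passed.
        """
        if not self.put_filename_in_ref:
            return None
        yml_filename = configs.get("yml_filename")
        yml_path = configs.get("yml_path")
        if yml_filename is None or yml_path is None:
            return None
        if not self.convert_to_url:
            return yml_filename
        yml_path = yml_path.replace('\\', '/')          # windows path to url
        prefix = self.path_to_replace.replace('\\', '/')
        if not yml_path.startswith(prefix):
            return None
        return self.dest_base_url + yml_path[len(prefix):] + '/' + yml_filename
```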
@@ -28,7 +28,7 @@ class SigmaCollectionParser: * reset: resets global attributes from previous set_global statements * repeat: takes attributes from this YAML document, merges into previous rule YAML and regenerates the rule """ - def __init__(self, content, config=None, rulefilter=None): + def __init__(self, content, config=None, rulefilter=None, filename=None): if config is None: from sigma.configuration import SigmaConfiguration config = SigmaConfiguration() @@ -36,6 +36,9 @@ class SigmaCollectionParser: globalyaml = dict() self.parsers = list() prevrule = None + if filename: + globalyaml['yml_filename']=str(filename.name) + globalyaml['yml_path']=str(filename.parent) for yamldoc in self.yamls: action = None try: @@ -48,6 +51,9 @@ class SigmaCollectionParser: deep_update_dict(globalyaml, yamldoc) elif action == "reset": globalyaml = dict() + if filename: + globalyaml['yml_filename']=str(filename.name) + globalyaml['yml_path']=str(filename.parent) elif action == "repeat": if prevrule is None: raise SigmaCollectionParseError("action 'repeat' is only applicable after first valid Sigma rule") diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index af5a1147d..5d50a3733 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -233,7 +233,7 @@ def main(): f = sigmafile else: f = sigmafile.open(encoding='utf-8') - parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter) + parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile) results = parser.generate(backend) newline_separator = '\0' if cmdargs.print0 else '\n' From 7ec513f1d0f6f46d8b62a6e0dfef6532003cd5f1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 28 May 2021 12:47:37 +0200 Subject: [PATCH 230/254] Fix error when use `-< namefile.yml` in commandline as I never use it --- tools/sigma/parser/collection.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
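Review bot: The `SigmaCollectionParser` docstring ending just above the new `__init__` signature is not updated for the added `filename` parameter; a line such as `* filename: optional path of the rule file; its name and parent directory are exposed to rules as yml_filename and yml_path` should be added to it. The two `yml_filename`/`yml_path` assignments (at construction and again under `action == "reset"`) duplicate the same three lines and would be clearer as one small helper that both call. These keys are written into `globalyaml`, i.e. into the same namespace as the rule's own fields, so every backend now receives two extra top-level keys and any rule that happens to define them would override the file-derived values; this is presumably acceptable but deserves a comment. In the `sigmac.py` hunk, `f = sigmafile` in the first branch suggests `sigmafile` is not always a path object, so passing it as `filename=sigmafile` by keyword and only when it is a path would make the contract explicit.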
diff --git a/tools/sigma/parser/collection.py b/tools/sigma/parser/collection.py index 57e205092..b7cc9ccf1 100644 --- a/tools/sigma/parser/collection.py +++ b/tools/sigma/parser/collection.py @@ -37,8 +37,12 @@ class SigmaCollectionParser: self.parsers = list() prevrule = None if filename: - globalyaml['yml_filename']=str(filename.name) - globalyaml['yml_path']=str(filename.parent) + try: + globalyaml['yml_filename']=str(filename.name) + globalyaml['yml_path']=str(filename.parent) + except: + filename = None + for yamldoc in self.yamls: action = None try: From 33a5137bc7c0160183326aa855a915a65b67309a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 30 May 2021 08:22:38 +0200 Subject: [PATCH 231/254] Fix logsource to get accurate detection --- rules/windows/other/win_defender_history_delete.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/other/win_defender_history_delete.yml b/rules/windows/other/win_defender_history_delete.yml index cbdaac309..21f32acef 100644 --- a/rules/windows/other/win_defender_history_delete.yml +++ b/rules/windows/other/win_defender_history_delete.yml @@ -6,12 +6,13 @@ author: Cian Heasley references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus date: 2020/08/13 +modified: 2021/05/30 tags: - attack.defense_evasion - attack.t1070.001 logsource: - category: windows - product: windef + product: windows + service: windefend detection: selection: EventID: 1013 From 58436c2a024fe914291f66de945f7bfb31f47c38 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 30 May 2021 08:37:48 +0200 Subject: [PATCH 232/254] product is lowercase --- rules/compliance/host_without_firewall.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml index 264327142..cab122e0b 100644 --- a/rules/compliance/host_without_firewall.yml 
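Review bot: The bare `except:` around the `filename.name`/`filename.parent` lookups catches everything, including `KeyboardInterrupt` and `SystemExit`, while the only failure being guarded is the attribute lookup on a non-path object; narrow it to `except AttributeError: filename = None`. Since the same lookups are repeated under `action == "reset"` further down (outside this hunk), that later copy is presumably still unguarded unless `filename` has already been cleared here, which is worth a comment at the point where it is set to `None`.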
+++ b/rules/compliance/host_without_firewall.yml @@ -4,12 +4,13 @@ status: stable description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. author: Alexandr Yampolskyi, SOC Prime date: 2019/03/19 +modified: 2021/05/30 references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf logsource: - product: Qualys + product: qualys detection: selection: event.category: Security Policy From a63445287180b6ee66b71793e4bfaf61bc70bc84 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 30 May 2021 08:43:01 +0200 Subject: [PATCH 233/254] product is lowercase --- rules/windows/process_creation/win_task_folder_evasion.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml index a10446c67..402ff3615 100644 --- a/rules/windows/process_creation/win_task_folder_evasion.yml +++ b/rules/windows/process_creation/win_task_folder_evasion.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/subTee/status/1216465628946563073 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 date: 2020/01/13 -modified: 2020/08/29 +modified: 2021/05/30 author: Sreeman tags: - attack.defense_evasion @@ -17,7 +17,7 @@ tags: - attack.t1064 # an old one logsource: - product: Windows + product: windows detection: selection1: CommandLine|contains: From f91abf8929e0ed18f0042ac9dda13c697b1dc7e5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 30 May 2021 08:58:25 +0200 Subject: [PATCH 234/254] Fix auditd is a service --- rules/linux/lnx_system_info_discovery.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index c0742e26f..892f10d76 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -5,6 +5,7 @@ status: stable description: Detects system information discovery commands author: Ömer Günal, oscd.community date: 2020/10/08 +modified: 2020/05/30 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md falsepositives: @@ -31,7 +32,7 @@ detection: --- logsource: product: linux - category: auditd + service: auditd detection: selection: type: 'PATH' From 7d55c7ca806117f191c476f9e3e581a523df749f Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 30 May 2021 09:17:41 +0200 Subject: [PATCH 235/254] category `other` is useless Add a new reference --- ...n_possible_zerologon_exploitation_using_wellknown_tools.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml index da829faa9..df5118234 100644 --- a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml +++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml @@ -4,13 +4,14 @@ status: stable description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname. references: - https://www.secura.com/blog/zero-logon + - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382 author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community' date: 2020/10/13 +modified: 2021/05/30 tags: - attack.t1210 - attack.lateral_movement logsource: - category: other service: system product: windows detection: 
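Review bot: `+modified: 2020/05/30` in the first hunk predates the rule's `date: 2020/10/08` and does not match the commit date of 30 May 2021; it should read `modified: 2021/05/30`. The second hunk's `category: auditd` to `service: auditd` change is consistent with how the other rules in this series treat auditd.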
From aa34ff8e3c81a9de6746c5a466fb15f250d95641 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 30 May 2021 09:27:08 +0200 Subject: [PATCH 236/254] Addition of `System` channel for more accurate detection --- tools/config/winlogbeat-modules-enabled.yml | 5 +++++ tools/config/winlogbeat-old.yml | 5 +++++ tools/config/winlogbeat.yml | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index a3034b7c5..8a70f2171 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -25,6 +25,11 @@ logsources: service: security conditions: winlog.channel: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System windows-sysmon: product: windows service: sysmon diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 789d5f2b8..d942752a6 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -24,6 +24,11 @@ logsources: service: security conditions: log_name: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System windows-sysmon: product: windows service: sysmon diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 1b1f4bdea..38f19bce0 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -24,6 +24,11 @@ logsources: service: security conditions: winlog.channel: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System windows-sysmon: product: windows service: sysmon From 0b2037ccad3b6a98eb092491840f86b6c3c62eb4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 30 May 2021 09:43:29 +0200 Subject: [PATCH 237/254] fix **firewall** is a `category` like in all other rules --- rules/compliance/cleartext_protocols.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
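Review bot: In the `tools/config/winlogbeat-old.yml` hunk, the new `windows-system` block sets `winlog.channel: System`, while the neighbouring entry in that same file uses the old field name (`log_name: Security` is visible as context), so under the old schema this logsource condition will not match any event; it should be `log_name: System`. The other two files use `winlog.channel` consistently with their neighbours and are fine. The same mismatch recurs in patch 240's `winlogbeat-old.yml` hunk, where the new `windows-powershell` and `windows-classicpowershell` blocks also use `winlog.channel` next to `log_name: 'Microsoft-Windows-Sysmon/Operational'`.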
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml index cda779381..eb1acd9c9 100644 --- a/rules/compliance/cleartext_protocols.yml +++ b/rules/compliance/cleartext_protocols.yml @@ -81,7 +81,7 @@ detection: condition: selection --- logsource: - product: firewall + category: firewall detection: selection1: destination.port: From ab73dd4dd6fbb96f450a085547a8f25c3f244167 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 31 May 2021 10:49:42 +0200 Subject: [PATCH 238/254] rule: nginx core dump --- rules/web/web_nginx_core_dump.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 rules/web/web_nginx_core_dump.yml diff --git a/rules/web/web_nginx_core_dump.yml b/rules/web/web_nginx_core_dump.yml new file mode 100644 index 000000000..578db765e --- /dev/null +++ b/rules/web/web_nginx_core_dump.yml @@ -0,0 +1,20 @@ +title: Nginx Core Dump +id: 59ec40bb-322e-40ab-808d-84fa690d7e56 +description: Detects a core dump of a creashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts +author: Florian Roth +date: 2021/05/31 +references: + - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps + - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/ +logsource: + product: apache +detection: + keywords: + - 'exited on signal 6 (core dumped)' + condition: keywords +falsepositives: + - Serious issues with a configuration or plugin +level: high +tags: + - attack.impact + - attack.t1499.004 \ No newline at end of file From 5f98f00a362626e92ebbd9584e46396bf84e6b4c Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 1 Jun 2021 08:19:26 +0200 Subject: [PATCH 239/254] Filtering Platform Connection are in security channel not system --- rules/windows/builtin/win_global_catalog_enumeration.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
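Review bot: In the new `web_nginx_core_dump.yml`, `logsource: product: apache` contradicts the rule's title and keyword, which are about Nginx; if no `nginx` product mapping exists in the backend configs, that should be recorded in a comment next to the key (`# no nginx product mapping yet; apache used to reach web server logs`), otherwise `product: nginx` is the accurate value. The description has a typo, `creashing` for `crashing`, and the rule lacks the `status:` key the other new rules in this series carry (e.g. `status: experimental`). The file also ends without a trailing newline.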
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml index eb3392785..c87885a43 100644 --- a/rules/windows/builtin/win_global_catalog_enumeration.yml +++ b/rules/windows/builtin/win_global_catalog_enumeration.yml @@ -3,14 +3,16 @@ description: Detects enumeration of the global catalog (that can be performed us author: Chakib Gzenayi (@Chak092), Hosni Mribah id: 619b020f-0fd7-4f23-87db-3f51ef837a34 date: 2020/05/11 -modified: 2020/08/23 +modified: 2021/06/01 +references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156 tags: - attack.discovery - attack.t1087 # an old one - attack.t1087.002 logsource: product: windows - service: system + service: security definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success' detection: selection: From bf98f4385096e8246a652f003aad25bbdfbed09e Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 1 Jun 2021 10:47:17 +0200 Subject: [PATCH 240/254] Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID --- .../powershell_alternate_powershell_hosts.yml | 37 +++++++++++++------ tools/config/winlogbeat-modules-enabled.yml | 10 +++++ tools/config/winlogbeat-old.yml | 10 +++++ tools/config/winlogbeat.yml | 10 +++++ 4 files changed, 55 insertions(+), 12 deletions(-) diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index acf3ed8b7..6346854c7 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml 
@@ -1,8 +1,10 @@ +action: global title: Alternate PowerShell Hosts id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/08/11 +modified: 2021/06/01 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -10,6 +12,20 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 # an old one +falsepositives: + - Programs using PowerShell directly without invocation of a dedicated interpreter + - MSP Detection Searcher + - Citrix ConfigSync.ps1 +level: medium +detection: + filter: + - ContextInfo: 'powershell.exe' + - Message: 'powershell.exe' + # Both fields contain key=value pairs where the key HostApplication is relevant but + # can't be referred directly as event field. + condition: selection and not filter + +--- logsource: product: windows service: powershell @@ -17,16 +33,13 @@ detection: selection: EventID: - 4103 - - 400 ContextInfo: '*' - filter: - - ContextInfo: 'powershell.exe' - - Message: 'powershell.exe' - # Both fields contain key=value pairs where the key HostApplication is relevant but - # can't be referred directly as event field. - condition: selection and not filter -falsepositives: - - Programs using PowerShell directly without invocation of a dedicated interpreter - - MSP Detection Searcher - - Citrix ConfigSync.ps1 -level: medium +--- +logsource: + product: windows + service: powershell-classic +detection: + selection: + EventID: + - 400 + ContextInfo: '*' \ No newline at end of file diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 8a70f2171..25debf7d8 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
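Review bot: The second document pairs `EventID: 400` on the `powershell-classic` channel with `ContextInfo: '*'`, but the filter it is combined with (`ContextInfo: 'powershell.exe'` / `Message: 'powershell.exe'`) was written for the 4103 event, and whether classic event 400 exposes a `ContextInfo` field at all cannot be told from the rule; this should be verified against a sample event, and the comment already in the filter (`key=value pairs where the key HostApplication is relevant`) extended to say which field carries the host for each channel. The rewritten file ends with `\ No newline at end of file`, which should be fixed while touching it.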
@@ -35,6 +35,16 @@ logsources: service: sysmon conditions: winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: 'Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' windows-dns-server: product: windows service: dns-server diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index d942752a6..be68b3193 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -34,6 +34,16 @@ logsources: service: sysmon conditions: log_name: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: 'Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' windows-dns-server: product: windows service: dns-server diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 38f19bce0..679ebed8c 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -34,6 +34,16 @@ logsources: service: sysmon conditions: winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: 'Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' windows-dns-server: product: windows service: dns-server From 34cf1333deb01a1e1f56327b3ce876a2fe8a0085 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 1 Jun 2021 13:58:35 +0200 Subject: [PATCH 241/254] fix: rule FPs with Stealthy VSTO Persistence --- .../registry_event/sysmon_office_vsto_persistence.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml index 4afc0fbc3..8eac61ee8 100644 --- a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml +++ b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml @@ -9,6 +9,7 @@ tags: - attack.persistence author: Bhabesh Raj date: 2021/01/10 +modified: 2021/06/01 logsource: category: registry_event product: windows @@ -20,7 +21,9 @@ detection: - '\Software\Microsoft\Office\Excel\Addins\' - '\Software\Microsoft\Office\Powerpoint\Addins\' - '\Software\Microsoft\VSTO\Security\Inclusion\' - condition: selection + filter: + Image|endswith: '\msiexec.exe' + condition: selection and not filter falsepositives: - Unknown level: high \ No newline at end of file From cc4c55ed10823b91f7806bce2cb723b7d23f919f Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Tue, 1 Jun 2021 16:18:23 +0200 Subject: [PATCH 242/254] Added a new rule about loading dll CS via rundll32 and also some changes about CobaltStrike Service Installations --- .../win_cobaltstrike_service_installs.yml | 22 +++++++++++----- ...creation_cobaltstrike_load_by_rundll32.yml | 26 +++++++++++++++++++ 2 files changed, 41 insertions(+), 7 deletions(-) create mode 100644 rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 986a9f230..0091a49fd 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml 
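Review bot: The new filter `Image|endswith: '\msiexec.exe'` excludes every process whose image name ends that way, regardless of directory, so the exclusion is broader than the installer case it is meant to cover; pinning it to the system binary, `Image: 'C:\Windows\System32\msiexec.exe'` (and the SysWOW64 copy if 32-bit installers are expected), keeps the suppression narrow. Since the commit exists to remove false positives, `falsepositives: - Unknown` should now name them, e.g. `- Office add-ins installed through msiexec`. The file still ends without a trailing newline.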
@@ -1,25 +1,33 @@ title: CobaltStrike Service Installations id: 5a105d34-05fc-401e-8553-272b45c1522d -description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges -author: Florian Roth +description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement +author: Florian Roth, Wojciech Lesicki references: - https://www.sans.org/webcasts/119395 -date: 2021/05/26 +date: 2021/06/01 tags: - attack.execution - attack.privilege_escalation + - attack.lateral_movement + - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 logsource: product: windows service: system detection: - selection: + selection1: EventID: 7045 - ImagePath|contains|all: - - '\\127.0.0.1\ADMIN$' + selection2: + Service File Name|contains|all: + - 'ADMIN$' - '.exe' - condition: selection + selection3: + Service File Name|contains|all: + - '%COMSPEC%' + - 'start' + - 'powershell' + condition: selection1 and (selection2 or selection3) falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml new file mode 100644 index 000000000..a00c41750 --- /dev/null +++ b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml 
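Review bot: The selections switch from the `ImagePath` field to `Service File Name|contains|all`, a name with spaces that looks like the rendered message label rather than the event's data field; unless the backend field mappings translate it, the generated queries will reference a field that does not exist, so this should be checked against the winlogbeat configs and documented with a comment if a mapping is relied on. `selection2` is also much broader than the removed `'\\127.0.0.1\ADMIN$'`: any 7045 service whose binary sits on an `ADMIN$` share now matches at `level: critical`, which covers legitimate remote-administration tooling, yet `falsepositives` still says `Unknown`; either restore the loopback-host anchor or list the expected benign sources. The `date:` change in this hunk is reverted by patch 246 and needs no further action.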
@@ -0,0 +1,26 @@ +title: Cobalt Strike load by rundll32 +status: experimental +id: ae9c6a7c-9521-42a6-915e-5aaa8689d529 +author: Wojciech Lesicki +date: 2021/06/01 +description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. +references: + - https://www.cobaltstrike.com/help-windows-executable + - https://redcanary.com/threat-detection-report/ + - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ +tags: + - attack.defense evasion + - attack.t1218.011 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'rundll32.exe' + - '.dll' + - 'StartW' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file From 90a21d954a3396c09de35c8f1002ed9e06831664 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Tue, 1 Jun 2021 16:55:49 +0200 Subject: [PATCH 243/254] Change title --- .../process_creation_cobaltstrike_load_by_rundll32.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml index a00c41750..4fc8066c8 100644 --- a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml +++ b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml @@ -1,4 +1,4 @@ -title: Cobalt Strike load by rundll32 +title: CobaltStrike load by rundll32 status: experimental id: ae9c6a7c-9521-42a6-915e-5aaa8689d529 author: Wojciech Lesicki From d6f6b88b4c08eb961a8cca9bcdec502f2d364cd0 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Tue, 1 Jun 2021 17:11:24 +0200 Subject: [PATCH 244/254] I corrected the tag --- .../process_creation_cobaltstrike_load_by_rundll32.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
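Review bot: `CommandLine|contains|all` on `'rundll32.exe'`, `'.dll'` and `'StartW'` is a substring match, so `'StartW'` also hits any longer export or argument beginning with those letters, and the rule is rated `level: critical` with `falsepositives: - Unknown`; the description should say why `StartW` is the indicator (the referenced Cobalt Strike documentation) and the level or the false-positive list adjusted accordingly. Matching the process via `Image|endswith: '\rundll32.exe'` instead of a command-line substring is also more robust, since the command line may omit the extension. The tag typo `attack.defense evasion` and the missing trailing newline are fixed by patches 244 and 245.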
diff --git a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml index 4fc8066c8..f2a062c76 100644 --- a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml +++ b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml @@ -9,7 +9,7 @@ references: - https://redcanary.com/threat-detection-report/ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ tags: - - attack.defense evasion + - attack.defense_evasion - attack.t1218.011 logsource: category: process_creation From 950b252d5c6d72b412c2dd9b24bb5ab5c74f3aa4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 1 Jun 2021 18:11:19 +0200 Subject: [PATCH 245/254] Update process_creation_cobaltstrike_load_by_rundll32.yml --- .../process_creation_cobaltstrike_load_by_rundll32.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml index f2a062c76..580898f69 100644 --- a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml +++ b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml @@ -1,4 +1,4 @@ -title: CobaltStrike load by rundll32 +title: CobaltStrike Load by Rundll32 status: experimental id: ae9c6a7c-9521-42a6-915e-5aaa8689d529 author: Wojciech Lesicki @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical From eb4300756e1724c463156cf9c0578fb794ad7a79 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 1 Jun 2021 21:53:25 +0200 Subject: [PATCH 246/254] Update win_cobaltstrike_service_installs.yml --- rules/windows/builtin/win_cobaltstrike_service_installs.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 0091a49fd..b64055444 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -4,7 +4,8 @@ description: Detects known malicious service installs that appear in cases in wh author: Florian Roth, Wojciech Lesicki references: - https://www.sans.org/webcasts/119395 -date: 2021/06/01 +date: 2021/05/26 +modified: 2021/06/01 tags: - attack.execution - attack.privilege_escalation From 8fd0baebef1a8350c17f9f3ad03a819cbed11793 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Jun 2021 00:27:45 +0000 Subject: [PATCH 247/254] Bump urllib3 from 1.26.4 to 1.26.5 Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.4 to 1.26.5. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/1.26.4...1.26.5) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- Pipfile | 2 +- Pipfile.lock | 86 +++++++++++++++++++--------------------------------- 2 files changed, 33 insertions(+), 55 deletions(-) diff --git a/Pipfile b/Pipfile index c8a358947..060d74e88 100644 --- a/Pipfile +++ b/Pipfile @@ -16,7 +16,7 @@ attackcti = "*" [packages] requests = "~=2.25" -urllib3 = "~=1.25" +urllib3 = "~=1.26" progressbar2 = "~=3.47" pymisp = "~=2.4.123" PyYAML = "~=5.1" diff --git a/Pipfile.lock b/Pipfile.lock index ed1329a91..f83fca957 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "6f2116e6d1b332715efdc61c59a958c9226831cb7e19fcd4cea3f4c569d90687" + "sha256": "9d6e50bfd41bb3de5ebbae350555fe4b67c24e2c186aac053905a7740a69e8b2" }, "pipfile-spec": 6, "requires": { 
@@ -18,25 +18,23 @@ "default": { "attrs": { "hashes": [ - "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6", - "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700" + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==20.3.0" + "version": "==21.2.0" }, "certifi": { "hashes": [ - "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c", - "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830" + "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", + "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" ], - "version": "==2020.12.5" + "version": "==2021.5.30" }, "chardet": { "hashes": [ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==4.0.0" }, "deprecated": { @@ -44,7 +42,6 @@ "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.2.12" }, "idna": { @@ -52,7 +49,6 @@ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.10" }, "jsonschema": { @@ -82,7 +78,6 @@ "hashes": [ "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e" ], - "markers": "python_version >= '3.5'", "version": "==0.17.3" }, "python-dateutil": { 
@@ -90,7 +85,6 @@ "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c", "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.8.1" }, "python-utils": { @@ -145,19 +139,18 @@ }, "six": { "hashes": [ - "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", - "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" + "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.15.0" + "version": "==1.16.0" }, "urllib3": { "hashes": [ - "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", - "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], "index": "pypi", - "version": "==1.26.4" + "version": "==1.26.5" }, "wrapt": { "hashes": [ @@ -207,7 +200,6 @@ "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" ], - "markers": "python_version >= '3.6'", "version": "==3.7.4.post0" }, "antlr4-python3-runtime": { @@ -222,7 +214,6 @@ "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" ], - "markers": "python_full_version >= '3.5.3'", "version": "==3.0.1" }, "attackcti": { 
@@ -235,25 +226,23 @@ }, "attrs": { "hashes": [ - "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6", - "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700" + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==20.3.0" + "version": "==21.2.0" }, "certifi": { "hashes": [ - "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c", - "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830" + "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", + "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" ], - "version": "==2020.12.5" + "version": "==2021.5.30" }, "chardet": { "hashes": [ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==4.0.0" }, "colorama": { @@ -343,16 +332,14 @@ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.10" }, "more-itertools": { "hashes": [ - "sha256:5652a9ac72209ed7df8d9c15daf4e1aa0e3d2ccd3c87f8265a0673cd9cbc9ced", - "sha256:c5d6da9ca3ff65220c3bfd2a8db06d698f05d4d2b9be57e1deb2be5a45019713" + "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", + "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" ], - "markers": "python_version >= '3.5'", - "version": "==8.7.0" + "version": "==8.8.0" }, "multidict": { "hashes": [ 
@@ -394,7 +381,6 @@ "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" ], - "markers": "python_version >= '3.6'", "version": "==5.1.0" }, "packaging": { @@ -402,7 +388,6 @@ "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5", "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==20.9" }, "pathspec": { @@ -417,7 +402,6 @@ "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0", "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==0.13.1" }, "py": { @@ -425,7 +409,6 @@ "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.10.0" }, "pyparsing": { @@ -433,7 +416,6 @@ "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.4.7" }, "pytest": { 
@@ -542,16 +524,14 @@ "sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06", "sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb" ], - "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==3.17.2" }, "six": { "hashes": [ - "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", - "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" + "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.15.0" + "version": "==1.16.0" }, "stix2": { "hashes": [ @@ -577,20 +557,19 @@ }, "typing-extensions": { "hashes": [ - "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918", - "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c", - "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f" + "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", + "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", + "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" ], - "markers": "python_version < '3.8'", - "version": "==3.7.4.3" + "version": "==3.10.0.0" }, "urllib3": { "hashes": [ - "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", - "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], "index": "pypi", - "version": "==1.26.4" + "version": "==1.26.5" }, "wcwidth": { "hashes": [ 
@@ -647,7 +626,6 @@ "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" ], - "markers": "python_version >= '3.6'", "version": "==1.6.3" } }
From 7812ff51d3b3eab7942c18ae4178a031433edf12 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 2 Jun 2021 13:04:05 +0200
Subject: [PATCH 248/254] fix: FPs with Volume Shadow Copy Service Keys
---
.../sysmon_volume_shadow_copy_service_keys.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml b/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
index eb8f10b6b..eb48e9352 100644
--- a/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
+++ b/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
@@ -3,6 +3,7 @@ id: 5aad0995-46ab-41bd-a9ff-724f41114971
description: Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
status: experimental
date: 2020/10/20
+modified: 2021/06/02
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.credential_access
@@ -15,7 +16,9 @@ logsource:
detection:
selection:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
- condition: selection
+ filter:
+ TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
+ condition: selection and not filter
falsepositives:
- - Unknown
+ - Other services accessing that key or sub keys
level: high
From e8ee6aec2fd690e9043df5cc30e9a79170492c57 Mon Sep 17 00:00:00 2001
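Review bot: The added filter drops every registry event whose TargetObject contains `System\CurrentControlSet\Services\VSS\Start`, so a change to the VSS service's start type is excluded along with the routine writes the commit is silencing, and nothing in the hunk says that loss of coverage is intended. If the noise comes from a known writer, filtering on that process's `Image` instead of the value name would keep a start-type change from an unexpected process visible; otherwise a comment above `filter:` should record the trade-off, e.g. `# Start value excluded: routinely written by other services; start-type changes are not covered by this rule`. The new falsepositives entry would read more clearly as `- Other services accessing the VSS key or its subkeys`.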
From: Andreas Hunkeler
Date: Wed, 2 Jun 2021 15:47:41 +0200
Subject: [PATCH 249/254] Add further detections to shadow copies deletion
* Add diskshadow.exe to existing detection
* Add new detection for wbadmin.exe
* Fix typo in match on L31
* Add raccine refs
---
.../win_shadow_copies_deletion.yml | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index 43bdfd90c..45e71b95f 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -2,14 +2,17 @@ title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
-author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019/10/22
+modified: 2021/06/02
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://blog.talosintelligence.com/2017/05/wannacry.html
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+ - https://github.com/Neo23x0/Raccine#the-process
+ - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
tags:
- attack.defense_evasion
- attack.impact
@@ -19,15 +22,23 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection1:
Image|endswith:
- '\powershell.exe'
- '\wmic.exe'
- '\vssadmin.exe'
+ - '\diskshadow.exe'
CommandLine|contains|all:
- - shadow # will mach "delete shadows" and "shadowcopy delete"
+ - shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
- delete
- condition: selection
+ selection2:
+ Image|endswith:
+ - '\wbadmin.exe'
+ CommandLine|contains|all:
+ - delete
+ - catalog
+ - quiet # will match -quiet or /quiet
+ condition: 1 of selection*
fields:
- CommandLine
- ParentCommandLine
From 9876643e3e155517783371b776eebd7acaa56e0b Mon Sep 17 00:00:00 2001
From: Alfie Champion
Date: Wed, 2 Jun 2021 19:57:39 +0100
Subject: [PATCH 250/254] added rule for rundll32 launch of fsecure C3
---
.../process_creation_c3_load_by_rundll32.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
diff --git a/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
new file mode 100644
index 000000000..f33a08e33
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
@@ -0,0 +1,24 @@
+title: F-Secure C3 Load by Rundll32
+status: experimental
+id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
+author: Alfie Champion (ajpc500)
+date: 2021/06/02
+description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
+references:
+ - https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
+tags:
+ - attack.defense_evasion
+ - attack. t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '.dll'
+ - 'StartNodeRelay'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
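Review bot: selection2 requires `quiet` in addition to `delete` and `catalog`, so a `wbadmin delete catalog` run without that switch is not matched, and the inline comment explains only the spelling variants, not why the switch is required. If non-interactive runs are deliberately the only target, say so: `- quiet # required on purpose: non-interactive runs only; matches -quiet or /quiet`; otherwise drop the value and let `delete` + `catalog` carry the match. Both selections identify the tool by `Image|endswith`; the SDelete rule later in this series keys on `OriginalFileName`, which comes from the binary's version resource rather than its on-disk name, and using the same convention here would be consistent. The `detection:` block starts inside this hunk, but the rule's `falsepositives` and `level` lines are outside it.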
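Review bot: The description states what F-Secure C3 does rather than what this rule detects; `description: Detects rundll32 loading a DLL whose command line names the StartNodeRelay export, the default entry point of F-Secure C3 NodeRelay DLLs` would tell an analyst what an alert means. The other process_creation rules in this series list `fields:` with `- CommandLine` and `- ParentCommandLine`; adding the same block here keeps alert output consistent and gives triage the parent context for a critical-level hit. The selection matches on `CommandLine` alone, so a wrapper such as a shell that merely passes the rundll32 command line through will also fire; that is reasonable for a critical rule but worth a one-line comment above `selection:` so the breadth reads as intended.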
From ba0f2e6b1612a57d2e7a17a5c07a33b523d6ce31 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 3 Jun 2021 10:59:22 +0200
Subject: [PATCH 251/254] Add windows T1485 SDelete
---
.../process_creation_SDelete.yml | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 rules/windows/process_creation/process_creation_SDelete.yml
diff --git a/rules/windows/process_creation/process_creation_SDelete.yml b/rules/windows/process_creation/process_creation_SDelete.yml
new file mode 100644
index 000000000..267a31520
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_SDelete.yml
@@ -0,0 +1,31 @@
+title: Sysinternals SDelete Delete File
+id: a4824fca-976f-4964-b334-0621379e84c4
+status: experimental
+author: frack113
+date: 2021/06/03
+description: Use of SDelete to erase a file not the free space
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
+tags:
+ - attack.impact
+ - attack.t1485
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: sdelete.exe
+ filter:
+ CommandLine|contains:
+ - -h
+ - -c
+ - -z
+ condition: selection and not filter
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+level: medium
From 151d120a24c92cf6b6eeb8f210dc630235e66c3d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 3 Jun 2021 12:40:55 +0200
Subject: [PATCH 252/254] Update process_creation_SDelete.yml
---
.../windows/process_creation/process_creation_SDelete.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_SDelete.yml b/rules/windows/process_creation/process_creation_SDelete.yml
index 267a31520..78d444273 100644
--- a/rules/windows/process_creation/process_creation_SDelete.yml
+++ b/rules/windows/process_creation/process_creation_SDelete.yml
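Review bot: The selection relies on a single `OriginalFileName: sdelete.exe` value; Sysinternals also ships a 64-bit sdelete64.exe, and if its version resource carries a different OriginalFileName those executions are missed, so the value should be confirmed against both binaries before the rule leaves experimental status. The description is terse; `description: Detects SDelete wiping a file. Invocations that only clean free space (-c, -z) or print the help text (-h) are filtered out` states what the filter is for. The falsepositives entry has stray capitalisation: `- System administrator usage`.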
@@ -17,9 +17,10 @@ detection:
OriginalFileName: sdelete.exe
filter:
CommandLine|contains:
- - -h
- - -c
- - -z
+ - ' -h'
+ - ' -c'
+ - ' -z'
+ - ' /?'
condition: selection and not filter
fields:
- ComputerName
From 11eca86be3e31e917e97e863e89e2f7001682e33 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 3 Jun 2021 12:44:47 +0200
Subject: [PATCH 253/254] Update process_creation_c3_load_by_rundll32.yml
---
.../process_creation/process_creation_c3_load_by_rundll32.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
index f33a08e33..5289718b6 100644
--- a/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
+++ b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
@@ -8,7 +8,7 @@ references:
- https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
tags:
- attack.defense_evasion
- - attack. t1218.011
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
From 12c822511ed2571fc7b1087cd3a4314bd76bb054 Mon Sep 17 00:00:00 2001
From: Remco Hofman
Date: Thu, 3 Jun 2021 21:33:11 +0200
Subject: [PATCH 254/254] Consistency: Service File Name to ServiceFileName
---
rules/windows/builtin/win_cobaltstrike_service_installs.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
index b64055444..9834aee86 100644
--- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
@@ -5,7 +5,7 @@ author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
date: 2021/05/26
-modified: 2021/06/01
+modified: 2021/06/03
tags:
- attack.execution
- attack.privilege_escalation
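Review bot: The leading space in `' -h'`, `' -c'` and `' -z'` is the whole point of this change — it stops the filter from matching those two characters inside a file name or path — but nothing in the hunk records that, so a later editor may strip it as stray whitespace. A comment above the list would preserve the intent: `# leading space on purpose: match the switch itself, not '-h'/'-c'/'-z' inside a path`. The enclosing `detection:` block starts above this hunk.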
@@ -20,11 +20,11 @@ detection:
selection1:
EventID: 7045
selection2:
- Service File Name|contains|all:
+ ServiceFileName|contains|all:
- 'ADMIN$'
- '.exe'
selection3:
- Service File Name|contains|all:
+ ServiceFileName|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
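Review bot: `ServiceFileName` does not appear as a field name anywhere else on this page, and if the backends' field mappings do not know it the renamed selections silently match nothing, which would be a detection regression rather than a cosmetic change. To my knowledge the repository's other System 7045 rules key on `ImagePath`; the rename should be checked against that convention (or a mapping for `ServiceFileName` added alongside) before it lands. A short comment above selection2 naming where the field name comes from, e.g. `# field name as mapped for Service Control Manager event 7045`, would save the next reader the same question.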