diff --git a/CHANGELOG.md b/CHANGELOG.md index 688155af7..2b267dfec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,34 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0. +## 0.22.1 - 2022-09-09 + +### Fixed + +* Replaced generic fix for Splunk AND/OR precedence issue with a specific one because the initial fix broke too many + backends. Splunk queries now have generally parentheses around AND expressions, sometimes more. Use sigma-cli/pySigma + for cleaner Splunk queries. + +## 0.22 - 2022-09-08 + +### Added + +* 'windash' modifier +* DNIF backend +* Hedera backend +* StreamAlert backend +* SQLite backend can handle null values. +* Support for different Windows log sources. + +### Changed + +* Various config improvements. + +### Fixed + +* Wrapping expressions from expanding modifiers into ORed subexpressions. +* Various mapping fixes. + ## 0.21 - 2022-04-08 ### Added diff --git a/Pipfile b/Pipfile index 718c305f6..51a9e476b 100644 --- a/Pipfile +++ b/Pipfile @@ -21,6 +21,7 @@ progressbar2 = "~=3.47" pymisp = "~=2.4.123" PyYAML = "~=5.1" "ruamel.yaml" = "*" +termcolor = "*" [requires] python_version = "3.8" diff --git a/rules/windows/builtin/security/win_susp_computer_name.yml b/rules/windows/builtin/security/win_susp_computer_name.yml new file mode 100644 index 000000000..285be837e --- /dev/null +++ b/rules/windows/builtin/security/win_susp_computer_name.yml 
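Review bot: `termcolor = "*"` is added unpinned while the surrounding entries in the same hunk (`progressbar2 = "~=3.47"`, `pymisp = "~=2.4.123"`, `PyYAML = "~=5.1"`) use compatible-release constraints, so any future release of the package, breaking or tampered, resolves straight into the environment. Pin it like its neighbours, `termcolor = "~=X.Y"` (X.Y being the version currently resolved in Pipfile.lock), or record why a floating spec is acceptable here as it apparently is for `"ruamel.yaml" = "*"`.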
@@ -0,0 +1,36 @@
+title: Win Susp Computer Name Containing Samtheadmin
+id: 39698b3f-da92-4bc6-bfb5-645a98386e45
+status: experimental
+description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
+author: elhoim
+date: 2022/09/09
+references:
+ - https://twitter.com/malmoeb/status/1511760068743766026
+ - https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py
+ - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
+tags:
+ - cve.2021.42278
+ - cve.2021.42287
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1078
+logsource:
+ category: security
+ product: windows
+detection:
+ # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
+ selection1:
+ SamAccountName|startswith: 'SAMTHEADMIN-'
+ SamAccountName|endswith: '$'
+ selection2:
+ TargetUserName|startswith: 'SAMTHEADMIN-'
+ TargetUserName|endswith: '$'
+ condition: 1 of selection*
+fields:
+ - EventID
+ - SamAccountName
+ - SubjectUserName
+ - TargetUserName
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index abf998846..d3d23db50 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
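Review bot: Both `selection1` and `selection2` key solely on the tool's default naming prefix `SAMTHEADMIN-`, which is a string an operator changes in seconds, so `level: critical` with `falsepositives: Unknown` promises more coverage than the rule delivers; the existing comment should say so, e.g. extend it with `# Matches the hacktool's default account name only; a renamed account will not trigger this rule - pair with the generic CVE-2021-42278/42287 detections on 4741/4781 attributes`. The description's `samtheadmin-{1..100}$` is narrower than what the selections accept (any suffix after the prefix, ending in `$`), so either drop the range from the description or make the description generic. Minor: `generated by hacktool` reads better as `generated by the sam-the-admin hacktool`, which also ties the wording to the references.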
@@ -4,154 +4,197 @@ status: experimental description: Detects the creation of a file on disk that has an imphash of a well-known hack tool author: Florian Roth references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 date: 2022/08/24 -logsource: - product: windows - category: create_stream_hash - definition: 'Requirements: Sysmon config with Imphash logging activated' -detection: - selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam - - 3a19059bd7688cb88e70005f18efc439 # PetitPotam - - bf6223a49e45d99094406777eb6004ba # PetitPotam - - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz - - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz - - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz - - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz - - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz - - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz - - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz - - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz - - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz - - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz - - 9da6d5d77be11712527dcab86df449a3 # Mimikatz - - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz - - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz - - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz - - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz - - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato - - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato - - 6118619783fc175bc7ebecff0769b46e # RoguePotato - - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato - - 563233bfa169acc7892451f71ad5850a # RoguePotato - - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato - - 13f08707f759af6003837a150a371ba1 # Pwdump - - 1781f06048a7e58b323f0b9259be798b # Pwdump - - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump - - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump - - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump - - 713c29b396b907ed71a72482759ed757 # 
Pwdump - - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump - - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump - - 8b114550386e31895dfab371e741123d # Pwdump - - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX - - 9d68781980370e00e0bd939ee5e6c141 # Pwdump - - b18a1401ff8f444056d29450fbc0a6ce # Pwdump - - cb567f9498452721d77a451374955f5f # Pwdump - - 730073214094cd328547bf1f72289752 # Htran - - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons - - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons - - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons - - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons - - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump - - 0588081ab0e63ba785938467e1b10cca # PPLDump - - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump - - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump - - 4da924cf622d039d58bce71cdf05d242 # NanoDump - - e7a3a5c377e2d29324093377d7db1c66 # NanoDump - - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump - - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump - - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump - - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump - - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump - - e6f9d5152da699934b30daab206471f6 # NanoDump - - 3ad59991ccf1d67339b319b15a41b35d # NanoDump - - ffdd59e0318b85a3e480874d9796d872 # NanoDump - - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump - - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump - - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz - - 0e2216679ca6e1094d63322e3412d650 # HandleKatz - - ada161bf41b8e5e9132858cb54cab5fb # DripLoader - - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader - - 11083e75553baae21dc89ce8f9a195e4 # DripLoader - - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader - - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam - - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam - - 
IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz - - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz - - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz - - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz - - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz - - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz - - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz - - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz - - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz - - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz - - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz - - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz - - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz - - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz - - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato - - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato - - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato - - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump - - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump - - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump - - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump - - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump - - IMPHASH=730073214094CD328547BF1F72289752 # Htran - - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt 
Strike beacons - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons - - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump - - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump - - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump - - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz - - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader - condition: selection -fields: - - TargetFilename - - Image -falsepositives: - - Unknown -level: high +modified: 2022/09/07 tags: - - attack.defense_evasion - - attack.s0139 - - attack.t1564.004 + - attack.defense_evasion + - attack.s0139 + - attack.t1564.004 +logsource: + product: windows + category: create_stream_hash +definition: 'Requirements: Sysmon config with Imphash logging activated' +detection: + selection: + - Imphash: + - bcca3c247b619dcd13c8cdff5f123932 # 
PetitPotam + - 3a19059bd7688cb88e70005f18efc439 # PetitPotam + - bf6223a49e45d99094406777eb6004ba # PetitPotam + - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz + - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz + - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz + - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz + - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz + - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz + - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz + - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz + - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz + - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz + - 9da6d5d77be11712527dcab86df449a3 # Mimikatz + - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz + - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz + - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz + - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz + - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato + - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato + - 6118619783fc175bc7ebecff0769b46e # RoguePotato + - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato + - 563233bfa169acc7892451f71ad5850a # RoguePotato + - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato + - 13f08707f759af6003837a150a371ba1 # Pwdump + - 1781f06048a7e58b323f0b9259be798b # Pwdump + - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump + - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump + - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump + - 713c29b396b907ed71a72482759ed757 # Pwdump + - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump + - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump + - 8b114550386e31895dfab371e741123d # Pwdump + - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX + - 9d68781980370e00e0bd939ee5e6c141 # Pwdump + - b18a1401ff8f444056d29450fbc0a6ce # Pwdump + - cb567f9498452721d77a451374955f5f # Pwdump + - 730073214094cd328547bf1f72289752 # Htran + - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons + - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons + - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons + - 
829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons + - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump + - 0588081ab0e63ba785938467e1b10cca # PPLDump + - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump + - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump + - 4da924cf622d039d58bce71cdf05d242 # NanoDump + - e7a3a5c377e2d29324093377d7db1c66 # NanoDump + - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump + - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump + - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump + - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump + - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump + - e6f9d5152da699934b30daab206471f6 # NanoDump + - 3ad59991ccf1d67339b319b15a41b35d # NanoDump + - ffdd59e0318b85a3e480874d9796d872 # NanoDump + - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump + - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump + - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump + - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz + - 0e2216679ca6e1094d63322e3412d650 # HandleKatz + - ada161bf41b8e5e9132858cb54cab5fb # DripLoader + - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader + - 11083e75553baae21dc89ce8f9a195e4 # DripLoader + - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader + - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump + - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi + - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi + - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi + - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi + - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi + - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi + - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi + - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi + - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi + - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi + - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi + - a53a02b997935fd8eedcb5f7abab9b9f # WCE + - e96a73c7bf33a464c510ede582318bf2 # WCE + - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers + - 09D278F9DE118EF09163C6140255C690 # Dumpert + - 
03866661686829d806989e2fc5a72606 # Dumpert + - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - 19584675d94829987952432e018d5056 # SysmonQuiet + - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz + - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz + - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz + - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz + - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz + - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz + - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz + - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz + - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz + - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz + - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz + - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz + - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz + - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz + - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # 
Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump + - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump + - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 
# DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert + - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet + - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook + condition: selection +fields: + - TargetFilename + - Image +falsepositives: + - Unknown +level: high diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml new file mode 100644 index 000000000..8e5e50eae --- /dev/null +++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml 
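Review bot: `+definition: 'Requirements: Sysmon config with Imphash logging activated'` now sits at column 0 as a top-level key, whereas on the removed side it was an attribute of `logsource:`; Sigma places `definition` under `logsource`, so as written the requirement note is either rejected by schema validation or silently dropped, and the line should be re-indented back under `logsource:` beneath `category: create_stream_hash`. The new `Imphash:` entries for Dumpert (`09D278F9DE118EF09163C6140255C690`) and SysmonEnte (`84B763C45C0E4A3E7CA5548C710DB4EE`) are upper case while the rest of that list is lower case, and conversely three `Hashes|contains` entries (`IMPHASH=bf6223a4…`, `IMPHASH=03866661…`, `IMPHASH=e57401fb…`) are lower case in an upper-case list; matching is case-insensitive on most backends, but normalising keeps the two lists diffable against each other. `ShaprEvtMute Hook` appears in both lists and is a typo for `SharpEvtMute Hook`, the name used by the new image_load rule in this commit.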
@@ -0,0 +1,38 @@
+title: Unusual File Download from Direct IP Address
+id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
+status: experimental
+description: Detects the download of suspicious file type from URLs with IP
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
+date: 2022/09/07
+logsource:
+ product: windows
+ category: create_stream_hash
+detection:
+ selection_domain:
+ Contents|contains:
+ - '://1'
+ - '://2'
+ - '://3'
+ - '://4'
+ - '://5'
+ - '://6'
+ - '://7'
+ - '://8'
+ - '://9'
+ selection_extension:
+ TargetFilename|contains:
+ - '.ps1:Zone'
+ - '.bat:Zone'
+ - '.exe:Zone'
+ - '.vbe:Zone'
+ - '.vbs:Zone'
+ - '.dll:Zone'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
diff --git a/rules/windows/dns_query/dns_query_win_susp_ldap.yml b/rules/windows/dns_query/dns_query_win_susp_ldap.yml
index 85396c220..accfaf6e3 100644
--- a/rules/windows/dns_query/dns_query_win_susp_ldap.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_ldap.yml
@@ -3,6 +3,7 @@ id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
 description: Detect suspicious ldap request from non Windows application
 status: experimental
 date: 2022/08/20
+modified: 2022/09/08
 author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
@@ -17,6 +18,8 @@ detection:
 filter_defender:
 Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
 Image|endswith: '\MsMpEng.exe'
+ filter_unknown:
+ Image: ''
 condition: dns_request and not 1 of filter_*
 falsepositives:
 - Programs that also lookup the observed domain
diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml
index 9becf4856..cfdf05658 100644
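Review bot: `selection_domain` with `Contents|contains` `'://1'` … `'://9'` matches any URL whose host begins with a digit, not a literal IP address, so digit-leading hostnames (CDN and short-link style names) fire it as readily as a dotted quad, which contradicts the title "Direct IP Address" and will surface as noise on every zone-identifier stream. Since `|re` is already used by another rule in this commit, the intent can be stated exactly, `Contents|re: '://(\d{1,3}\.){3}\d{1,3}'`, with `selection_extension` left as is; whichever form is kept, `falsepositives:` should name digit-leading hostnames rather than `Unknown`. The description `download of suspicious file type from URLs with IP` also wants a plural and an article: `download of suspicious file types from URLs that use a raw IP address`.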
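Review bot: `Image: ''` in the new `filter_unknown` matches an empty string, which is not the same as the `Image` field being absent, so the exclusion behaves differently per backend: where Sysmon's missing image path is stored as null the filter never fires, where it is stored as `""` it does. If the intent is "no image recorded", the spec's null value (`Image: null`, where the backend supports it) is the portable way to express that, and the filter deserves a comment such as `# exclude events where Sysmon could not resolve the requesting image`, because it also opens a small blind spot — any LDAP request logged without an Image now escapes the rule. The `dns_request` selection referenced by `condition:` lies outside the hunk.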
--- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml @@ -23,7 +23,7 @@ detection: selection2: PreviousCreationUtcTime|startswith: '202' filter2: - CreationUtcTime|startswith: 202 + CreationUtcTime|startswith: '202' gen_filter_updates: - Image: - 'C:\Windows\system32\ProvTool.exe' diff --git a/rules/windows/file_event/file_event_bloodhound_collection.yml b/rules/windows/file_event/file_event_win_bloodhound_collection.yml similarity index 80% rename from rules/windows/file_event/file_event_bloodhound_collection.yml rename to rules/windows/file_event/file_event_win_bloodhound_collection.yml index 9c0684d33..3bcde4c93 100644 --- a/rules/windows/file_event/file_event_bloodhound_collection.yml +++ b/rules/windows/file_event/file_event_win_bloodhound_collection.yml @@ -8,20 +8,20 @@ references: date: 2022/08/09 modified: 2022/08/09 tags: - - attack.discovery - - attack.t1087.001 - - attack.t1087.002 - - attack.t1482 - - attack.t1069.001 - - attack.t1069.002 - - attack.execution - - attack.t1059.001 + - attack.discovery + - attack.t1087.001 + - attack.t1087.002 + - attack.t1482 + - attack.t1069.001 + - attack.t1069.002 + - attack.execution + - attack.t1059.001 logsource: product: windows category: file_event detection: selection1: - TargetFilename|endswith: + TargetFilename|endswith: - '_BloodHound.zip' - '_computers.json' - '_containers.json' diff --git a/rules/windows/file_event/file_event_win_creation_system_file.yml b/rules/windows/file_event/file_event_win_creation_system_file.yml index 099155e1d..d2e7cb5ca 100755 --- a/rules/windows/file_event/file_event_win_creation_system_file.yml +++ b/rules/windows/file_event/file_event_win_creation_system_file.yml 
@@ -4,7 +4,7 @@ status: test description: Detects the creation of an executable with a system process name in a suspicious folder author: Sander Wiebing, Tim Shelton date: 2020/05/26 -modified: 2022/07/27 +modified: 2022/09/07 tags: - attack.defense_evasion - attack.t1036.005 @@ -31,10 +31,8 @@ detection: - '\explorer.exe' - '\taskhost.exe' - '\Taskmgr.exe' - - '\taskmgr.exe' - '\sihost.exe' - '\RuntimeBroker.exe' - - '\runtimebroker.exe' - '\smartscreen.exe' - '\dllhost.exe' - '\audiodg.exe' @@ -42,13 +40,10 @@ detection: filter1: TargetFilename|startswith: - 'C:\Windows\System32\' - - 'C:\Windows\system32\' - - 'C:\Windows\SysWow64\' - 'C:\Windows\SysWOW64\' - - 'C:\Windows\winsxs\' - 'C:\Windows\WinSxS\' - '\SystemRoot\System32\' - Image|endswith: + Image|endswith: - '\Windows\System32\dism.exe' - '\TiWorker.exe' filter2: @@ -67,5 +62,6 @@ detection: fields: - Image falsepositives: - - System processes copied outside the default folder + - System processes copied outside their default folders for testing purposes + - Third party software naming their software with the same names as the processes mentioned here level: high diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml b/rules/windows/file_event/file_event_win_legitimate_app_dropping_archive.yml similarity index 97% rename from rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml rename to rules/windows/file_event/file_event_win_legitimate_app_dropping_archive.yml index a50faf8b5..c03a1d896 100644 --- a/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml +++ b/rules/windows/file_event/file_event_win_legitimate_app_dropping_archive.yml @@ -48,5 +48,5 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion - - attack.t1218 + - attack.defense_evasion + - attack.t1218 
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml b/rules/windows/file_event/file_event_win_legitimate_app_dropping_exe.yml similarity index 97% rename from rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml rename to rules/windows/file_event/file_event_win_legitimate_app_dropping_exe.yml index f9abb5613..fb41d165a 100644 --- a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml +++ b/rules/windows/file_event/file_event_win_legitimate_app_dropping_exe.yml @@ -46,5 +46,5 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion - - attack.t1218 + - attack.defense_evasion + - attack.t1218 diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml b/rules/windows/file_event/file_event_win_legitimate_app_dropping_script.yml similarity index 97% rename from rules/windows/file_event/file_event_legitimate_app_dropping_script.yml rename to rules/windows/file_event/file_event_win_legitimate_app_dropping_script.yml index 654cbae90..297ecd472 100644 --- a/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml +++ b/rules/windows/file_event/file_event_win_legitimate_app_dropping_script.yml @@ -48,5 +48,5 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion - - attack.t1218 + - attack.defense_evasion + - attack.t1218 diff --git a/rules/windows/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file_event/file_event_win_susp_executable_creation.yml new file mode 100644 index 000000000..3444fe185 --- /dev/null +++ b/rules/windows/file_event/file_event_win_susp_executable_creation.yml 
@@ -0,0 +1,31 @@
+title: Suspicious Executable File Creation
+id: 74babdd6-a758-4549-9632-26535279e654
+status: experimental
+description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
+author: frack113
+references:
+ - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
+ - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+date: 2022/09/05
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_double:
+ TargetFilename|endswith:
+ - '.bat.exe'
+ - '.sys.exe'
+ selection_folder:
+ TargetFilename:
+ - 'C:\$Recycle.Bin.exe'
+ - 'C:\Documents and Settings.exe'
+ - 'C:\MSOCache.exe'
+ - 'C:\Recovery.exe'
+ - 'C:\PerfLogs.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564
diff --git a/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml
new file mode 100644
index 000000000..daa4a4a85
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml
@@ -0,0 +1,21 @@
+title: Wmiexec Default Output File
+id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
+status: experimental
+description: Detects the creation of the default output filename used by the wmicexec tool
+author: Nasreddine Bencherchali
+date: 2022/06/02
+references:
+ - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
+tags:
+ - attack.lateral_movement
+ - attack.t1047
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
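Review bot: `selection_folder` uses exact `TargetFilename` values hard-wired to drive `C:` (`'C:\$Recycle.Bin.exe'`, `'C:\Recovery.exe'`, …), so the same unquoted-service-path abuse on any other system or data drive is missed; switching that selection to `TargetFilename|endswith` with the drive letter dropped (`':\$Recycle.Bin.exe'`, `':\Documents and Settings.exe'`, …) covers it without widening the match, since the `:\` anchor still pins the root. The tag `attack.t1564` (Hide Artifacts) fits the double-extension half of the rule only; the unquoted-path half maps to `attack.t1574.009`, so tag both or split the rule. Description wording: `Detect creation of suspicious executable file name` → `Detects the creation of executables with suspicious file names`.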
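Review bot: The description names the tool `wmicexec`; the title and the referenced CrowdStrike article say `wmiexec`, so fix the spelling. The regex `'\\Windows\\__1\d{9}\.\d{1,7}$'` pins a ten-digit epoch that starts with `1`, which stops matching once the Unix time passes 2000000000 (May 2033); `'\\Windows\\__\d{10}\.\d{1,7}$'` keeps the precision without the expiry. The reason for the shape deserves a comment on the selection so the next maintainer does not loosen it by accident, e.g. `# impacket wmiexec default output name: "__" + str(time.time()), i.e. epoch seconds with a fractional part`.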
diff --git a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
index 380927c1f..70d5d569f 100644
--- a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
+++ b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
@@ -2,8 +2,8 @@ title: Writing Local Admin Share
 id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
 status: experimental
 description: |
- Aversaries may use to interact with a remote network share using Server Message Block (SMB).
- This technique is used by post-exploitation frameworks.
+ Aversaries may use to interact with a remote network share using Server Message Block (SMB).
+ This technique is used by post-exploitation frameworks.
 author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
diff --git a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
new file mode 100644
index 000000000..e9f0a45d6
--- /dev/null
+++ b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
@@ -0,0 +1,22 @@
+title: SharpEvtMute EvtMuteHook Load
+id: 49329257-089d-46e6-af37-4afce4290685
+status: experimental
+description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs
+references:
+ - https://github.com/bats3c/EvtMute
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+author: Florian Roth
+date: 2022/09/07
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ - Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
+ - Imphash: '330768a4f172e10acb6287b87289d83b'
+ condition: selection
+falsepositives:
+ - Other DLLs with that import hash
+level: high
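Review bot: The description calls the tool `SharpEvtHook` while the title says `SharpEvtMute` and the referenced repository is `EvtMute`; pick one name so analysts can find it, e.g. `description: Detects the load of EvtMuteHook.dll, the hooking component of SharpEvtMute (EvtMute), a tool that tampers with Windows event logging`. The same imphash `330768a4f172e10acb6287b87289d83b` is added to create_stream_hash_hacktool_download.yml in this commit under the label `ShaprEvtMute Hook`, which should be corrected to match this rule's title. Since an import hash identifies a build's import table rather than the tool, the `falsepositives` entry is right to mention other DLLs; a short comment on the selection, `# imphash of the released EvtMuteHook.dll build - update when upstream rebuilds`, would tell maintainers why both spellings of the hash are listed.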
diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml index 799b4e99c..ef08b024f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml @@ -1,9 +1,9 @@ title: PowerShell ADRecon Execution id: bf72941a-cba0-41ea-b18c-9aca3925690d status: experimental -description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 +description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 references: - - https://github.com/sense-of-security/ADRecon + - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1 - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 tags: - attack.discovery @@ -11,7 +11,7 @@ tags: - attack.t1059.001 author: Bhabesh Raj date: 2021/07/16 -modified: 2021/10/16 +modified: 2022/09/06 logsource: product: windows category: ps_script @@ -20,6 +20,8 @@ detection: selection: ScriptBlockText|contains: - 'Function Get-ADRExcelComOb' + - 'Get-ADRGPO' + - 'Get-ADRDomainController' - 'ADRecon-Report.xlsx' #Default condition: selection falsepositives: diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml index 11e8de26c..7340abc67 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml 
@@ -17,12 +17,12 @@ logsource:
 detection:
 selection1:
 ScriptBlockText|contains|all:
- - 'Move-Item'
- - 'Cert:\LocalMachine\Root'
+ - 'Move-Item'
+ - 'Cert:\LocalMachine\Root'
 selection2:
 ScriptBlockText|contains|all:
- - 'Import-Certificate'
- - 'Cert:\LocalMachine\Root'
+ - 'Import-Certificate'
+ - 'Cert:\LocalMachine\Root'
 condition: 1 of selection*
 falsepositives:
 - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
diff --git a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
new file mode 100644
index 000000000..9b3776bcc
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
@@ -0,0 +1,34 @@
+title: SysmonEnte Usage
+id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
+status: experimental
+description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
+author: Florian Roth
+references:
+ - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
+ - https://github.com/codewhitesec/SysmonEnte/
+ - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
+date: 2022/09/07
+modified: 2022/09/09
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection_1:
+ TargetImage: 'C:\Windows\Sysmon64.exe'
+ GrantedAccess: '0x1400'
+ filter_1:
+ SourceImage|startswith:
+ - 'C:\Program Files'
+ - 'C:\Windows\System32\'
+ filter_msdefender:
+ SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ SourceImage|endswith: '\MsMpEng.exe'
+ selection_calltrace:
+ CallTrace: 'Ente'
+ condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace
+falsepositives:
+ - Unknown
+level: high
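Review bot: `CallTrace: 'Ente'` in `selection_calltrace` is an exact-match field, so it only fires when the whole call-trace value equals the literal "Ente"; a real call trace is a list of module+offset entries and will not equal that string, so this branch of the condition is effectively dead and presumably should read `CallTrace|contains: 'Ente'`. Separately, `filter_1` uses `SourceImage|startswith: 'C:\Program Files'` without a trailing backslash, which also excludes `C:\Program Files (x86)\` (possibly intended) and any other directory whose name begins with that prefix; spelling out `'C:\Program Files\'` and `'C:\Program Files (x86)\'` makes the exclusion explicit. `TargetImage` is pinned to `C:\Windows\Sysmon64.exe` only, so a 32-bit or relocated Sysmon install is not covered by `selection_1` — worth a comment if that is a deliberate scope.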
diff --git a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
index 3cf033ac6..f59435e26 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
@@ -1,29 +1,31 @@
 title: WMIExec VBS Script
 id: 966e4016-627f-44f7-8341-f394905c361f
 status: test
-description: Detects suspicious file execution by wscript and cscript
+description: Detects wmiexec vbs version execution by wscript or cscript
 author: Florian Roth
 references:
- - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 date: 2017/04/07
-modified: 2021/11/27
+modified: 2022/09/08
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\cscript.exe'
- CommandLine|contains|all:
- - '.vbs'
- - '/shell'
- condition: selection
+ selection:
+ Image|endswith:
+ - '\cscript.exe'
+ - '\wscript.exe'
+ CommandLine|contains|all:
+ - '.vbs'
+ - '/shell'
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Unlikely
+ - Unlikely
 level: high
 tags:
- - attack.execution
- - attack.g0045
- - attack.t1059.005
+ - attack.execution
+ - attack.g0045
+ - attack.t1059.005
diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
index e8169e203..2f51e4fc7 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
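Review bot: The only functional change in this hunk, adding `'\wscript.exe'` to `Image|endswith`, is buried inside a re-indentation of the whole file, which makes the detection change hard to spot and hard to blame later; the whitespace pass and the logic change belong in separate commits. The rule also keeps `status: test` although the detection now covers a second host binary that the original test evidence did not include — consider whether the status still reflects the validation state of the wscript branch, or note in the commit that it was exercised. The narrowed description ("wmiexec vbs version") would benefit from a comment on `CommandLine|contains|all` explaining that `.vbs` plus `/shell` is the wmiexec.vbs argument signature being keyed on, since that is no longer obvious from the title alone.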
@@ -4,25 +4,25 @@ status: test
 description: Detects Hurricane Panda Activity
 author: Florian Roth
 references:
- - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+ - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 date: 2019/03/04
 modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- - CommandLine|contains|all:
- - 'localgroup'
- - 'admin'
- - '/add'
- - CommandLine|contains:
- - '\Win64.exe'
- condition: selection
+ selection:
+ - CommandLine|contains|all:
+ - 'localgroup'
+ - 'admin'
+ - '/add'
+ - CommandLine|contains:
+ - '\Win64.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.privilege_escalation
- - attack.g0009
- - attack.t1068
+ - attack.privilege_escalation
+ - attack.g0009
+ - attack.t1068
diff --git a/rules/windows/process_creation/proc_creation_win_apt_mercury.yml b/rules/windows/process_creation/proc_creation_win_apt_mercury.yml
index 0aeb0543b..0cb982d1b 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_mercury.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_mercury.yml
@@ -6,10 +6,12 @@ references:
 - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
 author: Florian Roth
 date: 2022/08/26
+modified: 2022/09/12
 logsource:
 category: process_creation
 product: windows
 tags:
+ - attack.execution
 - attack.t1059.001
 - attack.g0069
 detection:
diff --git a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
index 8897c3feb..5aeb7d762 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
@@ -10,7 +10,7 @@ references:
 - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
 - https://twitter.com/SBousseaden/status/1207671369963646976
 tags:
- - attack.discovery
+ - attack.discovery
 - attack.t1012
 - attack.defense_evasion
 - attack.t1036.004
@@ -25,7 +25,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - 'checkadmin.exe 127.0.0.1 -all'
 - 'netsh advfirewall firewall add rule name=powershell dir=in'
 - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
@@ -39,4 +39,4 @@ detection:
 condition: selection
 falsepositives:
 - Administrators that use checkadmin.exe tool to enumerate local administrators
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
index ed0ee3f1d..edf67e4fa 100644
--- a/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
@@ -7,7 +7,7 @@ related:
 description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
 author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
 date: 2020/10/23
-modified: 2021/09/01
+modified: 2022/09/07
 references:
 - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
 - https://www.cobaltstrike.com/help-opsec
@@ -25,19 +25,19 @@ logsource:
 detection:
 selection1:
 Image|endswith: '\WerFault.exe'
- CommandLine|endswith: '\WerFault.exe'
+ CommandLine|endswith: 'WerFault.exe'
 selection2:
 Image|endswith: '\rundll32.exe'
- CommandLine|endswith: '\rundll32.exe'
+ CommandLine|endswith: 'rundll32.exe'
 selection3:
 Image|endswith: '\regsvcs.exe'
- CommandLine|endswith: '\regsvcs.exe'
+ CommandLine|endswith: 'regsvcs.exe'
 selection4:
 Image|endswith: '\regasm.exe'
- CommandLine|endswith: '\regasm.exe'
+ CommandLine|endswith: 'regasm.exe'
 selection5:
 Image|endswith: '\regsvr32.exe'
- CommandLine|endswith: '\regsvr32.exe'
+ CommandLine|endswith: 'regsvr32.exe'
 condition: 1 of selection*
 fields:
 - ParentImage
diff --git a/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
index 7aa6fba00..a23d17ab2 100644
--- a/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
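Review bot: Dropping the leading backslash from every `CommandLine|endswith` value (e.g. `'WerFault.exe'`) broadens each selection to command lines that invoke the binary by bare name with no arguments, which seems to be the intent, but it still misses the common quoted form: `"C:\Windows\System32\rundll32.exe"` ends in a double quote, not in the file name. If that form is in scope, each selection needs a second suffix such as `'rundll32.exe"'`, or the check should be expressed differently. A one-line comment on `selection1`, e.g. `# no leading backslash: the sacrificial process is often started by bare name`, would stop the next editor from restoring the backslash as an apparent typo; the same applies to selection2 through selection5.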
@@ -4,8 +4,8 @@ status: test
 description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
 author: pH-T
 related:
- - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
- type: similar
+ - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
+ type: similar
 date: 2022/05/31
 tags:
 - attack.execution
@@ -15,26 +15,26 @@ tags:
 references:
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains:
- # Invoke-BloodHound
- - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
- - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
- - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
- # Invoke-Mimikatz
- - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
- - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
- - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
- # Invoke-WMIExec
- - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
- - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
- - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
- condition: selection
+ selection:
+ CommandLine|contains:
+ # Invoke-BloodHound
+ - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
+ - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
+ - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
+ # Invoke-Mimikatz
+ - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
+ - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
+ - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
+ # Invoke-WMIExec
+ - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
+ - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
+ - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
+ condition: selection
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - Unlikely
-level: high
\ No newline at end of file
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
similarity index 51%
rename from rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml
rename to rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
index 0a098bb3f..07cd5caed 100644
--- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
@@ -1,40 +1,45 @@
 title: Mavinject Inject DLL Into Running Process
 id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
+related:
+ - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
+ type: obsoletes
 status: experimental
-author: frack113
+author: frack113, Florian Roth
 date: 2021/07/12
-modified: 2022/07/11
-description: Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
+modified: 2022/09/07
+description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
 - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
 tags:
 - attack.defense_evasion
- - attack.collection
+ - attack.privilege_escalation
+ - attack.t1055.001
 - attack.t1218.013
- - attack.t1056.004
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_cli:
- CommandLine|contains|all:
- - ' /INJECTRUNNING'
- - '.dll' # space some time in the end
- selection_img:
- - OriginalFileName:
+ selection_flag:
+ CommandLine|contains: ' /INJECTRUNNING '
+ selection_renamed:
+ OriginalFileName:
 - 'mavinject32.exe'
 - 'mavinject64.exe'
- - Image|endswith: # Event 4688 doesn't have the OriginalFileName field
+ filter_renamed:
+ Image|endswith:
 - '\mavinject32.exe'
 - '\mavinject64.exe'
- condition: all of selection_*
+ condition: selection_flag or (selection_renamed and not filter_renamed)
 fields:
 - ComputerName
 - User
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Unknown
-level: medium
+ - Unlikely
+level: high
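Review bot: The removed comment "Event 4688 doesn't have the OriginalFileName field" documented a limitation that still applies after the rewrite: `selection_renamed` now depends only on `OriginalFileName`, so the renamed-binary branch works only on sources that populate that field (Sysmon-style process creation), and on plain Security 4688 data the rule silently degrades to `selection_flag` alone. I'd keep that note on `selection_renamed`, e.g. `# OriginalFileName is absent from Security 4688; this branch needs Sysmon/EDR process data`. The new `' /INJECTRUNNING '` pattern also requires a trailing space where the old `' /INJECTRUNNING'` did not, so an invocation in which the flag is the last token, or is followed by a tab, no longer matches — worth confirming that the DLL argument always follows the flag before relying on it. The `related` entry says this rule `obsoletes` 17eb8e57-…, but nothing in the diff retires that rule, so the reader cannot tell whether the old one was deprecated elsewhere.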
diff --git a/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml
new file mode 100644
index 000000000..27af17f89
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml
@@ -0,0 +1,30 @@
+title: Email Exifiltration Via Powershell
+id: 312d0384-401c-4b8b-abdf-685ffba9a332
+status: experimental
+description: Detects email exfiltration via powershell cmdlets
+author: Nasreddine Bencherchali (rule), Azure-Sentinel (idea)
+references:
+ - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+ - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
+date: 2022/09/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ CommandLine|contains|all:
+ - 'Add-PSSnapin'
+ - 'Get-Recipient'
+ - '-ExpandProperty'
+ - 'EmailAddresses'
+ - 'SmtpAddress'
+ - '-hidetableheaders'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
index ea0687c01..dbfc4fd4b 100644
--- a/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
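Review bot: The title has a typo that will surface in every alert name: `title: Email Exifiltration Via Powershell` → `title: Email Exfiltration Via PowerShell`. The `tags` block carries only the tactic `attack.exfiltration`, while the other new rules in this diff pair a tactic with a technique; adding the applicable technique (and `attack.t1059.001` for the PowerShell execution that the `Image|endswith` selection keys on) would make the rule consistent with them. The six-token `contains|all` is lifted from a single hunting query, so a comment noting that it mirrors the referenced Sentinel query and will miss variants that drop `-hidetableheaders` would set expectations for anyone tuning it.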
@@ -4,183 +4,189 @@ description: Detects the use of Windows hacktools based on their import hash (im status: experimental author: Florian Roth references: - - Internal Research + - Internal Research date: 2022/03/04 -modified: 2022/08/20 +modified: 2022/09/07 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam - - 3a19059bd7688cb88e70005f18efc439 # PetitPotam - - bf6223a49e45d99094406777eb6004ba # PetitPotam - - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz - - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz - - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz - - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz - - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz - - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz - - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz - - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz - - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz - - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz - - 9da6d5d77be11712527dcab86df449a3 # Mimikatz - - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz - - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz - - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz - - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz - - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato - - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato - - 6118619783fc175bc7ebecff0769b46e # RoguePotato - - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato - - 563233bfa169acc7892451f71ad5850a # RoguePotato - - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato - - 13f08707f759af6003837a150a371ba1 # Pwdump - - 1781f06048a7e58b323f0b9259be798b # Pwdump - - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump - - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump - - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump - - 713c29b396b907ed71a72482759ed757 # Pwdump - - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump - - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump - - 8b114550386e31895dfab371e741123d # Pwdump - - 
94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX - - 9d68781980370e00e0bd939ee5e6c141 # Pwdump - - b18a1401ff8f444056d29450fbc0a6ce # Pwdump - - cb567f9498452721d77a451374955f5f # Pwdump - - 730073214094cd328547bf1f72289752 # Htran - - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons - - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons - - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons - - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons - - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump - - 0588081ab0e63ba785938467e1b10cca # PPLDump - - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump - - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump - - 4da924cf622d039d58bce71cdf05d242 # NanoDump - - e7a3a5c377e2d29324093377d7db1c66 # NanoDump - - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump - - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump - - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump - - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump - - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump - - e6f9d5152da699934b30daab206471f6 # NanoDump - - 3ad59991ccf1d67339b319b15a41b35d # NanoDump - - ffdd59e0318b85a3e480874d9796d872 # NanoDump - - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump - - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump - - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz - - 0e2216679ca6e1094d63322e3412d650 # HandleKatz - - ada161bf41b8e5e9132858cb54cab5fb # DripLoader - - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader - - 11083e75553baae21dc89ce8f9a195e4 # DripLoader - - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader - - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump - - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi - - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi - - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi - - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi - - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi - - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi - - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi - - 
5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi - - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi - - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi - - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi - - a53a02b997935fd8eedcb5f7abab9b9f # WCE - - e96a73c7bf33a464c510ede582318bf2 # WCE - - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers - - 09D278F9DE118EF09163C6140255C690 # Dumpert - - 03866661686829d806989e2fc5a72606 # Dumpert - - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam - - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam - - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz - - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz - - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz - - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz - - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz - - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz - - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz - - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz - - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz - - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz - - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz - - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz - - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz - - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz - - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato - - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato - - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato - - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump - - 
IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump - - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump - - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump - - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump - - IMPHASH=730073214094CD328547BF1F72289752 # Htran - - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons - - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump - - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump - - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump - - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz - - 
IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader - - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump - - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi - - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi - - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi - - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi - - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi - - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi - - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi - - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi - - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi - - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi - - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi - - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE - - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE - - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers - - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert - - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert - - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - condition: selection + selection: + - Imphash: + - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam + - 3a19059bd7688cb88e70005f18efc439 # PetitPotam + - bf6223a49e45d99094406777eb6004ba # PetitPotam + - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz + - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz + - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz + - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz + - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz + - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz + - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz + - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz + - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz + - 9528a0e91e28fbb88ad433feabca2456 # 
Mimikatz + - 9da6d5d77be11712527dcab86df449a3 # Mimikatz + - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz + - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz + - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz + - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz + - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato + - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato + - 6118619783fc175bc7ebecff0769b46e # RoguePotato + - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato + - 563233bfa169acc7892451f71ad5850a # RoguePotato + - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato + - 13f08707f759af6003837a150a371ba1 # Pwdump + - 1781f06048a7e58b323f0b9259be798b # Pwdump + - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump + - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump + - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump + - 713c29b396b907ed71a72482759ed757 # Pwdump + - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump + - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump + - 8b114550386e31895dfab371e741123d # Pwdump + - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX + - 9d68781980370e00e0bd939ee5e6c141 # Pwdump + - b18a1401ff8f444056d29450fbc0a6ce # Pwdump + - cb567f9498452721d77a451374955f5f # Pwdump + - 730073214094cd328547bf1f72289752 # Htran + - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons + - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons + - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons + - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons + - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump + - 0588081ab0e63ba785938467e1b10cca # PPLDump + - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump + - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump + - 4da924cf622d039d58bce71cdf05d242 # NanoDump + - e7a3a5c377e2d29324093377d7db1c66 # NanoDump + - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump + - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump + - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump + - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump + - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump + - 
e6f9d5152da699934b30daab206471f6 # NanoDump + - 3ad59991ccf1d67339b319b15a41b35d # NanoDump + - ffdd59e0318b85a3e480874d9796d872 # NanoDump + - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump + - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump + - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump + - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz + - 0e2216679ca6e1094d63322e3412d650 # HandleKatz + - ada161bf41b8e5e9132858cb54cab5fb # DripLoader + - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader + - 11083e75553baae21dc89ce8f9a195e4 # DripLoader + - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader + - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump + - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi + - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi + - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi + - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi + - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi + - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi + - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi + - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi + - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi + - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi + - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi + - a53a02b997935fd8eedcb5f7abab9b9f # WCE + - e96a73c7bf33a464c510ede582318bf2 # WCE + - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers + - 09D278F9DE118EF09163C6140255C690 # Dumpert + - 03866661686829d806989e2fc5a72606 # Dumpert + - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - 19584675d94829987952432e018d5056 # SysmonQuiet + - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz + - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz + - 
IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz + - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz + - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz + - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz + - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz + - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz + - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz + - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz + - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz + - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz + - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz + - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz + - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - 
IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump + - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump + - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - 
IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert + - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet + - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook + condition: selection falsepositives: - - Legitimate use of one of these tools -level: high \ No newline at end of file + - Legitimate use of one of these tools +level: high diff --git a/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml new file mode 100644 index 000000000..d4b9155c8 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml 
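Review bot: The three added hashes are the only functional change in a hunk that otherwise re-indents roughly 370 lines, so the diff hides them; the whitespace pass and the content change belong in separate commits. Of the additions, `330768a4f172e10acb6287b87289d83b` is, according to the new image_load rule in this same commit, the import hash of EvtMuteHook.dll — a library that is loaded, not executed — so in a `process_creation` rule keyed on the created process's `Imphash`/`Hashes` it is unlikely ever to match and seems to belong only in the image_load rule. The comment on both new lines also misspells the tool, `# ShaprEvtMute Hook` → `# SharpEvtMute Hook`, and `84B763C45C0E4A3E7CA5548C710DB4EE` is the only upper-case value in the otherwise lower-case `Imphash` list; Sigma string matching is case-insensitive by default so it still works, but lower-casing it keeps the list uniform.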
@@ -0,0 +1,32 @@ +title: Root Certificate Installed From Susp Locations +id: 5f6a601c-2ecb-498b-9c33-660362323afa +status: experimental +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. +references: + - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ + - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps +author: Nasreddine Bencherchali +date: 2022/09/09 +tags: + - attack.defense_evasion + - attack.t1553.004 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'Import-Certificate' + - ' -File-Path ' + - 'Cert:\LocalMachine\Root' + CommandLine|contains: + - '\AppData\Local\Temp\' + - 'C:\Windows\TEMP\' + - '\Desktop\' + - '\Downloads\' + - '\Perflogs\' + - 'C:\Users\Public\' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml new file mode 100644 index 000000000..4abb41462 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml 
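Review bot: The token `' -File-Path '` in `selection`'s `CommandLine|contains|all` list does not match the cmdlet's parameter, which the referenced Import-Certificate documentation spells `-FilePath`; because the block is an `all` conjunction, a genuine `Import-Certificate -FilePath ... Cert:\LocalMachine\Root` invocation never satisfies it and the rule cannot fire. Change the entry to `' -FilePath '`. PowerShell also accepts unambiguous parameter-name prefixes, so if robustness against abbreviated forms matters, a shorter anchor than the full parameter name could be considered at some cost in precision.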
@@ -0,0 +1,70 @@ +title: Accessing WinAPI Via CommandLine +id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 +related: + - id: 03d83090-8cba-44a0-b02f-0b756a050306 + type: derived +status: experimental +description: Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec +author: Nasreddine Bencherchali +date: 2022/09/06 +references: + - https://twitter.com/m417z/status/1566674631788007425 +tags: + - attack.execution + - attack.t1106 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - ' WaitForSingleObject ' + - ' QueueUserApc ' + - ' RtlCreateUserThread ' + - ' OpenProcess ' + - ' VirtualAlloc ' + - ' VirtualFree ' + - ' WriteProcessMemory ' + - ' CreateUserThread ' + - ' CloseHandle ' + - ' GetDelegateForFunctionPointer ' + - ' CreateThread ' + - ' memcpy ' + - ' LoadLibrary ' + - ' GetModuleHandle ' + - ' GetProcAddress ' + - ' VirtualProtect ' + - ' FreeLibrary ' + - ' ReadProcessMemory ' + - ' CreateRemoteThread ' + - ' AdjustTokenPrivileges ' + - ' WriteInt32 ' + - ' OpenThreadToken ' + - ' PtrToString ' + - ' FreeHGlobal ' + - ' ZeroFreeGlobalAllocUnicode ' + - ' OpenProcessToken ' + - ' GetTokenInformation ' + - ' SetThreadToken ' + - ' ImpersonateLoggedOnUser ' + - ' RevertToSelf ' + - ' GetLogonSessionData ' + - ' CreateProcessWithToken ' + - ' DuplicateTokenEx ' + - ' OpenWindowStation ' + - ' OpenDesktop ' + - ' MiniDumpWriteDump ' + - ' AddSecurityPackage ' + - ' EnumerateSecurityPackages ' + - ' GetProcessHandle ' + - ' DangerousGetHandle ' + - ' kernel32 ' + - ' Advapi32 ' + - ' msvcrt ' + - ' ntdll ' + - ' user32 ' # FP with chocolatey + - ' secur32 ' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml index 6d2b0f135..010f2b9c5 100644 
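Review bot: `falsepositives:` is `Unknown` although the inline comment on `' user32 '` already records a known false positive with Chocolatey, and at `level: high` that knowledge belongs in the documented field rather than in a trailing comment; replace it with `falsepositives:` / `  - Package managers such as Chocolatey that pass "user32" on the command line`. Several entries (`' kernel32 '`, `' ntdll '`, `' msvcrt '`, `' memcpy '`, `' CloseHandle '`) are plain library or function names that can legitimately occur in scripting command lines, so either documenting that noise or anchoring the rule on the winapiexec image named in the description would make the high severity easier to justify. The `related:` entry `03d83090-8cba-44a0-b02f-0b756a050306` of `type: derived` is not explained; a one-line comment on what was derived from it would help the next maintainer.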
--- a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml @@ -1,27 +1,31 @@ title: Hermetic Wiper TG Process Patterns id: 2f974656-6d83-4059-bbdf-68ac5403422f status: experimental -description: This rule detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 +description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 author: Florian Roth references: - - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia date: 2022/02/25 -modified: 2022/08/13 +modified: 2022/09/09 +tags: + - attack.execution + - attack.lateral_movement + - attack.t1021.001 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\policydefinitions\postgresql.exe' - selection2: - - CommandLine|contains: - - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' - - ' 1> \\\\127.0.0.1\ADMIN$\__16' - - CommandLine|contains|all: - - 'powershell -c ' - - '\comsvcs.dll MiniDump ' - - '\winupd.log full' - condition: 1 of selection* + selection1: + Image|endswith: '\policydefinitions\postgresql.exe' + selection2: + - CommandLine|contains: + - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' + - ' 1> \\\\127.0.0.1\ADMIN$\__16' + - CommandLine|contains|all: + - 'powershell -c ' + - '\comsvcs.dll MiniDump ' + - '\winupd.log full' + condition: 1 of selection* falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml index 46f530fb0..7b5553b72 100644 
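Review bot: The newly added `attack.t1021.001` tag is the Remote Desktop Protocol sub-technique, while the only lateral-movement artefact in this rule is the `\\127.0.0.1\ADMIN$` output redirection in `selection2`, which ATT&CK files under T1021.002 (SMB/Windows Admin Shares). If the tag is meant to describe that pattern, change it to `- attack.t1021.002`; if RDP activity is genuinely expected, a short comment on which selection covers it would avoid the mismatch. The rest of the hunk is re-indentation plus the description rewording.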
--- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml @@ -3,7 +3,7 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d description: Detects a command that accesses password storing registry hives via volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 -modified: 2022/08/13 +modified: 2022/09/09 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 @@ -25,7 +25,7 @@ detection: condition: all of selection* falsepositives: - Some rare backup scenarios -level: medium +level: high tags: - attack.impact - - attack.t1490 \ No newline at end of file + - attack.t1490 diff --git a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml index 61ff3daf2..699f0e26e 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml 
@@ -4,36 +4,36 @@ status: test description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil author: Florian Roth, Tom Ueltschi references: - - https://securelist.com/schroedingers-petya/78870/ - - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 + - https://securelist.com/schroedingers-petya/78870/ + - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 date: 2019/01/16 modified: 2022/03/05 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - select_pipe_com: - CommandLine|contains|all: - - '\AppData\Local\Temp\' - - '\\\\.\\pipe\\' - select_rundll32_dash1: - Image|endswith: '\rundll32.exe' - CommandLine|endswith: - - '.dat,#1' - - '.dat #1' # Sysmon removes comma - select_perfc_keyword: - - '\perfc.dat' - condition: 1 of select* + select_pipe_com: + CommandLine|contains|all: + - '\AppData\Local\Temp\' + - '\\\\.\\pipe\\' + select_rundll32_dash1: + Image|endswith: '\rundll32.exe' + CommandLine|endswith: + - '.dat,#1' + - '.dat #1' # Sysmon removes comma + select_perfc_keyword: + - '\perfc.dat' + condition: 1 of select* fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Admin activity + - Admin activity level: critical tags: - - attack.defense_evasion - - attack.t1218.011 - - attack.t1070.001 - - attack.credential_access - - attack.t1003.001 - - car.2016-04-002 + - attack.defense_evasion + - attack.t1218.011 + - attack.t1070.001 + - attack.credential_access + - attack.t1003.001 + - car.2016-04-002 
diff --git a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml b/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml deleted file mode 100644 index 632e3ef71..000000000 --- a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: MavInject Process Injection -id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 -status: stable -description: Detects process injection using the signed Windows tool Mavinject32.exe -author: Florian Roth -references: - - https://twitter.com/gN3mes1s/status/941315826107510784 - - https://reaqta.com/2017/12/mavinject-microsoft-injector/ - - https://twitter.com/Hexacorn/status/776122138063409152 -date: 2018/12/12 -modified: 2021/11/27 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains: ' /INJECTRUNNING ' - condition: selection -falsepositives: - - Unknown -level: high -tags: - - attack.t1055.001 - - attack.t1218 diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index 8dedecc69..8144e75f1 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml @@ -6,7 +6,9 @@ author: Nasreddine Bencherchali references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ + - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ date: 2022/09/01 +modified: 2022/09/09 logsource: category: process_creation product: windows 
@@ -28,6 +30,7 @@ detection: - ' Administratör ' # Swedish - ' Administrator ' # English - ' guest ' + - ' DefaultAccount ' # The cases below are for when an attacker requests the net command via 'cmd /c....' # First in double quotes - ' "Järjestelmänvalvoja" ' # Finish @@ -38,6 +41,7 @@ detection: - ' "Administratör" ' # Swedish - ' "Administrator" ' # English - ' "guest" ' + - ' "DefaultAccount" ' # Second in single quotes - " 'Järjestelmänvalvoja' " # Finish - " 'Rendszergazda' " # Hungarian @@ -47,6 +51,7 @@ detection: - " 'Administratör' " # Swedish - " 'Administrator' " # English - " 'guest' " + - " 'DefaultAccount' " filter: CommandLine|contains|all: - 'guest' diff --git a/rules/windows/process_creation/proc_creation_win_net_recon.yml b/rules/windows/process_creation/proc_creation_win_net_recon.yml index 7a57ffdbf..d67432ef9 100644 --- a/rules/windows/process_creation/proc_creation_win_net_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_net_recon.yml @@ -4,7 +4,7 @@ status: experimental description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali date: 2019/01/16 -modified: 2022/09/02 +modified: 2022/09/09 references: - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ @@ -33,11 +33,13 @@ detection: CommandLine|contains: # Add more groups for other languages - 'domain admins' - - ' administrators' - - ' administrateurs' + - ' administrator' # Typo without an 'S' so we catch both + - ' administrateur' # Typo without an 'S' so we catch both - 'enterprise admins' - 'Exchange Trusted Subsystem' - 'Remote Desktop Users' + - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users" + - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users" - ' /do' # short for domain # Covers 'accounts' flag selection_accounts_root: 
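Review bot: The new comment `# Typo without an 'S' so we catch both` on `' administrator'` and `' administrateur'` in the net_recon hunk describes a deliberate prefix match as a typo, which invites a future contributor to "fix" it back to the plural and silently narrow the rule. Reword it to `# Deliberately no trailing 's' so the singular and plural forms both match`. The same comment text is introduced on `' administrateur'` in `proc_creation_win_susp_add_local_admin.yml` later in this commit and should be changed there as well. The enclosing `selection` blocks of both net_recon hunks start before the hunk.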
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml index f2179507f..a0297ae22 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml @@ -13,16 +13,16 @@ logsource: detection: selection1: CommandLine|contains|all: - - netsh - - firewall add portopening - - tcp 3389 + - 'netsh' + - 'firewall add portopening' + - 'tcp 3389' selection2: CommandLine|contains|all: - - netsh - - advfirewall firewall add rule - - action=allow - - protocol=TCP - - localport=3389 + - 'netsh' + - 'advfirewall firewall add rule' + - 'action=allow' + - 'protocol=TCP' + - 'localport=3389' condition: 1 of selection* falsepositives: - Legitimate administration diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml new file mode 100644 index 000000000..9f3f670c7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml 
@@ -0,0 +1,34 @@ +title: Node.exe Process Abuse +id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd +status: experimental +description: Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html + - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return + - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/ + - https://nodejs.org/api/cli.html +author: Nasreddine Bencherchali +date: 2022/09/09 +tags: + - attack.defense_evasion + - attack.t1127 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\node.exe' + CommandLine|contains: + - ' -e ' + - ' --eval ' + # Add more pattern of abuse as actions + action_reverse_shell: + CommandLine|contains|all: + - '.exec(' + - 'net.socket' + - '.connect' + - 'child_process' + condition: selection and 1 of action_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml new file mode 100644 index 000000000..5d1d84e07 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml 
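Review bot: The `description:` of this new rule is hard to read — "Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code." splits one thought across a sentence boundary — and the comment `# Add more pattern of abuse as actions` has the same problem. Suggested wording: `description: Detects execution of node.exe (shipped with many software products such as VMware or Adobe) with inline code via "-e" or "--eval" in order to run arbitrary code, e.g. to establish a reverse shell as seen in Log4j exploitation` and `# Add further abuse patterns as additional action_* selections`. `level: high` with `falsepositives: Unlikely` holds only because `action_reverse_shell` is required by the condition; a note that `-e`/`--eval` alone is common in build tooling would help whoever extends `action_*` later.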
@@ -0,0 +1,29 @@ +title: Nslookup PowerShell Download +id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 +status: experimental +description: Detects usage of powershell in conjunction with nslookup as a mean of download. +author: Nasreddine Bencherchali +references: + - https://twitter.com/Alh4zr3d/status/1566489367232651264 +date: 2022/09/05 +logsource: + category: process_creation + product: windows +detection: + selection_cli: + CommandLine|contains|all: + - 'powershell .' + - 'nslookup' + - ' -q=txt ' + selection_img: + ParentImage|endswith: '\powershell.exe' + Image|contains: '\nslookup.exe' + CommandLine|contains: + - ' -q=txt ' + - ' -querytype=txt ' + condition: 1 of selection_* +falsepositives: + - Unlikely +level: high +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml new file mode 100644 index 000000000..17d390701 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml @@ -0,0 +1,22 @@ +title: Nslookup PwSh Download Cradle +id: 72671447-4352-4413-bb91-b85569687135 +status: experimental +description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] +author: Zach Mathis (@yamatosecurity) +date: 2022/09/06 +tags: + - attack.command_and_control + - attack.t1105 + - attack.t1071.004 +references: + - https://twitter.com/alh4zr3d/status/1566489367232651264 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\powershell.exe' + Image|contains: nslookup + CommandLine|contains: '=txt ' + condition: selection +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 76b3888e5..6fe080f91 100644 
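Review bot: The two new rules on this line, `1b3b01c7-84e9-4072-86e5-fc285a41ff23` (Nslookup PowerShell Download) and `72671447-4352-4413-bb91-b85569687135` (Nslookup PwSh Download Cradle), cover the same technique from the same tweet with near-identical `ParentImage`/`Image`/`CommandLine` selections, yet neither declares the other under `related:`. Add a mutual `related:` entry of `type: similar` to each (as `ad720b90-…`/`ffa28e60-…` do elsewhere in this commit), and give the cradle rule the `falsepositives:` block it lacks, e.g. `falsepositives:` / `  - Unlikely`. The first rule's file name, `proc_creation_win_nslookup_poweshell_download.yml`, also has a typo and presumably should read `powershell`.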
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/08/12 +modified: 2022/09/12 logsource: category: process_creation product: windows @@ -27,6 +27,7 @@ detection: - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' + - '\veam.backup.shell.exe' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. diff --git a/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml b/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml new file mode 100644 index 000000000..96c99cdd5 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml @@ -0,0 +1,32 @@ +title: Quarks PwDump Usage +id: 0685b176-c816-4837-8e7b-1216f346636b +status: experimental +description: Detects usage of the Quarks PwDump tool via commandline arguments +author: Nasreddine Bencherchali +references: + - https://github.com/quarkslab/quarkspwdump + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east +date: 2022/09/05 +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: '\QuarksPwDump.exe' + selection_cli: + CommandLine: + - ' -dhl' + - ' --dump-hash-local' + - ' -dhdc' + - ' --dump-hash-domain-cached' + - ' --dump-bitlocker' + - ' -dhd ' + - ' --dump-hash-domain ' + - '--ntds-file' + condition: 1 of selection_* +falsepositives: + - Unlikely +level: high +tags: + - attack.credential_access + - attack.t1003.002 
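Review bot: The added filter value `'\veam.backup.shell.exe'` looks misspelled: the Veeam product name has a double e, so if the intended parent is Veeam's `Veeam.Backup.Shell.exe` this `ParentImage|endswith` entry never matches and the new exclusion is a no-op. Confirm the binary name and correct it to `'\veeam.backup.shell.exe'`. The enclosing `filter` block starts before the hunk.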
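Review bot: `CommandLine:` in `selection_cli` has no modifier, so each list entry is a full-string equality match against the whole command line, which never equals a bare flag such as `' -dhl'`; `selection_cli` therefore cannot fire and the rule degrades to the `Image|endswith` check alone. Change it to `CommandLine|contains:`. The leading/trailing spaces are also inconsistent across entries (`' -dhd '` versus `'--ntds-file'`); pick one convention so the intended word boundaries are clear.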
diff --git a/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml similarity index 54% rename from rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml rename to rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml index 040477109..31b705f94 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml +++ b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml @@ -1,21 +1,23 @@ title: Suspicious Redirection to Local Admin Share id: ab9e3b40-0c85-4ba1-aede-455d226fd124 status: experimental -description: Detects a suspicious output redirection to the local admins share as often found in malicious scripts or hacktool stagers +description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers author: Florian Roth date: 2022/01/16 -modified: 2022/02/01 +modified: 2022/09/09 references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains: - - '> \\\\127.0.0.1\\admin$' - - '> \\\\localhost\\admin$' - condition: selection + selection_redirect: + CommandLine|contains: '>' + selection_share: + - '\\\\127.0.0.1\\admin$\\' + - '\\\\localhost\\admin$\\' + condition: all of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml index 59ecd7e3a..b99236f7c 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml 
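Review bot: `selection_share` is a bare keyword list with no field name, so its two UNC strings are matched against every field a backend indexes rather than `CommandLine`; combined with `selection_redirect` accepting any command line that contains `>`, the new `all of selection_*` condition is considerably looser than the removed `'> \\\\127.0.0.1\\admin$'` strings. If the intent is still command-line output redirection, bind the share patterns to the field: `selection_share:` / `  CommandLine|contains:` / `    - '\\\\127.0.0.1\\admin$\\'` (and the localhost entry). The reworded description also has a comma splice; `...to the local admins share; this technique is often found in...` reads correctly.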
@@ -6,7 +6,7 @@ author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T' references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ date: 2022/02/12 -modified: 2022/08/06 +modified: 2022/09/09 logsource: product: windows category: process_creation @@ -15,7 +15,7 @@ detection: Image|endswith: '\reg.exe' CommandLine|contains|all: - ' add ' - - '\SYSTEM\CurrentControlSet\Control\Terminal Server' + - '\CurrentControlSet\Control\Terminal Server' - 'REG_DWORD' - ' /f' selection_values_1: @@ -34,6 +34,7 @@ detection: - 'TSAdvertise' - 'AllowTSConnections' - 'fSingleSessionPerUser' + - 'fDenyTSConnections' condition: selection_cli and 1 of selection_values_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml new file mode 100644 index 000000000..b7aca4c24 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml @@ -0,0 +1,31 @@ +title: Renamed Sysinternals Sdelete Usage +id: c1d867fe-8d95-4487-aab4-e53f2d339f90 +description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) +status: experimental +author: Florian Roth +date: 2022/09/06 +references: + - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md +tags: + - attack.impact + - attack.t1485 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: 'sdelete.exe' + filter: + Image|endswith: + - '\sdelete.exe' + - '\sdelete64.exe' + condition: selection and not filter +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - System administrator usage +level: high 
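Review bot: `selection` in the new renamed-SDelete rule matches only `OriginalFileName: 'sdelete.exe'`, while `filter` also excludes `'\sdelete64.exe'`; if the 64-bit build carries its own OriginalFileName (not verifiable from this page), a renamed 64-bit copy would go undetected, so either add that value to `selection` or drop the unneeded filter entry after checking the binary's version resource. The description "which is something an administrator shouldn't do (the renaming)" reads awkwardly; `description: Detects the use of a renamed SysInternals SDelete binary, which an administrator would normally have no reason to do` keeps the meaning. The reg_enable_rdp hunks on this line (broadened registry path, added `fDenyTSConnections`) look fine.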
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml new file mode 100644 index 000000000..9e1c9e924 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml @@ -0,0 +1,27 @@ +title: Renamed or Portable Vmnat.exe +id: 7b4f794b-590a-4ad4-ba18-7964a2832205 +status: experimental +description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading +author: elhoim +date: 2022/09/09 +references: + - https://twitter.com/malmoeb/status/1525901219247845376 +tags: + - attack.defense_evasion + - attack.t1574.002 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: 'vmnat.exe' + filter_rename: + Image|endswith: 'vmnat.exe' + filter_portable: + Image: + - 'C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe' + - 'C:\Windows\SysWOW64\vmnat.exe' + condition: selection and not 1 of filter_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sdelete.yml index b235477bd..0846681d4 100644 --- a/rules/windows/process_creation/proc_creation_win_sdelete.yml +++ b/rules/windows/process_creation/proc_creation_win_sdelete.yml @@ -3,8 +3,8 @@ id: a4824fca-976f-4964-b334-0621379e84c4 status: experimental author: frack113 date: 2021/06/03 -modified: 2022/08/13 -description: Use of SDelete to erase a file not the free space +modified: 2022/09/06 +description: Detects the use of SDelete to erase a file not the free space references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md tags: @@ -29,5 +29,5 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - System administrator Usage -level: medium + - System administrator usage +level: high 
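Review bot: `filter_rename` (`Image|endswith: 'vmnat.exe'`) excludes every image whose path ends in vmnat.exe, which is exactly the "portable" case the title advertises, so with `condition: selection and not 1 of filter_*` the `filter_portable` block is unreachable and only renamed copies are ever reported. If portable copies outside the two listed install paths should alert, remove `filter_rename` and use `condition: selection and not filter_portable`; if they should not, rename the rule and drop `filter_portable` instead. `filter_rename` also lacks the leading backslash used by the other `Image|endswith` patterns in this commit, so it would match any file name merely ending in `vmnat.exe`; harmless here but inconsistent.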
diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml new file mode 100644 index 000000000..a28f7d2c3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml @@ -0,0 +1,32 @@ +title: SharpChisel Usage +id: cf93e05e-d798-4d9e-b522-b0248dc61eaf +status: experimental +description: Detects usage of the Sharp Chisel via the commandline arguments +author: Nasreddine Bencherchali +references: + - https://github.com/shantanu561993/SharpChisel + - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/ +date: 2022/09/05 +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: '\SharpChisel.exe' + selection_client_server: + CommandLine|contains: + - 'exe client ' + - 'exe server ' + selection_flags: + CommandLine|contains: + - ' --socks5' + - ' --reverse' + - ' r:' + - ':127.0.0.1:' + condition: 1 of selection_* +falsepositives: + - Some flalse positives may occure with other tools with similar commandlines +level: medium +tags: + - attack.command_and_control + - attack.t1090.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml index ccce2dfb8..70609b700 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml 
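Review bot: `condition: 1 of selection_*` makes `selection_flags` sufficient on its own, so any command line containing `' r:'` (for example a path on an R: drive) or `':127.0.0.1:'` alerts, and `selection_client_server` alone fires on any executable invoked with `client ` or `server `; the intent described in the title (SharpChisel by image, or chisel-style client/server usage with its flags) reads as `condition: selection_img or (selection_client_server and selection_flags)`. `falsepositives` has two typos; `- Some false positives may occur with other tools that have similar command lines` is the corrected text.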
@@ -1,9 +1,13 @@ title: Add User to Local Administrators id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 +related: + - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e + type: similar status: experimental -description: Detects suspicious command line that adds an account to the local administrators group -author: Florian Roth +description: Detects suspicious command line that adds an account to the local administrators/administrateurs group +author: Florian Roth, Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/09 references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 logsource: @@ -13,11 +17,18 @@ tags: - attack.persistence - attack.t1098 detection: - selection: - CommandLine|contains|all: - - 'localgroup administrators ' + selection_main: + - CommandLine|contains|all: + - 'localgroup ' - ' /add' - condition: selection + - CommandLine|contains|all: + - 'Add-LocalGroupMember ' + - ' -Group ' + selection_group: + CommandLine|contains: + - ' administrators ' + - ' administrateur' # Typo without an 'S' so we catch both + condition: all of selection_* falsepositives: - Administrative activity level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml index 9a00f386a..fb61b61ee 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml 
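Review bot: `selection_group` requires a space on both sides of `' administrators '` and a leading space before `' administrateur'`, but the new `Add-LocalGroupMember ` / ` -Group ` branch of `selection_main` is commonly written with a quoted group name (`-Group "Administrators"`), where a quote rather than a space is adjacent to the name, so `all of selection_*` is not met for that form; the net-style branch is unaffected. Consider adding the quoted variants the way `proc_creation_win_net_default_accounts_manipulation.yml` does in this commit, e.g. `- ' "administrators" '` and `- " 'administrators' "`. The comment `# Typo without an 'S' so we catch both` describes a deliberate prefix match; `# Deliberately no trailing 's' so singular and plural both match` is clearer.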
@@ -1,28 +1,38 @@ title: Suspicious Add User to Remote Desktop Users Group id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e +related: + - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 + type: similar status: experimental description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group author: Florian Roth date: 2021/12/06 +modified: 2022/09/09 references: - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/ tags: - attack.persistence + - attack.lateral_movement - attack.t1133 - attack.t1136.001 - - attack.lateral_movement - attack.t1021.001 logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: - - 'net ' - - 'localgroup' + selection_main: + - CommandLine|contains|all: + - 'localgroup ' + - ' /add' + - CommandLine|contains|all: + - 'Add-LocalGroupMember ' + - ' -Group ' + selection_group: + CommandLine|contains: - 'Remote Desktop Users' - - '/add' - condition: selection + - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users" + - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users" + condition: all of selection_* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml index 4a1fc1312..e5b7452db 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml @@ -4,8 +4,8 @@ status: test description: Detects base64 encoded powershell 'Invoke-' call author: pH-T related: - - id: fd6e2919-3936-40c9-99db-0aa922c356f7 - type: similar + - id: fd6e2919-3936-40c9-99db-0aa922c356f7 + type: similar date: 2022/05/20 tags: - attack.execution 
@@ -15,32 +15,32 @@ tags: references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - # Invoke- - - 'SQBuAHYAbwBrAGUALQ' - - 'kAbgB2AG8AawBlAC0A' - - 'JAG4AdgBvAGsAZQAtA' - filter_other_rule: # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7 - CommandLine|contains: - # Invoke-BloodHound - - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA' - - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA' - - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA' - # Invoke-Mimikatz - - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA' - - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A' - - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg' - # Invoke-WMIExec - - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA' - - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw' - - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA' - condition: selection and not 1 of filter* + selection: + CommandLine|contains: + # Invoke- + - 'SQBuAHYAbwBrAGUALQ' + - 'kAbgB2AG8AawBlAC0A' + - 'JAG4AdgBvAGsAZQAtA' + filter_other_rule: # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7 + CommandLine|contains: + # Invoke-BloodHound + - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA' + - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA' + - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA' + # Invoke-Mimikatz + - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA' + - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A' + - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg' + # Invoke-WMIExec + - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA' + - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw' + - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA' + condition: selection and not 1 of filter* fields: - - CommandLine + - CommandLine falsepositives: - - Unlikely -level: high \ No newline at end of file + - Unlikely +level: high 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml index 5b184ccfb..ff0b5b957 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml @@ -10,7 +10,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html date: 2022/07/14 -modified: 2022/08/04 +modified: 2022/09/09 logsource: category: process_creation product: windows @@ -35,6 +35,7 @@ detection: - 'dllhost' - 'cmd ' - 'cmd.exe /c' + - 'cmd.exe /k' - 'rundll32' # Add more suspicious paths - 'C:\Users\Public' diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml index 42b539ce4..0775c1450 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml 
@@ -4,63 +4,63 @@ description: Detects suspicious process patterns used in NTDS.DIT exfiltration status: experimental author: Florian Roth references: - - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ - - https://pentestlab.blog/tag/ntds-dit/ - - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 - - https://github.com/zcgonvh/NTDSDumpEx - - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1 - - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration + - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ + - https://pentestlab.blog/tag/ntds-dit/ + - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 + - https://github.com/zcgonvh/NTDSDumpEx + - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1 + - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 date: 2022/03/11 tags: - - attack.credential_access - - attack.t1003.003 + - attack.credential_access + - attack.t1003.003 logsource: - product: windows - category: process_creation + product: windows + category: process_creation detection: - selection_tool: - # https://github.com/zcgonvh/NTDSDumpEx - - Image|endswith: - - '\NTDSDump.exe' - - '\NTDSDumpEx.exe' - - CommandLine|contains|all: - # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv - - 'ntds.dit' - - 'system.hiv' - - CommandLine|contains: 'NTDSgrab.ps1' - selection_oneliner_1: - # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" - CommandLine|contains|all: - - 'ac i ntds' - - 'create 
full' - selection_onliner_2: - # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit - CommandLine|contains|all: - - '/c copy ' - - '\windows\ntds\ntds.dit' - selection_powershell: - CommandLine|contains|all: - - 'powershell' - - 'ntds.dit' - set1_selection_ntds_dit: - CommandLine|contains: 'ntds.dit' - set1_selection_image_folder: - - ParentImage|contains: - - '\apache' - - '\tomcat' - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' - - Image|contains: - - '\apache' - - '\tomcat' - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' - condition: 1 of selection* or all of set1* + selection_tool: + # https://github.com/zcgonvh/NTDSDumpEx + - Image|endswith: + - '\NTDSDump.exe' + - '\NTDSDumpEx.exe' + - CommandLine|contains|all: + # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv + - 'ntds.dit' + - 'system.hiv' + - CommandLine|contains: 'NTDSgrab.ps1' + selection_oneliner_1: + # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" + CommandLine|contains|all: + - 'ac i ntds' + - 'create full' + selection_onliner_2: + # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit + CommandLine|contains|all: + - '/c copy ' + - '\windows\ntds\ntds.dit' + selection_powershell: + CommandLine|contains|all: + - 'powershell' + - 'ntds.dit' + set1_selection_ntds_dit: + CommandLine|contains: 'ntds.dit' + set1_selection_image_folder: + - ParentImage|contains: + - '\apache' + - '\tomcat' + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' + - Image|contains: + - '\apache' + - '\tomcat' + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' + condition: 1 of selection* or all of set1* falsepositives: - - Unknown + - Unknown level: high 
diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_suspicious_psexesvc.yml rename to rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_suspicious_psexesvc_as_system.yml rename to rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_psexesvc_renamed.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_suspicious_psexesvc_renamed.yml rename to rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml index e0764e923..e8fa9ebea 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml 
@@ -1,13 +1,13 @@ -title: Reg Add Suspicious Path To AppDataLow +title: Reg Add Suspicious Paths id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829 status: experimental -description: Detects when an adversary uses the 'AppDataLow' subkeys as a place to store data as seen in the URSNIF phishing campaign +description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md -author: frack113 +author: frack113, Nasreddine Bencherchali date: 2022/08/19 -modified: 2022/08/20 +modified: 2022/09/09 logsource: category: process_creation product: windows @@ -17,13 +17,16 @@ detection: - OriginalFileName: 'reg.exe' selection_path: CommandLine|contains: - - '\Software\AppDataLow\Software\Microsoft\' - - '\Software\Policies\Microsoft\Windows\OOBE' - - '\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' + # Add more suspicious registry locations below + - '\AppDataLow\Software\Microsoft\' + - '\Policies\Microsoft\Windows\OOBE' + - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' + - '\CurrentControlSet\Control\SecurityProviders\WDigest' + - '\Microsoft\Windows Defender\' condition: all of selection_* falsepositives: - - Legitimate use -level: medium + - Rare legitimate add to registry via cli (to these locations) +level: high tags: - attack.defense_evasion - attack.t1112 diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml index 791985d1a..31d6d74ac 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml 
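Review bot: The new `'\Microsoft\Windows Defender\'` entry in `selection_path` is a bare substring that matches any reg.exe write anywhere under the Defender tree, which sits uneasily with `level` being raised to `high` in the same hunk and a falsepositives line that calls such writes rare. Deployment and hardening scripts routinely set Defender policy or exclusion values with reg.exe, so either narrow that entry to the subkeys actually meant here or keep `level: medium` and state in `falsepositives` which Defender keys are in scope. The `'\CurrentControlSet\Control\SecurityProviders\WDigest'` entry would also benefit from a one-line comment naming the value it is there to catch, since `# Add more suspicious registry locations below` explains the list but not the individual picks. The `selection_img` block the condition depends on starts above the hunk.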
@@ -1,7 +1,7 @@ title: Suspicious Reg Add BitLocker id: 0e0255bf-2548-47b8-9582-c0955c9283f5 status: experimental -description: Suspicious add key for BitLocker +description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility references: - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ tags: @@ -9,19 +9,18 @@ tags: - attack.t1486 author: frack113 date: 2021/11/15 -modified: 2022/08/05 +modified: 2022/09/09 logsource: category: process_creation product: windows detection: - set: + selection: CommandLine|contains|all: - 'REG' - 'ADD' - '\SOFTWARE\Policies\Microsoft\FVE' - '/v' - '/f' - key: CommandLine|contains: - 'EnableBDEWithNoTPM' - 'UseAdvancedStartup' @@ -31,7 +30,7 @@ detection: - 'RecoveryKeyMessageSource' - 'UseTPMPIN' - 'RecoveryKeyMessage' - condition: set and key + condition: selection falsepositives: - - Unknown -level: medium + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml new file mode 100644 index 000000000..aa3f20a37 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml 
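Review bot: Raising `level` to `high` while changing `falsepositives` to `Unlikely` is a strong claim for a selection that fires on any `REG ADD` under `\SOFTWARE\Policies\Microsoft\FVE` carrying one of the listed value names and `/f`; environments that set BitLocker policy without Group Policy (imaging or provisioning scripts) write exactly these values with reg.exe. Suggest either keeping `level: medium` or replacing the falsepositives line with `- Provisioning or imaging scripts that set BitLocker policy via reg.exe instead of GPO`. Merging `set` and `key` into one `selection` works because `CommandLine|contains|all` and `CommandLine|contains` are distinct keys, but a comment such as `# both the FVE policy path and one of the policy value names must be present` would make that intent explicit to the next maintainer.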
@@ -0,0 +1,36 @@ +title: Delete Important Scheduled Task +id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 +related: + - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 + type: derived +status: experimental +description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities +author: Nasreddine Bencherchali +references: + - Internal Research +date: 2022/09/09 +logsource: + category: process_creation + product: windows +detection: + schtasks_exe: + Image|endswith: '\schtasks.exe' + CommandLine|contains|all: + - '/delete' + - '/tn' + CommandLine|contains: + # Add more important tasks + - '\Windows\SystemRestore\SR' + - '\Windows\Windows Defender\' + - '\Windows\BitLocker' + - '\Windows\WindowsBackup\' + - '\Windows\WindowsUpdate\' + - '\Windows\UpdateOrchestrator\' + - '\Windows\ExploitGuard' + condition: all of schtasks_* +falsepositives: + - Unlikely +level: high +tags: + - attack.impact + - attack.t1489 diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml new file mode 100644 index 000000000..f36952ecd --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml 
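Review bot: The `description` says the rule detects adversaries *disabling* scheduled tasks, but the selection matches `/delete` together with `/tn`, so the text describes the sibling rule rather than this one; suggest `description: Detects when adversaries delete important scheduled tasks (backup, update, Defender and similar) in order to conduct data destructive activities`, which also fixes the `schdueled` typo that the reworded description of proc_creation_win_susp_schtasks_disable.yml on the next line repeats. The process check relies on `Image|endswith: '\schtasks.exe'` alone, whereas proc_creation_win_susp_schtasks_schedule_type_system.yml in this same commit pairs it with `- OriginalFileName: 'schtasks.exe'`; splitting the image check into its own selection with that alternative keeps a renamed copy of the binary from slipping past the rule. The `# Add more important tasks` list and `condition: all of schtasks_*` are otherwise consistent with the disable rule.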
@@ -0,0 +1,25 @@ +title: Delete All Scheduled Tasks +id: 220457c1-1c9f-4c2e-afe6-9598926222c1 +status: experimental +description: Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. +author: Nasreddine Bencherchali +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete +date: 2022/09/09 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\schtasks.exe' + CommandLine|contains|all: + - ' /delete ' + - '/tn \*' + - ' /f' + condition: selection +falsepositives: + - Unlikely +level: high +tags: + - attack.impact + - attack.t1489 diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml index 2abc0aaa4..e46a19f3b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml @@ -1,7 +1,7 @@ title: Disable Important Scheduled Task id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 status: experimental -description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc. +description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities author: frack113, Nasreddine Bencherchali references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task 
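Review bot: `' /f'` is part of `CommandLine|contains|all`, so a wildcard delete issued without the force switch (where the operator simply answers the confirmation prompt) is not matched even though it removes every task just the same; if the intent is to catch every `/tn *` delete, drop the `' /f'` entry, otherwise add a comment explaining why only forced deletion is in scope. `symbole` in the description should be `symbol`. The `'/tn \*'` pattern correctly escapes the asterisk so it is matched literally rather than as a Sigma wildcard, which is worth a short `# \* is a literal asterisk, not a wildcard` comment because the distinction is easy to undo in a later edit.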
@@ -19,15 +19,15 @@ detection: - '/Change' - '/TN' - '/disable' - #split to add other CommandLine|contains: - - 'Microsoft\Windows\SystemRestore\SR' - - 'Microsoft\Windows\Windows Defender\' - - 'Microsoft\Windows\BitLocker' - - 'Microsoft\Windows\WindowsBackup\' - - 'Microsoft\Windows\WindowsUpdate\' - - 'Microsoft\Windows\UpdateOrchestrator\' - - 'Windows\ExploitGuard' + # Add more important tasks + - '\Windows\SystemRestore\SR' + - '\Windows\Windows Defender\' + - '\Windows\BitLocker' + - '\Windows\WindowsBackup\' + - '\Windows\WindowsUpdate\' + - '\Windows\UpdateOrchestrator\' + - '\Windows\ExploitGuard' condition: all of schtasks_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml index e34973df4..6ffa9e601 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml @@ -1,15 +1,19 @@ -title: Suspicious Schtasks Schedule Type -id: 7a02e22e-b885-4404-b38b-1ddc7e65258a -description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type +title: Suspicious Schtasks Schedule Types +id: 24c8392b-aa3c-46b7-a545-43f71657fe98 +related: + - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a + type: similar +description: Detects scheduled task creations or modification on a suspicious schedule type status: experimental references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html tags: - attack.execution - attack.t1053.005 author: Nasreddine Bencherchali -date: 2022/08/31 +date: 2022/09/09 logsource: product: windows category: process_creation 
@@ -23,12 +27,12 @@ detection: - ' ONSTART ' - ' ONCE ' - ' ONIDLE ' - selection_privs: + filter_privs: CommandLine|contains: - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space - 'HIGHEST' - condition: all of selection_* + condition: all of selection_* and not 1 of filter_* falsepositives: - - Unknown + - Legitmate processes that run at logon. Filter according to your environment level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml new file mode 100644 index 000000000..22eb46376 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml 
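Review bot: With `selection_privs` renamed to `filter_privs` and `condition: all of selection_* and not 1 of filter_*`, this rule now fires only when none of the SYSTEM/HIGHEST tokens is present, i.e. it is the complement of proc_creation_win_susp_schtasks_schedule_type_system.yml, but the description in the previous hunk (`Detects scheduled task creations or modification on a suspicious schedule type`) does not say so; suggest appending ` without elevated privileges (the privileged variant is covered by the related rule)`. `Legitmate` in falsepositives should be `Legitimate`, and the same typo appears in proc_creation_win_wevtutil_recon.yml and registry_set_winlogon_allow_multiple_tssessions.yml later in this diff. The `selection_time` context lines (`' ONLOGON '`, `' ONSTART '`, `' ONCE '`, `' ONIDLE '`) require a trailing space, so a schedule type given as the final token of the command line appears not to match; this applies equally to the new schedule_type_system rule that copies the list.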
@@ -0,0 +1,37 @@ +title: Suspicious Schtasks Schedule Type With High Privileges +id: 7a02e22e-b885-4404-b38b-1ddc7e65258a +related: + - id: 24c8392b-aa3c-46b7-a545-43f71657fe98 + type: similar +description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type +status: experimental +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +tags: + - attack.execution + - attack.t1053.005 +author: Nasreddine Bencherchali +date: 2022/08/31 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\schtasks.exe' + - OriginalFileName: 'schtasks.exe' + selection_time: + CommandLine|contains: + - ' ONLOGON ' + - ' ONSTART ' + - ' ONCE ' + - ' ONIDLE ' + selection_privs: + CommandLine|contains: + - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space + - 'HIGHEST' + condition: all of selection_* +falsepositives: + - Some installers were seen using this method of creation unfortunately. Filter them in your environment +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml new file mode 100644 index 000000000..878656d6a --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml 
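Review bot: The `selection_privs` tokens `'NT AUT'`, `' SYSTEM'` and `'HIGHEST'` are matched anywhere in the command line, so a task name, path or argument that merely contains `SYSTEM` or `HIGHEST` satisfies the privilege check just as `/ru SYSTEM` or `/rl HIGHEST` does; anchoring the tokens to their switch (`'/ru '` plus the account, `'/rl HIGHEST'`) would remove that noise, though the spellings schtasks accepts should be checked before tightening. The inline comment `gets it's own value` should read `gets its own value`. This file keeps the id `7a02e22e-b885-4404-b38b-1ddc7e65258a` that the previous hunk removed from proc_creation_win_susp_schtasks_schedule_type.yml, which is the right way to split a rule but is worth stating in the commit message so the id history stays traceable.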
@@ -0,0 +1,25 @@ +title: SharpEvtMute EvtMuteHook Load +id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c +status: experimental +description: Detects the use of SharpEvtHook, a tool to tamper with Windows event logs +references: + - https://github.com/bats3c/EvtMute +author: Florian Roth +date: 2022/09/07 +tags: + - attack.defense_evasion + - attack.t1562.002 +logsource: + product: windows + category: process_creation +detection: + selection: + - Image|endswith: '\SharpEvtMute.exe' + - Description: 'SharpEvtMute' + - CommandLine|contains: + - '--Filter "rule ' + - '--Encoded --Filter \"' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml index 6113dbc86..e9ec591cf 100644 --- a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/GelosSnake/status/934900723426439170 author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali date: 2017/11/27 -modified: 2022/07/14 +modified: 2022/09/07 tags: - attack.defense_evasion - attack.t1036 @@ -69,7 +69,7 @@ detection: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - 'C:\Windows\WinSxS\' - - 'C:\avast! sandbox' + # - 'C:\avast! sandbox' - Image|contains: '\SystemRoot\System32\' - Image: 'C:\Windows\explorer.exe' condition: selection and not filter diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml new file mode 100644 index 000000000..663102824 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml 
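Review bot: The `description` names the tool `SharpEvtHook`, while the title, the `Image|endswith: '\SharpEvtMute.exe'` selection, the `Description: 'SharpEvtMute'` field and the reference all call it SharpEvtMute; suggest `description: Detects the use of SharpEvtMute, a tool that tampers with Windows event logging`. The `'--Encoded --Filter \"'` entry carries a backslash before the quote inside single quotes; as far as Sigma's escaping goes a backslash only escapes `*`, `?` and itself, so this would match the literal two characters `\"` rather than a plain `"`, and it is worth confirming that is the command-line form actually observed. A short comment above the two `--Filter` entries explaining which invocation each one targets would also help, since the second is otherwise hard to read.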
@@ -0,0 +1,30 @@ +title: User Discovery Via Get-ADUser Cmdlet +id: c2993223-6da8-4b1a-88ee-668b8bf315e9 +status: experimental +description: Detects usage of the Get-ADUser cmdlet to collect user information +author: Nasreddine Bencherchali +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +date: 2022/09/09 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli: + CommandLine|contains|all: + - 'Get-ADUser ' + - ' -Filter \*' + condition: all of selection_* +falsepositives: + - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often +level: medium +tags: + - attack.discovery + - attack.t1033 diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml new file mode 100644 index 000000000..021e770a3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml 
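Review bot: `' -Filter \*'` only matches the wildcard written bare; `Get-ADUser -Filter "*"` or `-Filter '*'`, which PowerShell accepts just as well, put a quote between the space and the asterisk and fall through `selection_cli`. Either add the quoted forms as additional alternatives (an ORed `CommandLine|contains` selection is the cleanest way to express it) or note in `falsepositives`/a comment that only the unquoted form is covered. The rule also only sees the cmdlet when it appears on the command line itself; invocation from a script file or an encoded command is out of scope, which is fine but deserves a one-line comment so nobody expects more coverage than the rule provides.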
@@ -0,0 +1,28 @@ +title: Wevtutil Recon +id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf +status: experimental +description: Detects usage of the wevtutil utility to perform reconnaissance +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +author: Nasreddine Bencherchali +date: 2022/09/09 +tags: + - attack.discovery +logsource: + category: process_creation + product: windows +detection: + selection_cli: + Image|endswith: '\wevtutil.exe' + CommandLine|contains: + - ' qe ' + - ' query-events ' + selection_logs: + CommandLine|contains: + # Add more event log channels that are interesting for attackers + - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational' + condition: all of selection_* +falsepositives: + - Legitmate usage of the utility by administrators to query the event log +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml new file mode 100644 index 000000000..645bf62ec --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml 
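Review bot: The second channel name, `Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational`, appears to carry an extra hyphen; the channel Windows registers is `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational`, with the same `TerminalServices` spelling as the LocalSessionManager entry above it, so as written that entry would never match — please verify against a live system before merging. `Legitmate` in falsepositives should be `Legitimate`. The `' qe '`/`' query-events '` tokens require surrounding spaces, so `qe` as the very last argument would not match; that is unlikely given a channel must follow, but a comment saying so keeps the next editor from "fixing" the spaces.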
@@ -0,0 +1,27 @@ +title: Suspicious Get Local Groups Information with WMIC +id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f +status: experimental +description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc. +references: + - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ +author: Nasreddine Bencherchali +date: 2022/09/08 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\wmic.exe' + - OriginalFileName: 'wmic.exe' + selection_cli: + CommandLine|contains|all: + - ' computersystem ' + - ' get ' + condition: all of selection* +falsepositives: + - Unknown +level: medium +tags: + - attack.discovery + - attack.execution + - attack.t1047 diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml index 0e70d3dfd..c275f908c 100644 --- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml @@ -16,7 +16,7 @@ logsource: category: registry_event detection: selection: - TargetObject|contains|all: + TargetObject|contains|all: - 'SYSTEM\' - 'ControlSet' - '\Control\Lsa' @@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml index 18f83195a..b1a0279f3 100644 --- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml +++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml 
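Review bot: The `title` (`Suspicious Get Local Groups Information with WMIC`) does not match what the rule detects — `selection_cli` keys on `' computersystem '` plus `' get '` and the description talks about domain, username and model — so it looks copied from a local-groups rule; suggest `title: Computer System Information Discovery Via WMIC`. `condition: all of selection*` works, but the other new rules in this commit write `all of selection_*`; aligning the glob avoids a future key that starts with `selection` but lacks the underscore being pulled in by accident. The `selection_img` alternative on `OriginalFileName: 'wmic.exe'` is a good match for the other rules here and needs no change.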
@@ -1,12 +1,16 @@ -title: SilentProcessExit Monitor Registrytion for LSASS +title: SilentProcessExit Monitor Registration for LSASS id: 55e29995-75e7-451a-bef0-6225e2f13597 -description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory +related: + - id: 1f24c7c1-0b71-4e4e-8a6d-f863c9d8aa4a + type: similar +description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process status: experimental author: Florian Roth references: - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ date: 2021/02/26 +modified: 2022/09/07 tags: - attack.credential_access - attack.t1003.007 @@ -14,9 +18,9 @@ logsource: category: registry_event product: windows detection: - selection: + selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe' condition: selection falsepositives: - - Unknown -level: critical \ No newline at end of file + - Unlikely +level: critical diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index bf9e046d0..ad5a53caa 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml @@ -12,7 +12,7 @@ references: - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ date: 2019/10/25 -modified: 2022/08/23 +modified: 2022/09/06 logsource: category: registry_set product: windows 
@@ -98,7 +98,9 @@ detection: - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}' - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}' filter_onedrive: - Details|startswith: 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\' + Details|startswith: + - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\' + - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\' Details|contains: '\AppData\Local\Microsoft\OneDrive\' filter_python: TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{c60fd5ac-367d-4e3a-a975-f157502ac30a}' diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml index b7cf6a8f1..5e3e00f86 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml @@ -3,7 +3,7 @@ id: 5de03871-5d46-4539-a82d-3aa992a69a83 description: Detects the modification of the registry to disable a system restore on the computer author: frack113 date: 2022/04/04 -modified: 2022/06/26 +modified: 2022/09/09 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry @@ -13,9 +13,9 @@ logsource: detection: selection: EventType: Setvalue - TargetObject|startswith: - - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' - - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' + TargetObject|contains: + - '\Policies\Microsoft\Windows NT\SystemRestore' + - '\Microsoft\Windows NT\CurrentVersion\SystemRestore' TargetObject|endswith: - DisableConfig - DisableSR diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index a0d67a125..04c010857 100644 
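Review bot: `filter_onedrive` excludes on value content alone — a `Details|startswith` cmd.exe prefix plus `Details|contains: '\AppData\Local\Microsoft\OneDrive\'` — so any RunOnce entry whose data is shaped like the OneDrive cleanup command is dropped regardless of which process wrote it, and adding the second `del /q` prefix in this hunk widens that exclusion. If the registry_set event carries the writing process, tying the filter to `Image` (the OneDrive setup/updater binary path) would make the exclusion much harder to satisfy by content alone; if it does not, a comment such as `# content-based filter: cannot be tied to the writing process on this log source` should record the trade-off. The `condition` that consumes this filter is outside the hunk.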
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/08/26 +modified: 2022/09/08 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 @@ -27,6 +27,10 @@ detection: TargetObject|contains: - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' + filter_empty: + Image: + - '' + - null condition: selection and not 1 of filter* falsepositives: - Legitimate administrators disabling specific event log for troubleshooting diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml index 3c0451ff3..5fe588e2a 100644 --- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml +++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml @@ -2,6 +2,7 @@ title: Scripted Diagnostics Turn Off Check Enabled - Registry id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86 description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability date: 2022/06/15 +modified: 2022/09/09 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' references: - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw 
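Review bot: `filter_empty` drops every event whose `Image` is empty or `null`, which are precisely the events where the writing process is unknown, so for a rule about WINEVT channel `Enabled` values a missing field now becomes a silent miss rather than a noisier hit. If this suppresses a known noise source, a comment naming it — e.g. `# events without a process context are excluded to reduce noise; confirm which source emits them` — should sit above the filter; otherwise absorbing that noise via `level`/`falsepositives` may be the safer choice. The `selection` this filter complements starts above the hunk.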
@@ -12,7 +13,7 @@ logsource: detection: selection: EventType: SetValue - TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck' + TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck' Details: 'DWORD (0x00000001)' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml index ec2ae7a02..1837b12e6 100755 --- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml 
@@ -1,35 +1,35 @@ title: GlobalFlags Registry Persistence Mechanisms id: 36803969-5421-41ec-b92f-8500f79c23b0 status: test -description: Detects persistence using GlobalFlags in image file executiobn options +description: Detects persistence using GlobalFlags in image file execution options author: Karneades, Jonhnathan Ribeiro references: - - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ + - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ date: 2018/04/11 -modified: 2022/03/26 +modified: 2022/09/07 logsource: - category: registry_set - product: windows + category: registry_set + product: windows detection: - selection_reg1: - TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' - selection_reg2: - - TargetObject|contains|all: - - '\Image File Execution Options\' - - '\GlobalFlag' - - TargetObject|contains|all: - - 'SilentProcessExit\' - - '\ReportingMode' - - TargetObject|contains|all: - - 'SilentProcessExit\' - - '\MonitorProcess' - condition: selection_reg1 and selection_reg2 + selection_reg1: + TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\' + selection_reg2: + - TargetObject|contains|all: + - '\Image File Execution Options\' + - '\GlobalFlag' + - TargetObject|contains|all: + - 'SilentProcessExit\' + - '\ReportingMode' + - TargetObject|contains|all: + - 'SilentProcessExit\' + - '\MonitorProcess' + condition: all of selection_* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.privilege_escalation - - attack.persistence - - attack.defense_evasion - - attack.t1546.012 - - car.2013-01-002 + - attack.privilege_escalation + - attack.persistence + - attack.defense_evasion + - attack.t1546.012 + - car.2013-01-002 
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml index 684ed8672..d96729b30 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml @@ -18,7 +18,7 @@ detection: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower' - - 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume' Details: 'DWORD (0x00000001)' selection_set_0: EventType: SetValue diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml index 74a990b86..8da757bce 100644 --- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml +++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml @@ -21,7 +21,7 @@ detection: - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\' - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\' - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\' - - '\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\' + - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\' - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\' - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\' TargetObject|endswith: '\Blob' diff --git a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml index 8766c4a55..8d398a926 100644 
--- a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml +++ b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml @@ -1,4 +1,4 @@ -title: SilentProcessExit Monitor Registrytion +title: SilentProcessExit Monitor Registration id: c81fe886-cac0-4913-a511-2822d72ff505 description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process status: experimental diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml new file mode 100644 index 000000000..4fb70441a --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml @@ -0,0 +1,22 @@ +title: Winlogon AllowMultipleTSSessions Enable +id: f7997770-92c3-4ec9-b112-774c4ef96f96 +description: Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users +author: Nasreddine Bencherchali +date: 2022/09/09 +status: experimental +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions' + Details|endswith: DWORD (0x00000001) + condition: selection +falsepositives: + - Legitmate use of the multi session functionality +level: medium +tags: + - attack.persistence diff --git a/tests/test-base64offset-all.yml b/tests/test-base64offset-all.yml new file mode 100644 index 000000000..9d23c8f65 --- /dev/null +++ b/tests/test-base64offset-all.yml 
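Review bot: The `description` of the new AllowMultipleTSSessions rule is broken into a fragment (`... is enabled. Which allows ...`) and the falsepositives entry has `Legitmate`; suggest `description: Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop sessions to be open at once. Attackers use this to connect to an RDP session without disconnecting other users` and `- Legitimate use of the multi session functionality`. `Details|endswith: DWORD (0x00000001)` is left unquoted while the other rules in this diff write `'DWORD (0x00000001)'`; quoting it keeps the style consistent. `tags` carries only `attack.persistence` with no technique id, unlike the other new rules here, which is worth a second look.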
@@ -0,0 +1,10 @@ +title: Testrule +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|base64offset|contains|all: + - foo + - bar + condition: selection \ No newline at end of file diff --git a/tests/test-windash-all.yml b/tests/test-windash-all.yml new file mode 100644 index 000000000..5335a1fd5 --- /dev/null +++ b/tests/test-windash-all.yml @@ -0,0 +1,10 @@ +title: Testrule +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|windash|contains|all: + - -foo-1 -bar-2 -bla-3 + - -foo-bar + condition: selection \ No newline at end of file diff --git a/tools/README.md b/tools/README.md index 5742d6077..946b38aa8 100644 --- a/tools/README.md +++ b/tools/README.md @@ -8,6 +8,8 @@ This folder contains libraries and the following command line tools: # Sigmac +Sigmac will be deprecated by the end of 2022 in favour of [sigma-cli](https://github.com/SigmaHQ/sigma-cli) and [pySigma](https://github.com/SigmaHQ/pySigma). Please stop contributing backends to this tool. Limited support is offered until the end of 2023, especially for backends that haven't been migrated yet. + The Sigmac is one of the most important files, as this is what sets the correct fields that your backend/database will use after being translated from the (original) log source's field names. Please read below to understand how a SIGMAC is constructed. Additionally, see [Choosing the Right Sigmac](#choosing-the-right-sigmac) for an idea of which file and command line options (if applicable) that will best suite your environment. diff --git a/tools/setup.py b/tools/setup.py index dd05b70e6..c70d80d28 100644 --- a/tools/setup.py +++ b/tools/setup.py 
@@ -14,7 +14,7 @@ with open(path.join(here, 'LONG_DESCRIPTION.md'), encoding='utf-8') as f:
 setup(
 name='sigmatools',
- version='0.21.0',
+ version='0.22.1',
 description='Tools for the Generic Signature Format for SIEM Systems',
 long_description=long_description,
 long_description_content_type="text/markdown",
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py
index c12face60..62351e838 100644
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@@ -21,6 +21,7 @@ import yaml
 import re
 from sigma.backends.exceptions import NotSupportedError
+from sigma.parser.condition import ConditionOR, NodeSubexpression
 from .mixins import RulenameCommentMixin, QuoteCharMixin
 from sigma.parser.modifiers.base import SigmaTypeModifier
@@ -328,6 +329,8 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
 return self.generateMapItemTypedNode(transformed_fieldname, value)
 elif value is None:
 return self.nullExpression % (transformed_fieldname, )
+ elif isinstance(value, NodeSubexpression):
+ return self.generateSubexpressionNode(value)
 else:
 raise TypeError("Backend does not support map values of type " + str(type(value)))
diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py
index ca294f5c3..7d8ef1eb5 100644
--- a/tools/sigma/backends/splunk.py
+++ b/tools/sigma/backends/splunk.py
@@ -48,6 +48,9 @@ class SplunkBackend(SingleTextQueryBackend):
 raise TypeError("List values must be strings or numbers")
 return "(" + (" OR ".join(['%s=%s' % (key, self.generateValueNode(item)) for item in value])) + ")"
+ def generateANDNode(self, node):
+ return "(" + super().generateANDNode(node) + ")"
+
 def generateAggregation(self, agg):
 if agg == None:
 return ""
diff --git a/tools/sigma/parser/modifiers/mixins.py b/tools/sigma/parser/modifiers/mixins.py
index 97f8ad87c..302d722de 100644
--- a/tools/sigma/parser/modifiers/mixins.py
+++ b/tools/sigma/parser/modifiers/mixins.py
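Review bot: `ConditionOR` is imported into base.py alongside `NodeSubexpression`, but nothing in this diff's base.py hunks uses it; unless another part of base.py outside the diff references it, trim the line to `from sigma.parser.condition import NodeSubexpression` so the backend's new dependency on the parser package stays as narrow as it needs to be. base.py now imports `sigma.parser.condition` at module level; if that module, directly or indirectly, imports the backends package, this becomes a circular import that only surfaces when sigmac loads a backend — worth confirming once.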
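Review bot: The new `NodeSubexpression` branch is the only one in this chain that does not pass `transformed_fieldname` on, so the items inside the subexpression must already be bound to the field they apply to; in the modifier code elsewhere in this diff those items look like bare transformed strings, so it is not visible from the hunk where the field mapping is reattached — confirm against the parser before relying on it. The enclosing method starts and ends outside the hunk and `generateSubexpressionNode` is not shown, so whether it parenthesizes its output (which interacts with the splunk change in this diff) could not be checked here. A comment on the branch would document the contract, e.g. `# NodeSubexpression comes from an expanding modifier (base64offset, windash): an OR of alternative values; the field name is not re-applied here` — adjust to what the parser actually guarantees.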
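Review bot: `generateANDNode` now parenthesizes every AND node without saying why, and the reason is not obvious from the code: in Splunk's search language `OR` binds tighter than `AND`, so an unparenthesized `a AND b OR c` is read as `a AND (b OR c)`, which is exactly what the ORed subexpressions introduced by the expanding modifiers in this diff would trigger. Add that as a docstring or comment, e.g. `# Splunk evaluates OR before AND; parenthesize so an ORed subexpression (base64offset, windash) does not absorb the other AND operands`. The wrapping is unconditional, so a node that `generateSubexpressionNode` already encloses ends up double-parenthesized — harmless for Splunk, but if it proves noisy the wrapper could skip nodes with a single item.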
@@ -14,6 +14,9 @@
 # You should have received a copy of the GNU Lesser General Public License
 # along with this program. If not, see .
+from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR, NodeSubexpression
+
+
 class ListOrStringModifierMixin(object):
 """
 Definitions and convenience methods for modifiers that can be applied to lists and strings.
@@ -28,21 +31,32 @@ class ListOrStringModifierMixin(object):
 valid_input_types = (list, tuple, str, )
 def apply(self):
- if type(self.value) in (list, tuple, ):
- return self.apply_list()
+ if isinstance(self.value, (list, tuple, ConditionBase, NodeSubexpression)):
+ return self.apply_list(self.value)
 else:
 return self.apply_str(self.value)
- def apply_list(self):
+ def apply_list(self, l):
 """Method is called if modifier value contains a list"""
- l = [ self.apply_str(val) for val in self.value ]
- rl = list()
- for i in l:
- if type(i) in { list, tuple, set }:
- rl.extend(i)
- else:
- rl.append(i)
- return rl
+ if isinstance(l, (list, tuple)):
+ l = [
+ self.apply_str(v)
+ if isinstance(v, str)
+ else self.apply_list(v)
+ for v in l ]
+ rl = list()
+ for i in l:
+ if type(i) in { list, tuple, set }:
+ rl.extend(i)
+ else:
+ rl.append(i)
+ return rl
+ elif isinstance(l, NodeSubexpression):
+ return NodeSubexpression(self.apply_list(l.items))
+ elif isinstance(l, ( ConditionOR, ConditionAND )):
+ cond = l.__class__()
+ cond.items = self.apply_list(l.items)
+ return cond
 def apply_str(self, val : str):
 """Method is called if modifier input value contains a string or once for each list element"""
diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py
index 8af354176..8a5267999 100644
--- a/tools/sigma/parser/modifiers/transform.py
+++ b/tools/sigma/parser/modifiers/transform.py
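Review bot: In the new `apply_list`, the comprehension sends every non-`str` element to `self.apply_list(v)`, and `apply_list` only has branches for lists, tuples, `NodeSubexpression` and `ConditionOR`/`ConditionAND`, so an element of any other type (an int, bytes, `None`) makes the recursive call fall off the end and return `None`, silently replacing the value — the old code ran `apply_str` on every element. Dispatch on the same types `apply` uses, `self.apply_list(v) if isinstance(v, (list, tuple, ConditionBase, NodeSubexpression)) else self.apply_str(v)`, and end the chain with `else: raise TypeError("unsupported modifier value type " + str(type(l)))` so an unexpected container fails loudly instead of vanishing. Changing `apply_list(self)` to `apply_list(self, l)` is also a signature change for any subclass that overrides it outside this diff, which would now receive an unexpected positional argument. The parameter name `l` is easy to misread as `1` (`value` or `items` reads better), and the docstring still says the method is called only when the value "contains a list" although it now handles condition nodes too.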
@@ -14,9 +14,10 @@
 # You should have received a copy of the GNU Lesser General Public License
 # along with this program. If not, see .
+import re
 from .base import SigmaTransformModifier
 from .mixins import ListOrStringModifierMixin
-from sigma.parser.condition import ConditionAND
+from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR, NodeSubexpression
 from base64 import b64encode
 class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -24,14 +25,17 @@ class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
 identifier = "contains"
 active = True
- def apply_str(self, val : str):
- if not val.startswith("*"):
- val = "*" + val
- if not val.endswith("*"):
- if val.endswith("\\"):
- val += "\\*"
- else:
- val += "*"
+ def apply_str(self, val):
+ try:
+ if not val.startswith("*"):
+ val = "*" + val
+ if not val.endswith("*"):
+ if val.endswith("\\"):
+ val += "\\*"
+ else:
+ val += "*"
+ except AttributeError:
+ pass
 return val
 class SigmaStartswithModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -61,7 +65,7 @@ class SigmaAllValuesModifier(SigmaTransformModifier):
 """Override default OR-linking behavior for list with AND-linking of all list values"""
 identifier = "all"
 active = True
- valid_input_types = (list, tuple, )
+ valid_input_types = (list, tuple, ConditionBase)
 def apply(self):
 vals = super().apply()
@@ -93,7 +97,7 @@ class SigmaBase64OffsetModifier(ListOrStringModifierMixin, SigmaTransformModifie
 def apply_str(self, val):
 if type(val) == str:
 val = val.encode()
- return [
+ items = [
 b64encode(
 i * b' ' + val
 )[
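Review bot: The new `try: ... except AttributeError: pass` in `SigmaContainsModifier.apply_str` silences every `AttributeError` raised inside the block, not only the one a non-string `val` produces, so a genuine bug in the wildcard logic would now pass the value through unchanged. The intent — a value that is not a string (presumably a condition node forwarded by the mixin changes in this diff) is returned untouched — is narrower and clearer as a guard at the top of the method, `if not isinstance(val, str): return val`, with the rest of the body left as it was. Dropping the `val : str` annotation is consistent with the wider input, but a one-line docstring saying that non-string values pass through unchanged would tell the next reader why.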
@@ -102,6 +106,46 @@ class SigmaBase64OffsetModifier(ListOrStringModifierMixin, SigmaTransformModifie
 ].decode()
 for i in range(3)
 ]
+ cond = ConditionOR()
+ cond.items = items
+ return NodeSubexpression(cond)
+
+class SigmaWindashModifier(ListOrStringModifierMixin, SigmaTransformModifier):
+ """
+ Expand parameter characters / and - that are often interchangeable in Windows into the other
+ form if it appears between word boundaries. E.g. in -param-name the first dash will be expanded
+ into /param-name while the second dash is left untouched.
+ """
+ identifier = "windash"
+ active = True
+ valid_input_types = ListOrStringModifierMixin.valid_input_types
+
+ def expand_dashes(self, val, locations, offset=0):
+ i = locations[0]
+ if len(locations) == 1:
+ subexpansions = [ val[i + 1:]]
+ else:
+ subexpansions = self.expand_dashes(val, locations[1:], i + 1)
+
+ return [
+ val[offset:i] + expanded + subexpansion
+ for expanded in ("-", "/")
+ for subexpansion in subexpansions
+ ]
+
+ def apply_str(self, val):
+ dash_locations = [
+ m.start()
+ for m in re.finditer(re.compile("\\B[-/]\\b"), val)
+ ]
+ if dash_locations == []:
+ return val
+ else:
+ items = self.expand_dashes(val, dash_locations)
+
+ cond = ConditionOR()
+ cond.items = items
+ return NodeSubexpression(cond)
 class SigmaEncodingBaseModifier(ListOrStringModifierMixin, SigmaTransformModifier):
 """
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 8aae2d3fd..8c5f2e62f 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -1,7 +1,6 @@
 #!/usr/bin/env python3
 # A Sigma to SIEM converter
 # Copyright 2016-2017 Thomas Patzke, Florian Roth
-
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
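Review bot: `SigmaWindashModifier.expand_dashes` yields 2^k variants for k matched dash positions and `apply_str` puts all of them into the `ConditionOR` with no upper bound, so a command-line value with a dozen `-param` switches becomes thousands of ORed terms, and with the `contains|all` chaining the windash test in this diff uses, that multiplies per list element and can exceed backend query limits. At minimum the class docstring should state the 2^k growth so rule authors keep `windash` values to a few switches; a cap that raises a clear error would be safer than an oversized query. The pattern is also compiled on every call and then handed to `re.finditer`, which accepts a pattern string directly; hoist it as `_WINDASH_RE = re.compile(r"\B[-/]\b")` at module level and iterate `_WINDASH_RE.finditer(val)`. Unlike the contains modifier in this diff, this `apply_str` does not tolerate a non-string `val` (`re.finditer` raises `TypeError`), so confirm the mixin never forwards a condition node to it.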
@@ -37,6 +36,7 @@ import codecs
 import copy
 import time
 import datetime
+from termcolor import colored
 sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())
@@ -64,6 +64,12 @@ ERR_FULL_FIELD_MATCH = 90
 # Allowed fields in output
 allowed_fields = ["title", "id", "status", "description", "author", "references", "fields", "falsepositives", "level", "tags", "filename"]
+deprecation_warning_message = colored("Sigmac will be deprecated by the end of 2022",
+ "red") + " in favour of sigma-cli and pySigma. Please " + colored("stop contributing backends", "red") + \
+ " to this tool. Limited support is offered until the end of 2023, " \
+ "especially for backends that haven't been migrated yet.\n "
+
+
 def alliter(path):
 for sub in path.iterdir():
 if sub.name.startswith("."):
@@ -96,7 +102,7 @@ class ActionBackendHelp(argparse.Action):
 def set_argparser():
 """Sets up and parses the command line arguments for Sigmac. Returns the argparser"""
- argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")
+ argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.\n" + deprecation_warning_message, formatter_class=argparse.RawTextHelpFormatter)
 argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")
 argparser.add_argument("--filter", "-f", help="""
 Define comma-separated filters that must match (AND-linked) to rule to be processed.
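Review bot: `from termcolor import colored` makes a third-party package a hard, module-level requirement of sigmac, yet the only setup.py change in this diff is the version bump; if `install_requires` (outside the diff) does not list `termcolor`, a plain `pip install` of the tools package breaks at import time rather than at the point the deprecation text is printed. Either add it to the distribution's dependencies or fall back to plain text when the import fails, e.g. `try: from termcolor import colored` / `except ImportError: colored = lambda text, *a, **k: text`.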
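Review bot: `deprecation_warning_message` is built with `colored(...)` at import time, so the ANSI escape sequences are baked into the string regardless of where it is later written; depending on the termcolor version this emits escapes even when stdout is a pipe or a file, and the string ends in `"\n "`, which prints a stray line holding a single space. Build it conditionally, e.g. `_color = colored if sys.stderr.isatty() else (lambda text, *a, **k: text)`, use `_color` in place of `colored`, and drop the trailing space after the newline.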
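Review bot: Passing `formatter_class=argparse.RawTextHelpFormatter` in `set_argparser` changes rendering for every option's help text, not just the description: argparse stops re-wrapping, so long single-line help strings such as the `--recurse` one in this hunk are printed as one unwrapped line at whatever width the terminal has. If the goal was only to keep the newline before the deprecation notice, `argparse.RawDescriptionHelpFormatter` preserves the description's layout while leaving argument help wrapped as before.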
@@ -109,14 +115,14 @@ def set_argparser(): Multiple log source specifications are AND linked. Special filter: inlastday=X rule create or modified in the last X days period - tlp=valid_tlp if rule have no tlp set to WHITE + tlp=valid_tlp if rule have no tlp set to WHITE """) argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format") argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") argparser.add_argument("--lists-files-after-date", "-L",help="List yml files which is modified/created after the date (Example of the date: 2022/02/01).") argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.") argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\')") - argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself). + argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself). Select the fields you want by providing their list delimited with commas (no space). Only work with the '--output-format' option and with 'json' or 'yaml' value. available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags. This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """) 
@@ -132,7 +138,7 @@ def set_argparser():
 argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
 argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
 argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)")
-
+
 return argparser
 def list_backends(debug):
@@ -201,6 +207,7 @@ def main():
 sys.exit(0)
 elif len(cmdargs.inputs) == 0:
 print("Nothing to do!")
+ print(deprecation_warning_message)
 argparser.print_usage()
 sys.exit(0)
@@ -264,7 +271,7 @@ def main():
 exit(ERR_CONFIG_PARSING)
 if cmdargs.output_fields:
- if cmdargs.output_format:
+ if cmdargs.output_format:
 output_fields_rejected = [field for field in cmdargs.output_fields.split(",") if field not in allowed_fields] # Not allowed fields
 if output_fields_rejected:
 print("These fields are not allowed (check help for allow field list) : %s" % (", ".join(output_fields_rejected)), file=sys.stderr)
@@ -277,7 +284,7 @@ def main():
 backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config)
 backend = backend_class(sigmaconfigs, backend_options)
-
+
 filename_ext = cmdargs.output_extention
 filename = cmdargs.output
 fileprefix = None
@@ -289,7 +296,7 @@ def main():
 filename_ext = '.' + filename_ext
 else:
 filename_ext = '.rule'
-
+
 if filename[-1:] in ['_','/','\\']:
 fileprefix = filename
 else:
@@ -321,7 +328,7 @@ def main():
 nb_result = len(list(copy.deepcopy(results)))
 inc_filenane = None if nb_result < 2 else 0
-
+
 newline_separator = '\0' if cmdargs.print0 else '\n'
 results = list(results) # Since results is an iterator and used twice we convert it a list
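Review bot: `print(deprecation_warning_message)` in the no-input branch of `main()` writes to stdout, which is where sigmac emits converted queries, while its other diagnostics in this diff go to stderr (`file=sys.stderr`); use `print(deprecation_warning_message, file=sys.stderr)` so scripted callers that capture stdout do not receive the notice or its ANSI escapes. As far as this hunk shows, the notice is only printed when there is nothing to do and in `--help`, so a normal conversion run never sees it, which undercuts the purpose of a deprecation warning; the rest of `main()` is outside the hunk, so it may already be emitted elsewhere — if not, print it once per invocation to stderr.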
@@ -338,7 +345,7 @@ def main():
 elif not fileprefix == None and inc_filenane == None: # a simple yml
 try:
 filename = fileprefix + str(sigmafile.name)
- filename = filename.replace('.yml',filename_ext)
+ filename = filename.replace('.yml',filename_ext)
 out = open(filename, "w", encoding='utf-8')
 except (IOError, OSError) as e:
 print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
@@ -368,7 +375,7 @@ def main():
 fileprefix = None # no need to open the same file many time
 except (IOError, OSError) as e:
 print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
- exit(ERR_OUTPUT)
+ exit(ERR_OUTPUT)
 except OSError as e:
 print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
@@ -429,16 +436,16 @@ def main():
 if not cmdargs.ignore_backend_errors:
 error = ERR_FULL_FIELD_MATCH
 if not cmdargs.defer_abort:
- sys.exit(error)
+ sys.exit(error)
 finally:
 try:
 f.close()
 except:
 pass
-
+
 if success :
- logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile))
-
+ logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile))
+
 result = backend.finalize()
 if result:
 print(result, file=out)