diff --git a/README.md b/README.md index 1fdeccde6..38d1e6b26 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2 1. Download or clone the repository 2. Check the `./rules` sub directory for an overview on the rule base 3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter -4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/proc_creation_win_susp_whoami.yml` +4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c config/generic/sysmon.yml ../rules/windows/process_creation/proc_creation_win_susp_whoami.yml` 5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/` 6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index 793bf6d05..b448d4123 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml @@ -10,7 +10,7 @@ references: - https://perishablepress.com/blacklist/ua-2013.txt - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents date: 2017/07/08 -modified: 2022/09/05 +modified: 2022/09/29 logsource: category: proxy detection: @@ -76,6 +76,7 @@ detection: - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update + - 'antSword/v2.1' # AntSword Webshell UA condition: selection fields: - ClientIP 
diff --git a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml index 4db2ccc9e..6469e1daa 100644 --- a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml +++ b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml @@ -3,7 +3,7 @@ id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1 description: Detects potential mimikatz-like tools accessing LSASS from non system account status: experimental date: 2019/06/20 -modified: 2021/11/22 +modified: 2022/09/28 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html @@ -50,7 +50,10 @@ detection: filter1: SubjectUserName|endswith: '$' filter2: - ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + filter3: + ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe' + AccessMask: '0x1410' condition: selection and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/builtin/security/win_possible_dc_shadow.yml b/rules/windows/builtin/security/win_possible_dc_shadow.yml index 4246d4891..db744f2d6 100644 --- a/rules/windows/builtin/security/win_possible_dc_shadow.yml +++ b/rules/windows/builtin/security/win_possible_dc_shadow.yml @@ -1,10 +1,10 @@ -title: Possible DC Shadow +title: Possible DC Shadow Attack id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed description: Detects DCShadow via create new SPN status: experimental author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah date: 2019/10/25 -modified: 2021/07/06 +modified: 2022/09/29 references: - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml - https://twitter.com/gentilkiwi/status/1003236624925413376 
@@ -26,5 +26,5 @@ detection: AttributeValue|startswith: 'GC/' condition: selection1 or selection2 falsepositives: - - Exclude known DCs -level: high + - Valid on domain controllers; exclude known DCs +level: medium diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index cc71a77b0..6a385bc5e 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2022/09/27 +modified: 2022/09/28 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment @@ -72,10 +72,9 @@ detection: filter3: ProcessName: 'C:\Windows\CCM\CcmExec.exe' filter4: - ProcessName: 'C:\Windows\System32\taskhostw.exe' - AccessMask: - - '0x10' - - '0x1410' + ProcessName: + - 'C:\Windows\System32\taskhostw.exe' + - 'C:\Windows\System32\msiexec.exe' condition: 1 of selection_* and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml new file mode 100644 index 000000000..47999251e --- /dev/null +++ b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml 
@@ -0,0 +1,27 @@ +title: Bumblebee Remote Thread Creation +id: 994cac2b-92c2-44bf-8853-14f6ca39fbda +status: experimental +description: Detects remote thread injection events based on action seen used by bumblebee +author: Nasreddine Bencherchali +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +date: 2022/09/27 +logsource: + product: windows + category: create_remote_thread +detection: + selection: + SourceImage|endswith: + - '\wabmig.exe' + - '\wab.exe' + - '\ImagingDevices.exe' + TargetImage|endswith: '\rundll32.exe' + condition: selection +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.011 + - attack.t1059.001 +falsepositives: + - Unknown +level: high diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_cactustorch.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml 
diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml 
diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_target.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_remote_thread_target.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml index 8521d3bb0..afc3db3f9 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml @@ -6,7 +6,7 @@ references: - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection author: Florian Roth date: 2022/03/16 -modified: 2022/08/17 +modified: 2022/09/29 logsource: product: windows category: create_remote_thread @@ -22,7 +22,11 @@ detection: - '\explorer.exe' filter: StartFunction: 'EtwpNotificationThread' - condition: selection and not filter + filter_programfiles: + SourceImage|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + condition: selection and not 1 of filter* falsepositives: - Unknown level: high diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml index 742ec1d9a..3fb6d2b0c 100644 --- a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml +++ b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml 
@@ -9,15 +9,17 @@ related: type: obsoletes status: experimental description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution + - https://redcanary.com/blog/misbehaving-rats/ author: frack113 date: 2022/07/11 +modified: 2022/09/19 logsource: product: windows category: dns_query 
@@ -27,9 +29,11 @@ detection: - '.getgo.com' - '.logmein.com' - '.ammyy.com' + - '.netsupportsoftware.com' # For NetSupport Manager RAT + - 'remoteutilities.com' # Usage of Remote Utilities RAT condition: selection falsepositives: - - Unknown + - FP may be caused in legitimate usage of the softwares mentioned above level: medium tags: - attack.command_and_control diff --git a/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml new file mode 100644 index 000000000..aaaac6289 --- /dev/null +++ b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml @@ -0,0 +1,26 @@ +title: Suspicious Binary Writes Via AnyDesk +id: 2d367498-5112-4ae5-a06a-96e7bc33a211 +status: experimental +description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/28 +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: '\anydesk.exe' + TargetFilename|endswith: + - '.dll' + - '.exe' + filter_dlls: + TargetFilename|endswith: '\gcapi.dll' + condition: selection and not 1 of filter_* +falsepositives: + - Unknown +level: high +tags: + - attack.command_and_control + - attack.t1219 diff --git a/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml new file mode 100644 index 000000000..c924dd891 --- /dev/null +++ b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml 
@@ -0,0 +1,32 @@ +title: Suspicious ASPX File Drop by Exchange +id: bd1212e5-78da-431e-95fa-c58e3237a8e6 +description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder +author: Florian Roth (rule), MSTI (query, idea) +status: experimental +references: + - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ + - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html + - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html +date: 2022/10/01 +tags: + - attack.persistence + - attack.t1505.003 +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: '\w3wp.exe' + CommandLine|contains: 'MSExchange' + TargetFilename|contains: + - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports + - '\inetpub\wwwroot\aspnet_client\' # from GTSC report + selection_types: + TargetFilename|endswith: + - '.aspx' + - '.asp' + - '.ashx' + condition: all of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file_event/file_event_win_ripzip_attack.yml index 78039d23b..a7b422a4c 100644 --- a/rules/windows/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file_event/file_event_win_ripzip_attack.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19 author: Greg (rule) date: 2022/07/21 -modified: 2022/07/25 +modified: 2022/09/27 tags: - attack.t1547 - attack.persistence diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 53f7ec255..f74a18219 100644 
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/09/27 +modified: 2022/09/29 tags: - attack.defense_evasion - attack.persistence @@ -423,8 +423,13 @@ detection: filter_azure: ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' filter_dell: - Image: 'C:\Windows\System32\backgroundTaskHost.exe' + Image|startswith: + - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' + - 'C:\Windows\System32\backgroundTaskHost.exe' ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' + filter_cleanmgr: + Image: 'C:\Windows\System32\cleanmgr.exe' + ImageLoaded|endswith: '\ssshim.dll' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index c018ae144..ebc4aecc5 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) date: 2022/07/17 -modified: 2022/09/10 +modified: 2022/09/29 tags: - attack.defense_evasion - attack.t1070 
@@ -23,12 +23,17 @@ detection: - '\Downloads\' - '\AppData\Local\Temp\' - 'C:\PerfLogs\' - filter: + filter_generic: - Image|endswith: '\msiexec.exe' - ImageLoaded|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - condition: selection and not filter + filter_cleanmgr: + # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C: + # Sometimes the DLL gets loaded from %temp% + Image: 'C:\Windows\System32\cleanmgr.exe' + ImageLoaded|endswith: '\ssshim.dll' + condition: selection and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml index 5d29c0819..558746b04 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml @@ -4,7 +4,7 @@ status: experimental description: Detecting use WinAPI Functions in PowerShell author: Nikita Nazarov, oscd.community, Tim Shelton date: 2020/10/06 -modified: 2022/05/23 +modified: 2022/09/29 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -41,8 +41,8 @@ detection: # - 'WriteByte' # FP with .NET System.IO.FileStream - 'WriteInt32' - 'OpenThreadToken' - - 'PtrToString' - - 'FreeHGlobal' + # - 'PtrToString' + # - 'FreeHGlobal' - 'ZeroFreeGlobalAllocUnicode' - 'OpenProcessToken' - 'GetTokenInformation' diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index b322595a4..81022ce86 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml 
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2022/09/13 +modified: 2022/09/29 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -122,6 +122,10 @@ detection: filter_malwarebytes: SourceImage: 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' GrantedAccess: '0x1410' + filter_defender: + CallTrace|contains: + - '|c:\program files\windows defender\mprtp.dll' + - '|c:\program files\windows defender\MpClient.dll' # Old - too broad filter # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts # - '\wmiprvse.exe' diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index 1b9c6a1f3..0f20ccca4 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml @@ -4,7 +4,7 @@ status: experimental description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. author: Samir Bousseaden, Michael Haag date: 2019/04/03 -modified: 2022/03/20 +modified: 2022/09/29 references: - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html 
@@ -40,6 +40,8 @@ detection: - '\thor\thor64.exe+' - '|UNKNOWN(' GrantedAccess: '0x103800' + filter_sysmon: + SourceImage: 'C:\Windows\Sysmon64.exe' condition: selection and not 1 of filter* falsepositives: - False positives are present when looking for 0x1410. Exclusions may be required. diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index 726d944dc..8e49db55b 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml @@ -4,7 +4,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder author: Florian Roth date: 2021/11/27 -modified: 2022/09/20 +modified: 2022/09/30 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -88,6 +88,10 @@ detection: SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' SourceImage|endswith: '.tmp\GoogleUpdate.exe' GrantedAccess: '0x410' + filter_adobe_temp: + SourceImage|startswith: + - 'C:\Program Files (x86)\Common Files\Adobe\ARM\' + - 'C:\Program Files\Common Files\Adobe\ARM\' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml new file mode 100644 index 000000000..c27c46d22 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml 
@@ -0,0 +1,26 @@ +title: AnyDesk Inline Piped Password +id: b1377339-fda6-477a-b455-ac0923f9ec2c +status: experimental +author: Nasreddine Bencherchali +date: 2022/09/28 +description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag +references: + - https://redcanary.com/blog/misbehaving-rats/ +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password + - '/c' + - 'echo ' + - ' --set-password' + condition: selection +falsepositives: + - Legitimate piping of the password to anydesk + - Some FP could occure with similar tools that uses the same command line '--set-password' +level: high +tags: + - attack.command_and_control + - attack.t1219 diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml index 4cf3b46ed..56babca75 100644 --- a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml +++ b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml @@ -8,13 +8,14 @@ references: - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20 - https://support.anydesk.com/Automatic_Deployment tags: + - attack.command_and_control - attack.t1219 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - '--install' - '--start-with-win' - '--silent' diff --git a/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml b/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml index 89c5e0bc0..9d5158da4 100644 --- a/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml +++ b/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml 
@@ -1,7 +1,7 @@ title: Phishing Pattern ISO in Archive id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1 status: experimental -description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is open a signa of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) +description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) author: Florian Roth references: - https://twitter.com/1ZRR4H/status/1534259727059787783 diff --git a/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml new file mode 100644 index 000000000..0277d4b14 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml @@ -0,0 +1,25 @@ +title: Copy DMP Files From Share +id: 044ba588-dff4-4918-9808-3f95e8160606 +status: experimental +description: Detects usage of the copy command to copy files with the .dmp extensions from a remote share +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + # Example: copy \\\\\\lsass.dmp C:\Users\lsass.dmp + - ' /c ' + - '.dmp' + - 'copy ' + - ' \\\\' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access diff --git a/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml new file mode 100644 index 000000000..b2e89c510 --- /dev/null 
+++ b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml @@ -0,0 +1,29 @@ +title: ImagingDevices Unusual Parent Or Child Processes +id: f11f2808-adb4-46c0-802a-8660db50fa99 +status: experimental +description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +tags: + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: + # Add more if known + - \WmiPrvSE.exe + - \svchost.exe + - \dllhost.exe + Image|endswith: '\ImagingDevices.exe' + selection_child: + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy + ParentImage|endswith: '\ImagingDevices.exe' + condition: 1 of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml b/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml index 1a9307dc5..c9a5764a9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml 
@@ -6,7 +6,9 @@ references: - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml -author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag' + - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A + - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set +author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)' tags: - attack.t1204.002 - attack.t1047 @@ -15,7 +17,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 -modified: 2022/07/20 +modified: 2022/10/03 logsource: product: windows category: process_creation @@ -30,6 +32,7 @@ detection: - '\verclsid.exe' - '\msdt.exe' - '\control.exe' + - '\msidb.exe' ParentImage|endswith: - '\winword.exe' - '\excel.exe' diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml index 658c9c1ad..d7e302321 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml @@ -29,5 +29,5 @@ detection: ParentImage|endswith: '\wbem\WmiPrvSE.exe' condition: selection falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml new file mode 100644 index 000000000..e3bb4105a --- /dev/null 
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml @@ -0,0 +1,25 @@ +title: Execution of Renamed NetSupport RAT +id: 0afbd410-de03-4078-8491-f132303cb67d +status: experimental +description: Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Product|contains: 'NetSupport Remote Control' + - OriginalFileName|contains: 'client32.exe' + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E + filter: + Image|endswith: '\client32.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml new file mode 100644 index 000000000..67108fb20 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml @@ -0,0 +1,28 @@ +title: Execution of Renamed Remote Utilities RAT (RURAT) +id: 9ef27c24-4903-4192-881a-3adde7ff92a5 +status: experimental +description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + Product: 'Remote Utilities' + filter: + Image|endswith: + - '\rutserv.exe' + - '\rfusclient.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.collection + - attack.command_and_control + - attack.discovery + - attack.s0592 
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 9d73005a8..86a5ee3f5 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -4,6 +4,7 @@ description: Detects suspicious start of rundll32.exe with a parent process of E status: experimental references: - https://redcanary.com/blog/raspberry-robin/ + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: CD_ROM_ date: 2022/05/21 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_screenconnect.yml b/rules/windows/process_creation/proc_creation_win_screenconnect.yml index 515f45653..f0d31afec 100644 --- a/rules/windows/process_creation/proc_creation_win_screenconnect.yml +++ b/rules/windows/process_creation/proc_creation_win_screenconnect.yml @@ -19,7 +19,7 @@ detection: - Company: 'ScreenConnect Software' condition: selection falsepositives: - - Legitimate use + - Legitimate usage of the tool level: medium tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml new file mode 100644 index 000000000..0079f9ca3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml 
@@ -0,0 +1,30 @@ +title: 7Zip Compressing Dump Files +id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 +related: + - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc + type: derived +status: experimental +description: Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\7z.exe' + - '\7zr.exe' + - '\7za.exe' + - Description|contains: '7-Zip' + dumpfile: + CommandLine|contains: '.dmp' + condition: selection and dumpfile +falsepositives: + - Legitimate use of 7-Zip with a command line in which .dmp appears accidentally +level: high +tags: + - attack.collection + - attack.t1560.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 430e9364d..3d683d11e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2021/12/17 +modified: 2022/09/29 tags: - attack.defense_evasion - attack.t1202 @@ -16,9 +16,14 @@ logsource: detection: selection: ParentImage|endswith: '\conhost.exe' - filter: + filter_provider: Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora - condition: selection and not filter + filter_git: + # Example FP: + # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file + Image|endswith: '\git.exe' + ParentCommandLine|contains: ' show ' + condition: selection and not 1 of filter_* fields: - Image - CommandLine 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml new file mode 100644 index 000000000..5ee17263d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml @@ -0,0 +1,28 @@ +title: Execution of NetSupport RAT From Unusual Location +id: 37e8d358-6408-4853-82f4-98333fca7014 +status: experimental +description: Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\Program Files') +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\client32.exe' + - Product|contains: 'NetSupport Remote Control' + - OriginalFileName|contains: 'client32.exe' + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e + filter: + Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml new file mode 100644 index 000000000..464f1000f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml 
@@ -0,0 +1,27 @@ +title: Execution of Remote Utilities RAT (RURAT) From Unusual Location +id: e01fa958-6893-41d4-ae03-182477c5e77d +status: experimental +description: Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\Program Files') +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\rutserv.exe' + - '\rfusclient.exe' + - Product: 'Remote Utilities' + filter: + Image|startswith: + - 'C:\Program Files\Remote Utilities' + - 'C:\Program Files (x86)\Remote Utilities' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml index 7fa86299a..dc6c839b6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml @@ -20,7 +20,7 @@ detection: CommandLine|contains: '.dmp' condition: selection and dumpfile falsepositives: - - Legitimate use of WinRAR with a command line in which .dmp appears incidentally + - Legitimate use of WinRAR with a command line in which .dmp appears accidentally level: high tags: - attack.collection diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml index 601a65f63..1a188d5a9 100644 --- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml +++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml 
@@ -1,12 +1,14 @@ title: Wab Execution From Non Default Location id: 395907ee-96e5-4666-af2e-2ca91688e151 status: experimental -description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity +description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -15,7 +17,9 @@ logsource: product: windows detection: selection: - Image|endswith: '\wab.exe' + Image|endswith: + - '\wab.exe' + - '\wabmig.exe' filter: Image|startswith: - 'C:\Windows\WinSxS\' @@ -23,5 +27,5 @@ detection: - 'C:\Program Files (x86)\Windows Mail\' condition: selection and not filter falsepositives: - - Unlikely + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml index ad84a9698..f5720ce04 100644 --- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml +++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml 
@@ -1,12 +1,14 @@ -title: Wab.Exe Unusual Parent Or Child Processes +title: Wab/Wabmig Unusual Parent Or Child Processes id: 63d1ccc0-2a43-4f4b-9289-361b308991ff status: experimental -description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity +description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -20,10 +22,15 @@ detection: - \WmiPrvSE.exe - \svchost.exe - \dllhost.exe - Image|endswith: '\wab.exe' + Image|endswith: + - '\wab.exe' + - '\wabmig.exe' # (Microsoft Address Book Import Tool) selection_child: - ParentImage|endswith: '\wab.exe' + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy + ParentImage|endswith: + - '\wab.exe' + - '\wabmig.exe' # (Microsoft Address Book Import Tool) condition: 1 of selection_* falsepositives: - - Unlikely + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml index 0afe7b43e..0068a7f2c 100644 --- a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml 
@@ -4,8 +4,10 @@ status: experimental description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/09/14 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -19,6 +21,7 @@ detection: - 'Asd123.aaaa' - 'password123' - '123456789' + - 'P@ssw0rd!' condition: selection falsepositives: - Legitimate usage of the passwords by users via commandline (should be discouraged) diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml new file mode 100644 index 000000000..7cc10f069 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml 
@@ -0,0 +1,35 @@ +title: Chopper Webshell Process Pattern +id: fa3c117a-bc0d-416e-a31b-0c0e80653efb +description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells +author: Florian Roth (rule), MSTI (query) +status: experimental +references: + - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ +date: 2022/10/01 +tags: + - attack.persistence + - attack.t1505.003 + - attack.t1018 + - attack.t1033 + - attack.t1087 +logsource: + category: process_creation + product: windows +detection: + selection_origin: + - Image|endswith: '\w3wp.exe' + - ParentImage|endswith: '\w3wp.exe' + selection_cmdline: + CommandLine|contains: + - '&ipconfig&echo' + - '&quser&echo' + - '&whoami&echo' + - '&c:&echo' + - '&cd&echo' + - '&dir&echo' + - '&echo [E]' + - '&echo [S]' + condition: all of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml index 03df88539..a6e6506f3 100755 --- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml 
@@ -6,18 +6,22 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Kutepov Anton, oscd.community date: 2019/10/23 -modified: 2022/03/26 +modified: 2022/09/29 logsource: category: registry_add product: windows detection: selection: EventType: 'CreateKey' # don't want DeleteKey events - TargetObject|contains|all: + TargetObject|contains|all: - 'HKU\' - 'Classes\CLSID\' - '\TreatAs' - condition: selection + filter_svchost: + # Example of target object by svchost + # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs + Image: 'C:\WINDOWS\system32\svchost.exe' + condition: selection and not 1 of filter_* falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compatibility level: medium diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml index 234213d68..02b5704aa 100644 --- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml +++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml @@ -3,6 +3,7 @@ id: 7d9263bd-dc47-4a58-bc92-5474abab390c description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel author: frack113 date: 2022/09/17 +modified: 2022/09/29 status: experimental references: - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ 
@@ -21,7 +22,11 @@ detection: - '(A;;0x1;;;SY)' # Local System having GENERIC ALL - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL - condition: selection + filter_trustedinstaller: + Image: 'C:\Windows\servicing\TrustedInstaller.exe' + filter_ti_worker: + Image|endswith: '\TiWorker.exe' + condition: selection and not 1 of filter* falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml new file mode 100644 index 000000000..8d8c3eb24 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml 
@@ -0,0 +1,35 @@ +title: RDP Sensitive Settings Changed +id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b +related: + - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c + type: similar +status: test +description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc +author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali +references: + - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key + - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique + - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html + - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ + - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information + - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) +date: 2022/09/29 +logsource: + category: registry_set + product: windows +detection: + selection: + TargetObject|endswith: + - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled + - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions + - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established + 
Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) +level: medium +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml index c41ddf350..f14fc77fe 100644 --- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml @@ -5,6 +5,8 @@ related: type: obsoletes - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 type: obsoletes + - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b + type: similar status: test description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali @@ -17,6 +19,7 @@ references: - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) date: 2022/08/06 +modified: 2022/09/29 logsource: category: registry_set product: windows 
@@ -37,13 +40,7 @@ detection: TargetObject|contains: - '\Control\Terminal Server\' - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\' - selection_terminal_services_values_0: - TargetObject|endswith: - - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled - - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions - - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established - Details: 'DWORD (0x00000000)' - selection_terminal_services_values_1: + selection_terminal_services_values: TargetObject|endswith: - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers - '\fAllowUnsolicitedFullControl' @@ -56,7 +53,7 @@ detection: - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. - '\Control\Terminal Server\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. - condition: selection_shadow or (selection_terminal_services_key and 1 of selection_terminal_services_values_*) or selection_tamper_only + condition: selection_shadow or (selection_terminal_services_key and selection_terminal_services_values) or selection_tamper_only falsepositives: - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) level: high diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml index 9313a2ea7..6b453e15e 100644 
--- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml @@ -19,10 +19,15 @@ detection: Image|endswith: '\OfficeClickToRun.exe' filter_office2: Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + filter_svchost: + # Example of target object by svchost + # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) + # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) + Image: 'C:\WINDOWS\system32\svchost.exe' condition: selection and not 1 of filter_* falsepositives: - Legitimate use level: medium tags: - - attack.persistence - - attack.t1546.015 + - attack.persistence + - attack.t1546.015 diff --git a/tools/README.md b/tools/README.md index 946b38aa8..6e42d63d7 100644 --- a/tools/README.md +++ b/tools/README.md @@ -373,8 +373,8 @@ with the identifier `datadog-logs`. This query can be used in the Security Monit #### Config file The Datadog backend does not require a config file. If you choose to add one, you can specify tags in addition to the existing features. -While attributes will be queried with `@my-attribute:attribute_value` specified tags will be queried with `my-tag:service_value`. -For an example, see `tools/config/datadog.yml`. +While attributes will be queried with `default_attribute: new_attribute` specified tags will be queried with `new_attribute`. +For an example, see `tools/config/datadog.yml`, `DemoEventID` will be replaced by `@event.id`. #### Backend options The backend options allow you to override tags such as `index`, `service` and `source`. Note that `index` is not available in the Security Monitoring product. 
@@ -383,6 +383,9 @@ Example ``` tools/sigmac -t datadog-logs ./rules/cloud/aws/aws_attached_malicious_lambda_layer.yml --backend-option index=index_value --backend-option service=service_value ``` +``` +tools/sigmac -t datadog-logs ./rules/cloud/aws/aws_attached_malicious_lambda_layer.yml --config config/datadog.yml +``` #### Tests You can run the backend unit tests with: diff --git a/tools/config/datadog.yml b/tools/config/datadog.yml index e68269dc0..2dd68200b 100644 --- a/tools/config/datadog.yml +++ b/tools/config/datadog.yml @@ -2,4 +2,13 @@ title: Datadog Example Config order: 20 backends: - datadog-logs -tags: [] +index: +service: +source: +host: +device: +env: +version: +tags: + DemoEventID: '@event.id' + diff --git a/tools/sigma/backends/datadog.py b/tools/sigma/backends/datadog.py index 80d6f880b..067fedfc3 100644 --- a/tools/sigma/backends/datadog.py +++ b/tools/sigma/backends/datadog.py @@ -14,8 +14,7 @@ # You should have received a copy of the GNU Lesser General Public License # along with this program. If not, see . -import re - +from re import compile from sigma.backends.base import SingleTextQueryBackend from sigma.parser.condition import NodeSubexpression @@ -41,13 +40,22 @@ class DatadogLogsBackend(SingleTextQueryBackend): notNullExpression = "%s:*" # The escaped characters list comes from https://docs.datadoghq.com/logs/explorer/search_syntax/#escaping-of-special-characters. - specialCharactersRegexp = re.compile(r'([+\-=&|>
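Review bot: The new Twitter reference added to the Office-spawning rule carries session tracking parameters, `?s=20&t=QiJILvK4ZiBdR8RJe24u-A`; trim it to the bare status URL so the reference stays stable and does not embed a viewer token. Same for the `?t=...&s=03` suffix on the SagieSec link copied into the new terminal-server rule further down.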
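Review bot: In the new `proc_creation_win_renamed_netsupport_rat.yml`, the two imphash selectors disagree on case: `Imphash: a9d50692e95b79723f3e76fcf70d023e` is lowercase while `Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E` is uppercase, and the sibling `proc_creation_win_susp_netsupport_rat_exec_location.yml` in this same patch spells the `Hashes` value lowercase. Sysmon emits the `Hashes` field in uppercase hex; pick one form and use it in both rules so the two stay interchangeable whatever a given backend does with case. Consider also tagging the rename technique itself (`attack.t1036.003`) next to `attack.defense_evasion`, since a renamed binary is the rule's whole premise.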
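Review bot: The Bumblebee round-two reference is added to `proc_creation_win_rundll32_parent_explorer.yml` but the rule's `modified:` field is not bumped; the only date in the visible context is `date: 2022/05/21`. The other rules in this patch that receive the same reference (`proc_creation_win_wab_*`, `proc_creation_win_weak_or_abused_passwords.yml`) add `modified: 2022/09/27` alongside it, so do the same here to keep the metadata consistent.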
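Review bot: The `Image|endswith` list in the new `proc_creation_win_susp_7zip_dmp.yml` covers `\7z.exe`, `\7zr.exe` and `\7za.exe` but not the GUI front-ends `\7zG.exe` and `\7zFM.exe`, which also accept command-line arguments; those are only caught when the log source populates `Description`, so a process-creation feed without PE metadata misses them. Add the two names so the rule does not depend on `Description` being present. Also, `CommandLine|contains: '.dmp'` fires on any path component containing that string, which is what the falsepositives entry hints at; at `level: high` that trade-off deserves a sentence in the description.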
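Review bot: The `filter_git` exclusion in `proc_creation_win_susp_conhost.yml` looks internally inconsistent: `selection` requires `ParentImage|endswith: '\conhost.exe'`, yet the comment gives the false positive as `ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file`, i.e. the parent's command line is git's, not conhost's. Either the event source reports `ParentImage` and `ParentCommandLine` from different processes (worth stating in the comment, since `ParentCommandLine|contains: ' show '` then only works on that source), or the filter should key on the child's own `CommandLine`. Please confirm against the captured event before merging.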
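Review bot: Typos in the description of the new `proc_creation_win_susp_netsupport_rat_exec_location.yml`: `unsual location (outisde of 'C:\Program Files')` should read `unusual location (outside of 'C:\Program Files')`. On the logic, the first OR branch `Image|endswith: '\client32.exe'` means any unrelated binary that happens to be named `client32.exe` and lives outside `C:\Program Files` alerts with no NetSupport evidence at all; either drop that branch (the `Product`, `OriginalFileName` and imphash branches already catch the real client) or list the name collision under `falsepositives` instead of `Unknown`.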
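Review bot: Same typo pair as the NetSupport sibling in the description of `proc_creation_win_susp_rurat_exec_location.yml`: `unsual location (outisde of` should be `unusual location (outside of`. Note also that the description promises `'C:\Program Files'` but the filter is narrower, excluding only `C:\Program Files\Remote Utilities` and `C:\Program Files (x86)\Remote Utilities`; say so in the description or a comment so analysts know a copy under, for instance, `C:\Program Files\Common Files\` would still alert.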
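Review bot: The wording change in `proc_creation_win_susp_winrar_dmp.yml` from `.dmp appears incidentally` to `.dmp appears accidentally` makes the sentence less accurate, not more: the benign case is a command line in which the string occurs as a side effect of an unrelated file or folder name, which is `incidentally`; `accidentally` implies a user mistake. Suggest reverting this line and using `incidentally` in the new 7-Zip rule too, so both rules share the correct phrasing.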
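Review bot: In the new `proc_creation_win_webshell_chopper.yml`, the technique tags `attack.t1018`, `attack.t1033` and `attack.t1087` are discovery techniques but the matching tactic tag `attack.discovery` is missing; the repository pairs each technique with its tactic, so add it next to `attack.persistence`. Minor wording in the description: `process executions cause by China Chopper like tiny (ASPX) webshells` should read `process executions caused by China Chopper-like tiny (ASPX) webshells`.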
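Review bot: The new `filter_svchost` in `registry_add_persistence_key_linking.yml` whitelists every `CreateKey` on `HKU\...\Classes\CLSID\...\TreatAs` performed by `C:\WINDOWS\system32\svchost.exe`, while the comment documents only one benign case, CLSID `{0003000A-0000-0000-C000-000000000046}`. Since svchost is a common host for injected code, a blanket image exclusion removes the detection for exactly the process an attacker is likely to write from; narrow the filter with a `TargetObject|contains` on that CLSID (extend the list as more are observed) rather than on the image alone. Separately, the `TargetObject|contains|all:` line shows up in the diff only because of trailing whitespace; fine to keep, but worth mentioning so reviewers do not look for a logic change there.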
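Review bot: In `registry_set_change_winevt_channelaccess.yml`, `filter_ti_worker` matches `Image|endswith: '\TiWorker.exe'` with no path constraint, whereas `filter_trustedinstaller` pins the full path `C:\Windows\servicing\TrustedInstaller.exe`. Anything dropped as `TiWorker.exe` in a writable directory could therefore rewrite event-channel ACLs without tripping a `level: high` rule. The legitimate worker runs from the component store, so combine the name check with `Image|startswith: 'C:\Windows\WinSxS\'` in a single filter to keep the exclusion tight.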
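Review bot: The detection in the new `registry_set_terminal_server_suspicious.yml` lost the key-path constraint these values had in `registry_set_terminal_server_tampering.yml`: there they were ANDed with `selection_terminal_services_key` (`\Control\Terminal Server\` or `SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\`), here `TargetObject|endswith` on `\fDenyTSConnections`, `\fSingleSessionPerUser` and `\UserAuthentication` stands alone, so a value named `UserAuthentication` under any unrelated key set to `DWORD (0x00000000)` matches. Re-add the `TargetObject|contains` prefix selection and AND it into the condition. Two more points on the same hunk: the description is copied verbatim from the tampering rule and mentions `'fAllowUnsolicited'`, which this rule does not cover, so it should describe only the three values actually listed; and `status: test` is unusual for a brand-new rule, every other new rule in this patch starts as `experimental`. The reference comments also carry the `Shadow RPD` typo and an unclosed parenthesis (`check it out if you want more information`) inherited from the original; a good moment to fix both.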
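Review bot: In `registry_set_terminal_server_tampering.yml` the new `related` entry marks the split-off rule as `type: similar`, but the three values were literally moved out of this rule into that one, so `derived` on the new rule's side describes the relationship more precisely than a symmetric `similar` on both. While touching this file, the unchanged context lines still read `This value can be set to pecify a program`, three times; fix `pecify` to `specify` in the same commit.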
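Review bot: Same concern as the `registry_add` sibling: `filter_svchost` in `registry_set_treatas_persistence.yml` excludes every `svchost.exe` write to `...\CLSID\...\TreatAs\(Default)` under both `HKLM` and `HKU`, while the two documented benign events share a single CLSID, `{0003000A-0000-0000-C000-000000000046}` (the `MsixRegistryCompatibility` path for the Paint package and its per-user `_Classes` mirror). Narrow the exclusion to that CLSID via `TargetObject|contains` so an injected svchost cannot register an arbitrary `TreatAs` redirect unnoticed. The re-indentation of the two `tags` entries is unrelated whitespace churn and would be cleaner in its own commit.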
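Review bot: The rewritten sentence in `tools/README.md`, `While attributes will be queried with `default_attribute: new_attribute` specified tags will be queried with `new_attribute`.`, is harder to follow than the line it replaces: `default_attribute: new_attribute` is the config-file mapping syntax, not a query, and the reader is no longer told that attributes are queried with an `@` prefix while tags are queried as `tag:value`, which is exactly what the removed sentence explained. Suggest keeping the old sentence and adding the mapping after it, along the lines of: in the config file, map a Sigma field to a Datadog attribute with `default_attribute: new_attribute`; in `tools/config/datadog.yml`, `DemoEventID` is rewritten to `@event.id`. That also fixes the comma splice in `see `tools/config/datadog.yml`, `DemoEventID` will be replaced`.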
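Review bot: The added example `tools/sigmac -t datadog-logs ./rules/cloud/aws/aws_attached_malicious_lambda_layer.yml --config config/datadog.yml` mixes working directories: the `tools/sigmac` and `./rules/...` paths assume the repository root, but `config/datadog.yml` only resolves from inside `tools/`. Use `tools/config/datadog.yml`, matching the path the README itself cites a few lines earlier, so the command works as pasted.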
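Review bot: The new `tools/config/datadog.yml` declares `index:`, `service:`, `source:`, `host:`, `device:`, `env:` and `version:` with no value, which YAML loads as `null`. Unless the backend explicitly skips `None`, these will either raise or leak the literal string `None` into the generated query, and the `datadog.py` hunk in this patch is cut off before showing how these options and `tags` are consumed. Either comment the placeholders out with a note on accepted values, or give them the defaults the backend expects. Note too that `tags` changes type from a list (`tags: []`) to a mapping (`DemoEventID: '@event.id'`); make sure the backend and the `#### Config file` docs agree on the new type, and drop the trailing blank line at end of file.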
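Review bot: `from re import compile` in `tools/sigma/backends/datadog.py` shadows Python's built-in `compile()` for the whole module, so any later call intended for the builtin silently gets the regex version. Keep `import re` and `re.compile(...)`, the form the removed line used; the change saves a few characters and adds a trap. The blank line separating the standard-library import from the `sigma.backends.base` import should also stay, per the module's existing layout.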