From a66ba61712588a1b4aa85ea9bb1e045984b75515 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Tue, 27 Sep 2022 10:27:21 +0200 Subject: [PATCH 01/31] Fix small typos --- rules/windows/file_event/file_event_win_ripzip_attack.yml | 4 ++-- .../proc_creation_win_process_dump_rundll32_comsvcs.yml | 4 ++-- .../process_creation/proc_creation_win_susp_sharpview.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file_event/file_event_win_ripzip_attack.yml index 7f71a7886..a7b422a4c 100644 --- a/rules/windows/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file_event/file_event_win_ripzip_attack.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19 author: Greg (rule) date: 2022/07/21 -modified: 2022/07/25 +modified: 2022/09/27 tags: - attack.t1547 - attack.persistence @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk - TargetFileName|contains|all: + TargetFilename|contains|all: - '\Microsoft\Windows\Start Menu\Programs\Startup' - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}' Image|endswith: '\explorer.exe' diff --git a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml index 4143a47ad..eafc641e8 100644 --- a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml +++ b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml 
@@ -14,7 +14,7 @@ references: - https://twitter.com/Wietze/status/1542107456507203586 author: Florian Roth, Modexp, Nasreddine Bencherchali (update) date: 2020/02/18 -modified: 2022/08/04 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.credential_access @@ -33,7 +33,7 @@ detection: CommandLine|contains|all: - 'comsvcs' - 'full' - Commandline|contains: + CommandLine|contains: - '24 ' - '#24' - '#+24' diff --git a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml index daae592e1..87b842f9a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml @@ -8,7 +8,7 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview date: 2021/12/10 -modified: 2022/09/13 +modified: 2022/09/27 logsource: category: process_creation product: windows @@ -16,7 +16,7 @@ detection: selection: - OriginalFileName: SharpView.exe - Image|endswith: '\SharpView.exe' - - Commandline|contains: + - CommandLine|contains: - Get-DomainGPOUserLocalGroupMapping - Find-GPOLocation - Get-DomainGPOComputerLocalGroupMapping From 6eeee7eff434b786f08a15210898f5ab48b5a568 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 11:51:27 +0200 Subject: [PATCH 02/31] fix: casing of field --- rules/windows/file_event/file_event_win_ripzip_attack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file_event/file_event_win_ripzip_attack.yml index 7f71a7886..78039d23b 100644 --- a/rules/windows/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file_event/file_event_win_ripzip_attack.yml 
@@ -15,7 +15,7 @@ logsource: product: windows detection: selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk - TargetFileName|contains|all: + TargetFilename|contains|all: - '\Microsoft\Windows\Start Menu\Programs\Startup' - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}' Image|endswith: '\explorer.exe' From 43d12249a0f034661e1c22a76c715ad40b85563d Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Tue, 27 Sep 2022 12:13:16 +0200 Subject: [PATCH 03/31] Renamed create remote thread rules --- ...n_cactustorch.yml => create_remote_thread_win_cactustorch.yml} | 0 ...> create_remote_thread_win_cobaltstrike_process_injection.yml} | 0 ...d_loadlibrary.yml => create_remote_thread_win_loadlibrary.yml} | 0 ...s.yml => create_remote_thread_win_password_dumper_keepass.yml} | 0 ...ass.yml => create_remote_thread_win_password_dumper_lsass.yml} | 0 ...yml => create_remote_thread_win_powershell_code_injection.yml} | 0 ....yml => create_remote_thread_win_susp_powershell_rundll32.yml} | 0 ...yml => create_remote_thread_win_susp_remote_thread_source.yml} | 0 ...yml => create_remote_thread_win_susp_remote_thread_target.yml} | 0 9 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/create_remote_thread/{sysmon_cactustorch.yml => create_remote_thread_win_cactustorch.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_cobaltstrike_process_injection.yml => create_remote_thread_win_cobaltstrike_process_injection.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_createremotethread_loadlibrary.yml => create_remote_thread_win_loadlibrary.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_password_dumper_keepass.yml => create_remote_thread_win_password_dumper_keepass.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_password_dumper_lsass.yml => create_remote_thread_win_password_dumper_lsass.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_powershell_code_injection.yml => create_remote_thread_win_powershell_code_injection.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_susp_powershell_rundll32.yml => create_remote_thread_win_susp_powershell_rundll32.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_susp_remote_thread_source.yml => create_remote_thread_win_susp_remote_thread_source.yml} 
(100%) rename rules/windows/create_remote_thread/{sysmon_susp_remote_thread_target.yml => create_remote_thread_win_susp_remote_thread_target.yml} (100%) diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_cactustorch.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml 
diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_target.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_remote_thread_target.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml From e987c669d012f3a6994ef7d2cec33cd30192a8bc Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 09:50:56 +0200 Subject: [PATCH 04/31] Updates --- ...win_lolbins_with_wmiprvse_parent_process.yml | 2 +- ...oc_creation_win_rundll32_parent_explorer.yml | 1 + .../proc_creation_win_susp_winrar_dmp.yml | 2 +- ..._wab_execution_from_non_default_location.yml | 10 +++++++--- .../proc_creation_win_wab_unusual_parents.yml | 17 ++++++++++++----- ...oc_creation_win_weak_or_abused_passwords.yml | 3 +++ 6 files changed, 25 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml index 658c9c1ad..d7e302321 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml @@ -29,5 +29,5 @@ detection: ParentImage|endswith: '\wbem\WmiPrvSE.exe' condition: selection falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 9d73005a8..86a5ee3f5 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -4,6 +4,7 @@ description: Detects suspicious start of rundll32.exe with a parent process of E status: experimental references: - https://redcanary.com/blog/raspberry-robin/ + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: CD_ROM_ date: 2022/05/21 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml index 7fa86299a..dc6c839b6 100644 
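Review bot: The reference added to `proc_creation_win_rundll32_parent_explorer.yml` comes without a `modified:` line, while every other rule touched in this commit receives `modified: 2022/09/27` when its references change; the rule keeps `date: 2022/05/21` and no modification date, so the update is invisible to anyone tracking rule changes by that field. Add `modified: 2022/09/27` directly after `date: 2022/05/21`. The rest of the rule (logsource, detection) lies outside the hunk.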
--- a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml @@ -20,7 +20,7 @@ detection: CommandLine|contains: '.dmp' condition: selection and dumpfile falsepositives: - - Legitimate use of WinRAR with a command line in which .dmp appears incidentally + - Legitimate use of WinRAR with a command line in which .dmp appears accidentally level: high tags: - attack.collection diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml index 601a65f63..1a188d5a9 100644 --- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml +++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml @@ -1,12 +1,14 @@ title: Wab Execution From Non Default Location id: 395907ee-96e5-4666-af2e-2ca91688e151 status: experimental -description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity +description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -15,7 +17,9 @@ logsource: product: windows detection: selection: - Image|endswith: '\wab.exe' + Image|endswith: + - '\wab.exe' + - '\wabmig.exe' filter: Image|startswith: - 'C:\Windows\WinSxS\' 
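Review bot: Adding `'\wabmig.exe'` to `selection` makes the filter's legitimate-path list load-bearing for a second binary, but nothing in the rule states where wabmig.exe is expected to live; on current Windows both wab.exe and wabmig.exe ship under `%ProgramFiles%\Windows Mail\`, which the visible `C:\Program Files (x86)\Windows Mail\` entry — and presumably a `C:\Program Files\Windows Mail\` entry in the context cut from this hunk — covers, so I see no gap, but it should be confirmed and written down. A comment on the list such as `# wab.exe and wabmig.exe both reside in %ProgramFiles%\Windows Mail on a default install` would record the assumption for whoever adds the next binary. The filter also hardcodes the `C:` drive, so a Windows installed on another volume alerts on every legitimate run; that is a nameable case for `falsepositives` rather than `Unknown`.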
@@ -23,5 +27,5 @@ detection: - 'C:\Program Files (x86)\Windows Mail\' condition: selection and not filter falsepositives: - - Unlikely + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml index ad84a9698..f5720ce04 100644 --- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml +++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml @@ -1,12 +1,14 @@ -title: Wab.Exe Unusual Parent Or Child Processes +title: Wab/Wabmig Unusual Parent Or Child Processes id: 63d1ccc0-2a43-4f4b-9289-361b308991ff status: experimental -description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity +description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -20,10 +22,15 @@ detection: - \WmiPrvSE.exe - \svchost.exe - \dllhost.exe - Image|endswith: '\wab.exe' + Image|endswith: + - '\wab.exe' + - '\wabmig.exe' # (Microsoft Address Book Import Tool) selection_child: - ParentImage|endswith: '\wab.exe' + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy + ParentImage|endswith: + - '\wab.exe' + - '\wabmig.exe' # (Microsoft Address Book Import Tool) condition: 1 of selection_* falsepositives: - - Unlikely + - Unknown level: high 
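Review bot: `selection_child` fires on any process whose parent is wab.exe or wabmig.exe with no constraint on the child, yet the rule stays `level: high` and `falsepositives` now only says `Unknown`; the inline comment itself concedes the accuracy gap. Either constrain the child (e.g. an `Image|endswith:` list with `'\cmd.exe'`, `'\powershell.exe'`, `'\rundll32.exe'` — the last being the injection target used in the Bumblebee remote-thread rule added later in this series) or lower the level and spell out the expected noise in `falsepositives`. Minor style point: the parent entries `\WmiPrvSE.exe`, `\svchost.exe`, `\dllhost.exe` are unquoted while the new Image entries are single-quoted; quoting them consistently (`- '\WmiPrvSE.exe'`) matches the rest of the rule.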
diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml index 0afe7b43e..0068a7f2c 100644 --- a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml @@ -4,8 +4,10 @@ status: experimental description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/09/14 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -19,6 +21,7 @@ detection: - 'Asd123.aaaa' - 'password123' - '123456789' + - 'P@ssw0rd!' condition: selection falsepositives: - Legitimate usage of the passwords by users via commandline (should be discouraged) From d262ea2df8f44a5096ce614c7deb565d94d89cdd Mon Sep 17 00:00:00 2001 
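Review bot: `'P@ssw0rd!'` is added as a `contains` pattern, so the far more common bare variants `P@ssw0rd` / `P@ssw0rd1` are only caught if the part of the list above this hunk already holds `'P@ssw0rd'`; if it does not, `- 'P@ssw0rd'` subsumes the new entry (Sigma `contains` is case-insensitive, so it also covers `p@ssw0rd`) and the `!` form adds nothing. The head of the list is outside the hunk, so check before changing. Note also that `'123456789'` as a bare substring will hit any command line carrying that digit run (hashes, GUIDs, ticket numbers) — pre-existing, but worth a line under `falsepositives`.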
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 09:51:13 +0200 Subject: [PATCH 05/31] New rules --- .../create_remote_thread_win_bumblebee.yml | 27 +++++++++++++++++ .../proc_creation_win_copy_dmp_from_share.yml | 25 ++++++++++++++++ ...on_win_imaging_devices_unusual_parents.yml | 29 ++++++++++++++++++ .../proc_creation_win_susp_7zip_dmp.yml | 30 +++++++++++++++++++ 4 files changed, 111 insertions(+) create mode 100644 rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml create mode 100644 rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml create mode 100644 rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml new file mode 100644 index 000000000..47999251e --- /dev/null +++ b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml @@ -0,0 +1,27 @@ +title: Bumblebee Remote Thread Creation +id: 994cac2b-92c2-44bf-8853-14f6ca39fbda +status: experimental +description: Detects remote thread injection events based on action seen used by bumblebee +author: Nasreddine Bencherchali +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +date: 2022/09/27 +logsource: + product: windows + category: create_remote_thread +detection: + selection: + SourceImage|endswith: + - '\wabmig.exe' + - '\wab.exe' + - '\ImagingDevices.exe' + TargetImage|endswith: '\rundll32.exe' + condition: selection +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.011 + - attack.t1059.001 +falsepositives: + - Unknown +level: high 
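Review bot: The technique tags do not match what the rule detects: `attack.t1059.001` is PowerShell, which nothing in this rule references, while a remote thread created in rundll32.exe from wab/wabmig/ImagingDevices is Process Injection, `attack.t1055` (keeping `attack.t1218.011` for the rundll32 target is fair). Replace `- attack.t1059.001` with `- attack.t1055`. The single `TargetImage|endswith: '\rundll32.exe'` mirrors the one referenced intrusion; a comment naming that Bumblebee stage would help a maintainer judge whether to widen it.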
diff --git a/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml new file mode 100644 index 000000000..0277d4b14 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml @@ -0,0 +1,25 @@ +title: Copy DMP Files From Share +id: 044ba588-dff4-4918-9808-3f95e8160606 +status: experimental +description: Detects usage of the copy command to copy files with the .dmp extensions from a remote share +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + # Example: copy \\\\\\lsass.dmp C:\Users\lsass.dmp + - ' /c ' + - '.dmp' + - 'copy ' + - ' \\\\' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access diff --git a/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml new file mode 100644 index 000000000..b2e89c510 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml 
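Review bot: The UNC token `' \\\\'` only requires a share path somewhere on the command line, so `copy C:\Windows\Temp\lsass.dmp \\srv\share\` (a dump pushed to a share) fires just like the copy-from-share case the title describes — useful, but the title and description should say "to or from" or the rule should be scoped to the stated direction. The example comment `copy \\\\\\lsass.dmp C:\Users\lsass.dmp` has a garbled host/share part; the quoted value needs Sigma escaping but a comment does not, so `# Example: copy \\<ip>\share\lsass.dmp C:\Users\lsass.dmp` reads correctly. Tags stop at the tactic; given the lsass example, `attack.t1003.001` (hedged — pick the technique that matches the intended scope) would complete them.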
@@ -0,0 +1,29 @@ +title: ImagingDevices Unusual Parent Or Child Processes +id: f11f2808-adb4-46c0-802a-8660db50fa99 +status: experimental +description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +tags: + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: + # Add more if known + - \WmiPrvSE.exe + - \svchost.exe + - \dllhost.exe + Image|endswith: '\ImagingDevices.exe' + selection_child: + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy + ParentImage|endswith: '\ImagingDevices.exe' + condition: 1 of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml new file mode 100644 index 000000000..26285572d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml 
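Review bot: The description is copied from the wab rule and mislabels the binary: ImagingDevices.exe is the Windows Imaging Devices (Scanners and Cameras) applet, not Windows Contacts, and this rule does not match Wabmig.exe anywhere in `detection`. Suggest `description: Detects unusual parent or children of the ImagingDevices.exe (Windows Imaging Devices) process as seen being used with bumblebee activity`. As in the wab sibling, `selection_child` matches every child of ImagingDevices.exe at `level: high` with `falsepositives: Unknown`; constrain the child Image or record the expected noise.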
@@ -0,0 +1,30 @@ +title: Winrar Compressing Dump Files +id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 +related: + - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc + type: derived +status: experimental +description: Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\7z.exe' + - '\7zr.exe' + - '\7za.exe' + - Description|contains: '7-Zip' + dumpfile: + CommandLine|contains: '.dmp' + condition: selection and dumpfile +falsepositives: + - Legitimate use of 7-Zip with a command line in which .dmp appears accidentally +level: high +tags: + - attack.collection + - attack.t1560.001 From e3b32652403ba4a4b412dfa1898835a28c4e2399 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 10:48:30 +0200 Subject: [PATCH 06/31] Update image_load_side_load_from_non_system_location.yml --- .../image_load_side_load_from_non_system_location.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 53f7ec255..1213ebb0b 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/09/27 +modified: 2022/09/28 tags: - attack.defense_evasion - attack.persistence 
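Review bot: The title `Winrar Compressing Dump Files` is carried over from the WinRAR rule this one derives from (`related: 1ac14d38…`), while the detection, description and falsepositives are about 7-Zip; the alert would name the wrong tool. Change it to `title: 7Zip Compressing Dump Files`. A one-line comment on `Description|contains: '7-Zip'` noting that it catches renamed copies of the binaries listed above would also make the derivation from the WinRAR rule clearer.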
@@ -423,7 +423,9 @@ detection: filter_azure: ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' filter_dell: - Image: 'C:\Windows\System32\backgroundTaskHost.exe' + Image|startswith: + - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' + - 'C:\Windows\System32\backgroundTaskHost.exe' ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' condition: selection and not 1 of filter_* falsepositives: From df6c167b177ec5326b7cc975e989a039f0807f07 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 10:48:51 +0200 Subject: [PATCH 07/31] New Rules --- ...s_query_remote_access_software_domains.yml | 12 +++++--- ...oc_creation_win_renamed_netsupport_rat.yml | 25 +++++++++++++++++ .../proc_creation_win_renamed_rurat.yml | 28 +++++++++++++++++++ .../proc_creation_win_screenconnect.yml | 2 +- ..._win_susp_netsupport_rat_exec_location.yml | 28 +++++++++++++++++++ ..._creation_win_susp_rurat_exec_location.yml | 27 ++++++++++++++++++ 6 files changed, 117 insertions(+), 5 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_rurat.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml index 742ec1d9a..3fb6d2b0c 100644 --- a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml +++ b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml 
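Review bot: The new `Image|startswith` list exempts every executable under the Dell SupportAssist package folder from the side-load check, not just backgroundTaskHost.exe, and the prefix has no trailing separator, so it also covers any sibling WindowsApps package whose name begins with `DellInc.DellSupportAssistforPCs`. That is presumably intended — the package folder carries a `_<version>_<arch>__<hash>` suffix — but it widens the allowlist, and a comment such as `# WindowsApps package folder is versioned, hence no trailing backslash` would record the reason before someone "fixes" it. The enclosing `selection` and the other filters start well above this hunk.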
@@ -9,15 +9,17 @@ related: type: obsoletes status: experimental description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution + - https://redcanary.com/blog/misbehaving-rats/ author: frack113 date: 2022/07/11 +modified: 2022/09/19 logsource: product: windows category: dns_query 
@@ -27,9 +29,11 @@ detection: - '.getgo.com' - '.logmein.com' - '.ammyy.com' + - '.netsupportsoftware.com' # For NetSupport Manager RAT + - 'remoteutilities.com' # Usage of Remote Utilities RAT condition: selection falsepositives: - - Unknown + - FP may be caused in legitimate usage of the softwares mentioned above level: medium tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml new file mode 100644 index 000000000..4ad3dd467 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml @@ -0,0 +1,25 @@ +title: Execution of Renamed NetSupport RAT +id: 0afbd410-de03-4078-8491-f132303cb67d +status: experimental +description: Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Product|contains: 'NetSupport Remote Control' + - OriginalFileName|contains: 'client32.exe' + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e + filter: + Image|endswith: '\client32.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml new file mode 100644 index 000000000..0325c15f3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml 
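Review bot: The two new domain entries are inconsistent with each other and with the existing ones: `'.netsupportsoftware.com'` keeps the leading dot (so, assuming the field above the hunk is an `endswith` on the query name, the bare apex `netsupportsoftware.com` is not matched), while `'remoteutilities.com'` drops it (so it matches the apex but also any lookalike such as `notremoteutilities.com`). Pick one convention for the list, or add both forms for each vendor. The field and modifier are outside the hunk, so this is inferred from the existing entries. The new `falsepositives` text would read better as `Legitimate usage of the remote access software listed above`.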
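Review bot: The rule detects a renamed binary but carries only the tactic tag `attack.defense_evasion`; the masquerading technique belongs there — `- attack.t1036` (the repository's other "renamed" rules use `attack.t1036.003`, but that sub-technique is about system utilities, so plain `t1036` fits a third-party RAT better). `OriginalFileName|contains: 'client32.exe'` is looser than needed; the exact `OriginalFileName: 'client32.exe'` matches the same binaries without the substring semantics. The Imphash appears twice (`Imphash:` and `Hashes|contains: IMPHASH=`) to cover both Sysmon field layouts; a short comment saying so would spare the next reader the guess.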
@@ -0,0 +1,28 @@ +title: Execution of Renamed Remote Utilities RAT (RURAT) +id: 9ef27c24-4903-4192-881a-3adde7ff92a5 +status: experimental +description: Detects execution of renamed Remote Utilities (RURAT) via Imphash, Product and OriginalFileName strings +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + Product: 'Remote Utilities' + filter: + Image|endswith: + - '\rutserv.exe' + - '\rfusclient.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.collection + - attack.command_and_control + - attack.discovery + - attack.s0592 diff --git a/rules/windows/process_creation/proc_creation_win_screenconnect.yml b/rules/windows/process_creation/proc_creation_win_screenconnect.yml index 515f45653..f0d31afec 100644 --- a/rules/windows/process_creation/proc_creation_win_screenconnect.yml +++ b/rules/windows/process_creation/proc_creation_win_screenconnect.yml @@ -19,7 +19,7 @@ detection: - Company: 'ScreenConnect Software' condition: selection falsepositives: - - Legitimate use + - Legitimate usage of the tool level: medium tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml new file mode 100644 index 000000000..5ee17263d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml 
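Review bot: Unlike the NetSupport sibling added in the same commit, this rule keys on a single `Product: 'Remote Utilities'` string, so a build with edited version info evades it and there is no second indicator; adding the binaries' `OriginalFileName` values (`rutserv.exe`, `rfusclient.exe`) as OR'd selection items would align it with the NetSupport rule. Other Remote Utilities components (the viewer, for instance) plausibly carry the same `Product` value and are not in the filter, so they would be flagged as "renamed" on legitimate administrator workstations — worth verifying and, if true, recording under `falsepositives` instead of `Unknown`.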
@@ -0,0 +1,28 @@ +title: Execution of NetSupport RAT From Unusual Location +id: 37e8d358-6408-4853-82f4-98333fca7014 +status: experimental +description: Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\Program Files') +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\client32.exe' + - Product|contains: 'NetSupport Remote Control' + - OriginalFileName|contains: 'client32.exe' + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e + filter: + Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml new file mode 100644 index 000000000..464f1000f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml 
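Review bot: The description has two typos, `unsual` and `outisde`; it should read `Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')`. Note also that `Image|endswith: '\client32.exe'` is OR'd with the NetSupport-specific indicators, so any unrelated client32.exe outside Program Files fires as well; if that is deliberate, `falsepositives` should say so rather than `Unknown`. The filter exempts all of `C:\Program Files\` and `C:\Program Files (x86)\`, not only the NetSupport folder — acceptable for a medium-level rule, but a comment stating that trade-off would help.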
@@ -0,0 +1,27 @@ +title: Execution of Remote Utilities RAT (RURAT) From Unusual Location +id: e01fa958-6893-41d4-ae03-182477c5e77d +status: experimental +description: Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\Program Files') +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\rutserv.exe' + - '\rfusclient.exe' + - Product: 'Remote Utilities' + filter: + Image|startswith: + - 'C:\Program Files\Remote Utilities' + - 'C:\Program Files (x86)\Remote Utilities' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion From b71644d0c8a2af165be1b77390268de98a760a02 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 11:52:07 +0200 Subject: [PATCH 08/31] New rules + small mitre update --- ...vent_win_anydesk_writing_susp_binaries.yml | 26 +++++++++++++++++++ ...ion_win_anydesk_piped_password_via_cli.yml | 26 +++++++++++++++++++ ...oc_creation_win_anydesk_silent_install.yml | 3 ++- 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml create mode 100644 rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml diff --git a/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml new file mode 100644 index 000000000..dd301c10d --- /dev/null +++ b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml 
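Review bot: Same typos as the NetSupport location rule in this commit: `unsual` and `outisde` in the description should be `unusual` and `outside`. The filter prefixes `C:\Program Files\Remote Utilities` have no trailing backslash, which presumably is meant to also cover variant folder names such as `Remote Utilities - Host`; if so, a short comment saying that would stop a later cleanup from adding the separator and breaking the filter.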
@@ -0,0 +1,26 @@ +title: Suspicious Binary Writes Via AnyDesk +id: 2d367498-5112-4ae5-a06a-96e7bc33a211 +status: experimental +description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/28 +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: '\anydesk.exe' + TargetFilename|endswith: + - '.dll' + - '.exe' + filter_dlls: + TargetFilename|endswith: '\gcapi.dll' + condition: selection and not 1 of filter_* +falsepositives: + - Unknown +level: medium +tags: + - attack.command_and_control + - attack.t1219 diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml new file mode 100644 index 000000000..0fcd497d4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml 
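Review bot: The description reads `Detects anydesk writing binaries files to disk`, which should be `binary files`, and the product name is spelled `anydesk` here but `AnyDesk` in the title. The `condition: selection and not 1 of filter_*` form with a single `filter_dlls` block is fine and leaves room for further exemptions; a short why-comment on `filter_dlls` pointing at the Red Canary reference (`# gcapi.dll is the one DLL AnyDesk is known to write, see references`) would make the exemption self-explaining without reading the long description.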
@@ -0,0 +1,26 @@ +title: AnyDesk Inline Piped Password +id: b1377339-fda6-477a-b455-ac0923f9ec2c +status: experimental +author: Nasreddine Bencherchali +date: 2022/09/28 +description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag +references: + - https://redcanary.com/blog/misbehaving-rats/ +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password + - '/c' + - 'echo ' + - ' --set-password' + condition: selection +falsepositives: + - Legitimate piping of the password to anydesk + - Some FP could occure with similar tools that uses the same command line '--set-password' +level: medium +tags: + - attack.command_and_control + - attack.t1219 diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml index 4cf3b46ed..56babca75 100644 --- a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml +++ b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml @@ -8,13 +8,14 @@ references: - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20 - https://support.anydesk.com/Automatic_Deployment tags: + - attack.command_and_control - attack.t1219 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - '--install' - '--start-with-win' - '--silent' From ea253821104dc79acb4494be12c47b9e0e625804 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Sep 2022 13:26:23 +0200 Subject: [PATCH 09/31] increased level --- .../file_event/file_event_win_anydesk_writing_susp_binaries.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
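Review bot: The `falsepositives` entries have wording errors: `occure` → `occur` and `similar tools that uses` → `similar tools that use`. The `CommandLine|contains|all` selection deliberately does not anchor on an AnyDesk image name, which the second falsepositives entry already acknowledges; a comment next to the selection stating that this is intentional (presumably so a renamed binary is still caught) would stop a later reviewer from "fixing" it. The silent-install hunk that follows in the same commit is tag and indentation only.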
diff --git a/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml index dd301c10d..aaaac6289 100644 --- a/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml +++ b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml @@ -20,7 +20,7 @@ detection: condition: selection and not 1 of filter_* falsepositives: - Unknown -level: medium +level: high tags: - attack.command_and_control - attack.t1219 From 5ee44a69922ee3603b96d8c41802a5d702ff6181 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Sep 2022 13:27:23 +0200 Subject: [PATCH 10/31] increased level --- .../proc_creation_win_anydesk_piped_password_via_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml index 0fcd497d4..c27c46d22 100644 --- a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml @@ -20,7 +20,7 @@ detection: falsepositives: - Legitimate piping of the password to anydesk - Some FP could occure with similar tools that uses the same command line '--set-password' -level: medium +level: high tags: - attack.command_and_control - attack.t1219 From 5391a5cab4a209312f44bda326a29988eb2ef0cd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Sep 2022 13:28:53 +0200 Subject: [PATCH 11/31] changed casing, increased level --- .../proc_creation_win_renamed_netsupport_rat.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml index 4ad3dd467..e3bb4105a 100644 
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml @@ -14,12 +14,12 @@ detection: - Product|contains: 'NetSupport Remote Control' - OriginalFileName|contains: 'client32.exe' - Imphash: a9d50692e95b79723f3e76fcf70d023e - - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E filter: Image|endswith: '\client32.exe' condition: selection and not filter falsepositives: - Unknown -level: medium +level: high tags: - attack.defense_evasion From 69b31b19b1bdf3b67b1a2a1c2647e609c752f258 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 13:37:36 +0200 Subject: [PATCH 12/31] Update rules/windows/process_creation/proc_creation_win_renamed_rurat.yml Co-authored-by: Florian Roth --- .../process_creation/proc_creation_win_renamed_rurat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml index 0325c15f3..67108fb20 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml @@ -1,7 +1,7 @@ title: Execution of Renamed Remote Utilities RAT (RURAT) id: 9ef27c24-4903-4192-881a-3adde7ff92a5 status: experimental -description: Detects execution of renamed Remote Utilities (RURAT) via Imphash, Product and OriginalFileName strings +description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field author: Nasreddine Bencherchali references: - https://redcanary.com/blog/misbehaving-rats/ From 4a5dcf8586ddef9a9f60a2bddce59dbc322fc51d Mon Sep 17 00:00:00 2001 
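Review bot: After this change the `Hashes|contains` value is upper-case while the `Imphash:` field two lines above keeps the lower-case `a9d50692e95b79723f3e76fcf70d023e`, so the same hash is now written in two casings inside one rule. Sigma string matching is case-insensitive by default, so results should not change, but the NetSupport unusual-location rule added earlier in this series still carries the lower-case `IMPHASH=` form and now diverges from this one. Either normalize both rules to one casing or record the reason in a comment, e.g. `# upper-case presumably mirrors the Hashes field as logged; Sigma matching is case-insensitive`.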
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 13:37:42 +0200 Subject: [PATCH 13/31] Update rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml Co-authored-by: Florian Roth --- .../process_creation/proc_creation_win_susp_7zip_dmp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml index 26285572d..0079f9ca3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml @@ -1,4 +1,4 @@ -title: Winrar Compressing Dump Files +title: 7Zip Compressing Dump Files id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 related: - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc From 652447696b968afc1ff5fe9ff9917a6289e82cab Mon Sep 17 00:00:00 2001 From: mpgn Date: Wed, 28 Sep 2022 08:30:03 -0400 Subject: [PATCH 14/31] Update datadog sigmac --- tools/README.md | 7 ++++-- tools/config/datadog.yml | 11 +++++++++- tools/sigma/backends/datadog.py | 34 ++++++++++++++++++----------- tools/tests/test_backend_datadog.py | 4 ++-- 4 files changed, 38 insertions(+), 18 deletions(-) diff --git a/tools/README.md b/tools/README.md index 946b38aa8..6e42d63d7 100644 --- a/tools/README.md +++ b/tools/README.md 
@@ -373,8 +373,8 @@ with the identifier `datadog-logs`. This query can be used in the Security Monit #### Config file The Datadog backend does not require a config file. If you choose to add one, you can specify tags in addition to the existing features. -While attributes will be queried with `@my-attribute:attribute_value` specified tags will be queried with `my-tag:service_value`. -For an example, see `tools/config/datadog.yml`. +While attributes will be queried with `default_attribute: new_attribute` specified tags will be queried with `new_attribute`. +For an example, see `tools/config/datadog.yml`, `DemoEventID` will be replaced by `@event.id`. #### Backend options The backend options allow you to override tags such as `index`, `service` and `source`. Note that `index` is not available in the Security Monitoring product. @@ -383,6 +383,9 @@ Example ``` tools/sigmac -t datadog-logs ./rules/cloud/aws/aws_attached_malicious_lambda_layer.yml --backend-option index=index_value --backend-option service=service_value ``` +``` +tools/sigmac -t datadog-logs ./rules/cloud/aws/aws_attached_malicious_lambda_layer.yml --config config/datadog.yml +``` #### Tests You can run the backend unit tests with: diff --git a/tools/config/datadog.yml b/tools/config/datadog.yml index e68269dc0..2dd68200b 100644 --- a/tools/config/datadog.yml +++ b/tools/config/datadog.yml @@ -2,4 +2,13 @@ title: Datadog Example Config order: 20 backends: - datadog-logs -tags: [] +index: +service: +source: +host: +device: +env: +version: +tags: + DemoEventID: '@event.id' + diff --git a/tools/sigma/backends/datadog.py b/tools/sigma/backends/datadog.py index 80d6f880b..067fedfc3 100644 --- a/tools/sigma/backends/datadog.py +++ b/tools/sigma/backends/datadog.py 
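Review bot: The seven new keys `index:` through `version:` in `tools/config/datadog.yml` have no value, which YAML parses as null, and nothing in this hunk shows how the backend distinguishes a null override from an absent one; if the loader emits them as `key:None` or treats them as set, the example config silently changes query output. Either give each key an explanatory comment with a commented-out example value (`index: # e.g. index_value`) or drop the empty keys and document them only in the README, which this commit also edits. The hunk also appears to append a trailing line containing only whitespace after the `tags` mapping.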
@@ -14,8 +14,7 @@ # You should have received a copy of the GNU Lesser General Public License # along with this program. If not, see . -import re - +from re import compile from sigma.backends.base import SingleTextQueryBackend from sigma.parser.condition import NodeSubexpression @@ -41,13 +40,22 @@ class DatadogLogsBackend(SingleTextQueryBackend): notNullExpression = "%s:*" # The escaped characters list comes from https://docs.datadoghq.com/logs/explorer/search_syntax/#escaping-of-special-characters. - specialCharactersRegexp = re.compile(r'([+\-=&|> Date: Wed, 28 Sep 2022 19:31:22 +0200 Subject: [PATCH 15/31] fix: Aurora FPs with Nvidia update --- .../security/win_lsass_access_non_system_account.yml | 7 +++++-- .../builtin/security/win_susp_lsass_dump_generic.yml | 5 +---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml index 4db2ccc9e..6469e1daa 100644 --- a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml +++ b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml @@ -3,7 +3,7 @@ id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1 description: Detects potential mimikatz-like tools accessing LSASS from non system account status: experimental date: 2019/06/20 -modified: 2021/11/22 +modified: 2022/09/28 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html 
@@ -50,7 +50,10 @@ detection: filter1: SubjectUserName|endswith: '$' filter2: - ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + filter3: + ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe' + AccessMask: '0x1410' condition: selection and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index cc71a77b0..41e9ead15 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2022/09/27 +modified: 2022/09/28 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment @@ -73,9 +73,6 @@ detection: ProcessName: 'C:\Windows\CCM\CcmExec.exe' filter4: ProcessName: 'C:\Windows\System32\taskhostw.exe' - AccessMask: - - '0x10' - - '0x1410' condition: 1 of selection_* and not 1 of filter* fields: - ComputerName From 94ec3126f748f40cd7718d7eb77a9fb3c0cdafb2 Mon Sep 17 00:00:00 2001 
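Review bot: `filter3` exempts any LSASS access by `C:\Windows\System32\wbem\WmiPrvSE.exe` with `AccessMask` `0x1410`, but the commit message attributes the false positive to an Nvidia update and neither the rule nor a comment records that origin; since WmiPrvSE hosts many providers, the image path alone does not say which one made the access. A why-comment on the new block, e.g. `# FP: WMI provider host during Nvidia driver update (see commit)`, would let a later maintainer judge whether the exemption can be tightened. The second hunk in this commit (`win_susp_lsass_dump_generic.yml`, `@@ -73,9 +73,6`) removes the `AccessMask` list from `filter4`, so `taskhostw.exe` is now exempt for every access mask rather than only `0x10`/`0x1410`; if that broadening is intended, the rule's `falsepositives` section should say so.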
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:15:10 +0200 Subject: [PATCH 16/31] fix fp from testing --- .../image_load_side_load_from_non_system_location.yml | 5 ++++- .../image_load_susp_dll_load_system_process.yml | 11 ++++++++--- .../registry_add_persistence_key_linking.yml | 8 ++++++-- .../registry_set/registry_set_treatas_persistence.yml | 5 +++++ 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 53f7ec255..97c19248a 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/09/27 +modified: 2022/09/29 tags: - attack.defense_evasion - attack.persistence @@ -425,6 +425,9 @@ detection: filter_dell: Image: 'C:\Windows\System32\backgroundTaskHost.exe' ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' + filter_cleanmgr: + Image: 'C:\Windows\System32\cleanmgr.exe' + ImageLoaded|endswith: '\ssshim.dll' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index c018ae144..ebc4aecc5 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml 
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) date: 2022/07/17 -modified: 2022/09/10 +modified: 2022/09/29 tags: - attack.defense_evasion - attack.t1070 @@ -23,12 +23,17 @@ detection: - '\Downloads\' - '\AppData\Local\Temp\' - 'C:\PerfLogs\' - filter: + filter_generic: - Image|endswith: '\msiexec.exe' - ImageLoaded|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - condition: selection and not filter + filter_cleanmgr: + # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C: + # Sometimes the DLL gets loaded from %temp% + Image: 'C:\Windows\System32\cleanmgr.exe' + ImageLoaded|endswith: '\ssshim.dll' + condition: selection and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml index 03df88539..94a4e8de2 100755 --- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml 
@@ -6,17 +6,21 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Kutepov Anton, oscd.community date: 2019/10/23 -modified: 2022/03/26 +modified: 2022/09/29 logsource: category: registry_add product: windows detection: selection: EventType: 'CreateKey' # don't want DeleteKey events - TargetObject|contains|all: + TargetObject|contains|all: - 'HKU\' - 'Classes\CLSID\' - '\TreatAs' + filter_svchost: + # Example of target object by svchost + # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs + Image: 'C:\WINDOWS\system32\svchost.exe' condition: selection falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compatibility diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml index 9313a2ea7..caee9f67b 100644 --- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml @@ -19,6 +19,11 @@ detection: Image|endswith: '\OfficeClickToRun.exe' filter_office2: Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + filter_svchost: + # Example of target object by svchost + # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) + # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) + Image: 'C:\WINDOWS\system32\svchost.exe' condition: selection and not 1 of filter_* falsepositives: - Legitimate use From 6131c3df887ed1b8ead84a73a6440f822c78bc53 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:16:42 +0200 Subject: [PATCH 17/31] Revert "fix fp from testing" This reverts commit 94ec3126f748f40cd7718d7eb77a9fb3c0cdafb2. --- .../image_load_side_load_from_non_system_location.yml | 5 +---- .../image_load_susp_dll_load_system_process.yml | 11 +++-------- .../registry_add_persistence_key_linking.yml | 8 ++------ .../registry_set/registry_set_treatas_persistence.yml | 5 ----- 4 files changed, 6 insertions(+), 23 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 97c19248a..53f7ec255 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/09/29 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.persistence @@ -425,9 +425,6 @@ detection: filter_dell: Image: 'C:\Windows\System32\backgroundTaskHost.exe' ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' - filter_cleanmgr: - Image: 'C:\Windows\System32\cleanmgr.exe' - ImageLoaded|endswith: '\ssshim.dll' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index ebc4aecc5..c018ae144 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml 
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) date: 2022/07/17 -modified: 2022/09/29 +modified: 2022/09/10 tags: - attack.defense_evasion - attack.t1070 @@ -23,17 +23,12 @@ detection: - '\Downloads\' - '\AppData\Local\Temp\' - 'C:\PerfLogs\' - filter_generic: + filter: - Image|endswith: '\msiexec.exe' - ImageLoaded|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - filter_cleanmgr: - # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C: - # Sometimes the DLL gets loaded from %temp% - Image: 'C:\Windows\System32\cleanmgr.exe' - ImageLoaded|endswith: '\ssshim.dll' - condition: selection and not 1 of filter_* + condition: selection and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml index 94a4e8de2..03df88539 100755 --- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml 
@@ -6,21 +6,17 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Kutepov Anton, oscd.community date: 2019/10/23 -modified: 2022/09/29 +modified: 2022/03/26 logsource: category: registry_add product: windows detection: selection: EventType: 'CreateKey' # don't want DeleteKey events - TargetObject|contains|all: + TargetObject|contains|all: - 'HKU\' - 'Classes\CLSID\' - '\TreatAs' - filter_svchost: - # Example of target object by svchost - # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs - Image: 'C:\WINDOWS\system32\svchost.exe' condition: selection falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compatibility diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml index caee9f67b..9313a2ea7 100644 --- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml @@ -19,11 +19,6 @@ detection: Image|endswith: '\OfficeClickToRun.exe' filter_office2: Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' - filter_svchost: - # Example of target object by svchost - # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) - # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) - Image: 'C:\WINDOWS\system32\svchost.exe' condition: selection and not 1 of filter_* falsepositives: - Legitimate use From cdd9aff032d119c14bfd4eddebdbf1acac594343 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:20:08 +0200 Subject: [PATCH 18/31] Fix FP --- .../image_load_side_load_from_non_system_location.yml | 5 ++++- .../image_load_susp_dll_load_system_process.yml | 11 ++++++++--- .../registry_add_persistence_key_linking.yml | 10 +++++++--- .../registry_set/registry_set_treatas_persistence.yml | 9 +++++++-- 4 files changed, 26 insertions(+), 9 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 1213ebb0b..f74a18219 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/09/28 +modified: 2022/09/29 tags: - attack.defense_evasion - attack.persistence @@ -427,6 +427,9 @@ detection: - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' - 'C:\Windows\System32\backgroundTaskHost.exe' ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' + filter_cleanmgr: + Image: 'C:\Windows\System32\cleanmgr.exe' + ImageLoaded|endswith: '\ssshim.dll' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index c018ae144..ebc4aecc5 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml 
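Review bot: `filter_cleanmgr` exempts `cleanmgr.exe` loading any `\ssshim.dll` regardless of its path, and the matching hunk in `image_load_susp_dll_load_system_process.yml` (`@@ -23,12 +23,17`) notes that the DLL is sometimes loaded from `%temp%`, which is exactly the user-writable location that rule exists to flag. If the legitimate load location is known, constrain the exemption with an `ImageLoaded|startswith` on that directory and keep the Temp case visible; if the Temp load is genuinely expected, record it under `falsepositives` rather than only in a comment. The origin comment used in the other rule (`# Example CLI that generates this event ...`) is worth copying into this rule's `filter_cleanmgr`, which currently has none.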
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) date: 2022/07/17 -modified: 2022/09/10 +modified: 2022/09/29 tags: - attack.defense_evasion - attack.t1070 @@ -23,12 +23,17 @@ detection: - '\Downloads\' - '\AppData\Local\Temp\' - 'C:\PerfLogs\' - filter: + filter_generic: - Image|endswith: '\msiexec.exe' - ImageLoaded|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - condition: selection and not filter + filter_cleanmgr: + # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C: + # Sometimes the DLL gets loaded from %temp% + Image: 'C:\Windows\System32\cleanmgr.exe' + ImageLoaded|endswith: '\ssshim.dll' + condition: selection and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml index 03df88539..a6e6506f3 100755 --- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml 
@@ -6,18 +6,22 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Kutepov Anton, oscd.community date: 2019/10/23 -modified: 2022/03/26 +modified: 2022/09/29 logsource: category: registry_add product: windows detection: selection: EventType: 'CreateKey' # don't want DeleteKey events - TargetObject|contains|all: + TargetObject|contains|all: - 'HKU\' - 'Classes\CLSID\' - '\TreatAs' - condition: selection + filter_svchost: + # Example of target object by svchost + # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs + Image: 'C:\WINDOWS\system32\svchost.exe' + condition: selection and not 1 of filter_* falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compatibility level: medium diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml index 9313a2ea7..6b453e15e 100644 --- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml 
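Review bot: `filter_svchost` exempts every `TreatAs` key created by `C:\WINDOWS\system32\svchost.exe`, while the example in its own comment is tied to one CLSID (`{0003000A-0000-0000-C000-000000000046}`); since svchost hosts many services, an image-only exemption is broader than the observed false positive. Adding `TargetObject|contains: '{0003000A-0000-0000-C000-000000000046}'` alongside `Image` would keep the exemption scoped to the case that was seen. The same pattern appears in the `registry_set_treatas_persistence.yml` hunk that follows (`@@ -19,10 +19,15`), whose two example keys reference the same CLSID.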
@@ -19,10 +19,15 @@ detection: Image|endswith: '\OfficeClickToRun.exe' filter_office2: Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + filter_svchost: + # Example of target object by svchost + # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) + # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) + Image: 'C:\WINDOWS\system32\svchost.exe' condition: selection and not 1 of filter_* falsepositives: - Legitimate use level: medium tags: - - attack.persistence - - attack.t1546.015 + - attack.persistence + - attack.t1546.015 From 47dbe6081d9f3f1e26e9035a7fb773e319429d4b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 29 Sep 2022 12:15:10 +0200 Subject: [PATCH 19/31] Update proc_creation_win_susp_conhost.yml --- .../proc_creation_win_susp_conhost.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 430e9364d..3d683d11e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2021/12/17 +modified: 2022/09/29 tags: - attack.defense_evasion - attack.t1202 
@@ -16,9 +16,14 @@ logsource: detection: selection: ParentImage|endswith: '\conhost.exe' - filter: + filter_provider: Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora - condition: selection and not filter + filter_git: + # Example FP: + # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file + Image|endswith: '\git.exe' + ParentCommandLine|contains: ' show ' + condition: selection and not 1 of filter_* fields: - Image - CommandLine From d8ff3339aa416ec9924041e3bd03f7d5517f81ad Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 29 Sep 2022 13:31:16 +0200 Subject: [PATCH 20/31] antSword webshell --- rules/proxy/proxy_ua_malware.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index 793bf6d05..b448d4123 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml @@ -10,7 +10,7 @@ references: - https://perishablepress.com/blacklist/ua-2013.txt - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents date: 2017/07/08 -modified: 2022/09/05 +modified: 2022/09/29 logsource: category: proxy detection: @@ -76,6 +76,7 @@ detection: - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update + - 'antSword/v2.1' # AntSword Webshell UA condition: selection fields: - ClientIP From c31fe50f4da9adca98559723e13cecccda1ee784 Mon Sep 17 00:00:00 2001 
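Review bot: The `filter_git` example shows `ParentCommandLine` as `"C:\Program Files\Git\cmd\git.exe" show --textconv ...`, yet `selection` requires `ParentImage|endswith: '\conhost.exe'`, so the parent image and parent command line in the example describe different binaries. If that pairing is how the telemetry source reports it (the existing `filter_provider` already notes a provider quirk with Aurora), a comment saying so would keep the next reader from treating the example as a mistake, e.g. `# ParentImage is conhost.exe in this telemetry even though ParentCommandLine shows git.exe - confirm`. `Image|endswith: '\git.exe'` is also not path-constrained; if the install path in the example is stable, `Image|startswith: 'C:\Program Files\Git\'` would narrow the exemption.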
From: Florian Roth Date: Thu, 29 Sep 2022 13:41:20 +0200 Subject: [PATCH 21/31] fix: FPs noticed in THOR testing --- .../create_remote_thread_win_susp_targets.yml | 6 +++- ...proc_access_win_cred_dump_lsass_access.yml | 6 +++- ...egistry_set_terminal_server_suspicious.yml | 35 +++++++++++++++++++ ...registry_set_terminal_server_tampering.yml | 13 +++---- 4 files changed, 50 insertions(+), 10 deletions(-) create mode 100644 rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml index 8521d3bb0..6bd381d64 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml @@ -6,7 +6,7 @@ references: - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection author: Florian Roth date: 2022/03/16 -modified: 2022/08/17 +modified: 2022/09/29 logsource: product: windows category: create_remote_thread @@ -22,6 +22,10 @@ detection: - '\explorer.exe' filter: StartFunction: 'EtwpNotificationThread' + filter_programfiles: + SourceImage|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index b322595a4..81022ce86 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml 
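Review bot: The new `filter_programfiles` block is never referenced: `condition` stays `selection and not filter`, so the `SourceImage|startswith` exemption has no effect and the false positives the commit title describes are not suppressed. Change it to `condition: selection and not 1 of filter*` (the form already used in `win_lsass_access_non_system_account.yml` in this series), or rename the existing `filter` to `filter_main` and use `1 of filter_*` like the other rules touched here. Sigma's rule tests also tend to reject detection items that no condition references, so this would likely fail CI as well.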
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2022/09/13 +modified: 2022/09/29 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -122,6 +122,10 @@ detection: filter_malwarebytes: SourceImage: 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' GrantedAccess: '0x1410' + filter_defender: + CallTrace|contains: + - '|c:\program files\windows defender\mprtp.dll' + - '|c:\program files\windows defender\MpClient.dll' # Old - too broad filter # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts # - '\wmiprvse.exe' diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml new file mode 100644 index 000000000..8d8c3eb24 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml 
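Review bot: `filter_defender` excludes on CallTrace alone, so any source process whose call stack passes through the two Defender DLLs is dropped regardless of SourceImage, whereas the neighbouring `filter_malwarebytes` pins both SourceImage and GrantedAccess. Pair the CallTrace entries with a SourceImage constraint for the Defender process observed in the FP, and note the case inconsistency between `mprtp.dll` and `MpClient.dll` in the two entries (harmless on case-insensitive backends, but worth normalising). The rule's condition is outside this hunk, so whether the filter is already wired in via `1 of filter*` cannot be confirmed here.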
@@ -0,0 +1,35 @@ +title: RDP Sensitive Settings Changed +id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b +related: + - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c + type: similar +status: test +description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc +author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali +references: + - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key + - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique + - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html + - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ + - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information + - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) +date: 2022/09/29 +logsource: + category: registry_set + product: windows +detection: + selection: + TargetObject|endswith: + - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled + - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions + - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established + 
Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) +level: medium +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml index c41ddf350..f14fc77fe 100644 --- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml @@ -5,6 +5,8 @@ related: type: obsoletes - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 type: obsoletes + - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b + type: similar status: test description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali @@ -17,6 +19,7 @@ references: - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) date: 2022/08/06 +modified: 2022/09/29 logsource: category: registry_set product: windows 
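Review bot: The `description` is copied from the tampering rule and still claims the rule detects 'fAllowUnsolicited', which this file's selection does not contain; it only covers the three values set to DWORD 0. Reword it to match, e.g. `description: Detects changes to sensitive RDP settings that enable RDP (fDenyTSConnections set to 0), allow multiple sessions per user (fSingleSessionPerUser set to 0) or disable Network Level Authentication (UserAuthentication set to 0)`. The selection also matches on value name `endswith` only, without the `\Control\Terminal Server\` / `Terminal Services\` key constraint the tampering rule keeps in `selection_terminal_services_key`, so a same-named value under an unrelated key would fire; consider adding that key selection here too. Minor: the reference comments read "Shadow RPD" (RDP) and one of them is missing its closing parenthesis.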
@@ -37,13 +40,7 @@ detection: TargetObject|contains: - '\Control\Terminal Server\' - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\' - selection_terminal_services_values_0: - TargetObject|endswith: - - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled - - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions - - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established - Details: 'DWORD (0x00000000)' - selection_terminal_services_values_1: + selection_terminal_services_values: TargetObject|endswith: - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers - '\fAllowUnsolicitedFullControl' @@ -56,7 +53,7 @@ detection: - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. - '\Control\Terminal Server\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. - condition: selection_shadow or (selection_terminal_services_key and 1 of selection_terminal_services_values_*) or selection_tamper_only + condition: selection_shadow or (selection_terminal_services_key and selection_terminal_services_values) or selection_tamper_only falsepositives: - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) level: high From 14fdf75ab500a116c52227dc3681a8d9e55571e8 Mon Sep 17 00:00:00 2001 
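Review bot: After moving the DWORD-0 values out, this file's `description` (visible in the earlier hunk's context as `... or enabling RDP via 'fDenyTSConnections'...etc`) now names a value the rule no longer matches. Update it to describe only the remaining selections, e.g. the unsolicited remote assistance values and the InitialProgram keys, so the documentation agrees with the detection logic. The condition rename to `selection_terminal_services_values` is consistent with the removal.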
From: Florian Roth Date: Thu, 29 Sep 2022 13:51:09 +0200 Subject: [PATCH 22/31] fix: FPs noticed with THOR --- rules/windows/builtin/security/win_possible_dc_shadow.yml | 8 ++++---- .../powershell_script/posh_ps_accessing_win_api.yml | 6 +++--- .../process_access/proc_access_win_lsass_memdump.yml | 4 +++- .../registry_set_change_winevt_channelaccess.yml | 7 ++++++- 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/rules/windows/builtin/security/win_possible_dc_shadow.yml b/rules/windows/builtin/security/win_possible_dc_shadow.yml index 4246d4891..db744f2d6 100644 --- a/rules/windows/builtin/security/win_possible_dc_shadow.yml +++ b/rules/windows/builtin/security/win_possible_dc_shadow.yml @@ -1,10 +1,10 @@ -title: Possible DC Shadow +title: Possible DC Shadow Attack id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed description: Detects DCShadow via create new SPN status: experimental author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah date: 2019/10/25 -modified: 2021/07/06 +modified: 2022/09/29 references: - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml - https://twitter.com/gentilkiwi/status/1003236624925413376 @@ -26,5 +26,5 @@ detection: AttributeValue|startswith: 'GC/' condition: selection1 or selection2 falsepositives: - - Exclude known DCs -level: high + - Valid on domain controllers; exclude known DCs +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml index 5d29c0819..558746b04 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detecting use WinAPI Functions in PowerShell author: Nikita Nazarov, oscd.community, Tim Shelton date: 2020/10/06 -modified: 2022/05/23 +modified: 2022/09/29 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -41,8 +41,8 @@ detection: # - 'WriteByte' # FP with .NET System.IO.FileStream - 'WriteInt32' - 'OpenThreadToken' - - 'PtrToString' - - 'FreeHGlobal' + # - 'PtrToString' + # - 'FreeHGlobal' - 'ZeroFreeGlobalAllocUnicode' - 'OpenProcessToken' - 'GetTokenInformation' diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index 1b9c6a1f3..0f20ccca4 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml @@ -4,7 +4,7 @@ status: experimental description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. author: Samir Bousseaden, Michael Haag date: 2019/04/03 -modified: 2022/03/20 +modified: 2022/09/29 references: - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -40,6 +40,8 @@ detection: - '\thor\thor64.exe+' - '|UNKNOWN(' GrantedAccess: '0x103800' + filter_sysmon: + SourceImage: 'C:\Windows\Sysmon64.exe' condition: selection and not 1 of filter* falsepositives: - False positives are present when looking for 0x1410. Exclusions may be required. diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml index 234213d68..02b5704aa 100644 --- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml 
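Review bot: The two newly commented-out entries `# - 'PtrToString'` and `# - 'FreeHGlobal'` carry no reason, while the existing commented entry above documents its cause (`# - 'WriteByte' # FP with .NET System.IO.FileStream`). Record the FP source seen in THOR testing on each line, e.g. `# - 'PtrToString' # FP: <observed legitimate script or module>`, so the exclusion can be revisited later. Since these are common marshalling helpers in legitimate P/Invoke code, the `falsepositives` section (outside the hunk) could also state that string-marshalling calls are no longer covered.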
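Review bot: `filter_sysmon` lists only `C:\Windows\Sysmon64.exe`, so a 32-bit deployment using `Sysmon.exe` in the same directory would still produce the FP. Make `SourceImage:` a list holding both `C:\Windows\Sysmon64.exe` and `C:\Windows\Sysmon.exe`. Because the exclusion is by path alone, a comment recording the GrantedAccess seen for the Sysmon FP would let a maintainer tighten it later in the same way the neighbouring block pins `GrantedAccess: '0x103800'`.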
+++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml @@ -3,6 +3,7 @@ id: 7d9263bd-dc47-4a58-bc92-5474abab390c description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel author: frack113 date: 2022/09/17 +modified: 2022/09/29 status: experimental references: - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ @@ -21,7 +22,11 @@ detection: - '(A;;0x1;;;SY)' # Local System having GENERIC ALL - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL - condition: selection + filter_trustedinstaller: + Image: 'C:\Windows\servicing\TrustedInstaller.exe' + filter_ti_worker: + Image|endswith: '\TiWorker.exe' + condition: selection and not 1 of filter* falsepositives: - Unknown level: high From f84cdd3b7470354633f59d16626e1951a7da4ed2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 29 Sep 2022 14:07:38 +0200 Subject: [PATCH 23/31] fix: filter definition --- .../create_remote_thread_win_susp_targets.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml index 6bd381d64..afc3db3f9 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml @@ -26,7 +26,7 @@ detection: SourceImage|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - condition: selection and not filter + condition: selection and not 1 of filter* falsepositives: - Unknown level: high From cd8ed9870c90bfc7ab6ea272e61c95c76baa8a1e Mon Sep 17 00:00:00 2001 
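Review bot: `filter_ti_worker` matches `Image|endswith: '\TiWorker.exe'` from any directory, while `filter_trustedinstaller` pins the full path; since this rule guards event-channel ACLs, a binary merely named TiWorker.exe elsewhere on disk would be excluded. Anchor it to the servicing stack location, e.g. `Image|startswith: 'C:\Windows\WinSxS\'` together with `Image|endswith: '\TiWorker.exe'`. The `falsepositives` entry still reads `Unknown` although the commit adds two known ones; listing Windows servicing (TrustedInstaller/TiWorker) there keeps the metadata honest.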
From: Florian Roth Date: Fri, 30 Sep 2022 20:01:07 +0200 Subject: [PATCH 24/31] fix: FPs noticed with Aurora --- .../builtin/security/win_susp_lsass_dump_generic.yml | 4 +++- .../proc_access_win_susp_proc_access_lsass_susp_source.yml | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index 41e9ead15..6a385bc5e 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -72,7 +72,9 @@ detection: filter3: ProcessName: 'C:\Windows\CCM\CcmExec.exe' filter4: - ProcessName: 'C:\Windows\System32\taskhostw.exe' + ProcessName: + - 'C:\Windows\System32\taskhostw.exe' + - 'C:\Windows\System32\msiexec.exe' condition: 1 of selection_* and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index 726d944dc..8e49db55b 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml @@ -4,7 +4,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder author: Florian Roth date: 2021/11/27 -modified: 2022/09/20 +modified: 2022/09/30 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow 
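Review bot: Adding `C:\Windows\System32\msiexec.exe` to `filter4` suppresses every LSASS access by the Windows Installer process, and msiexec also hosts arbitrary MSI custom actions, so an LSASS access made from a malicious installer would now be silent. If the FP stems from a specific access mask or installer, constrain the filter with that field (the selections above this hunk are not visible, so the available fields cannot be confirmed here), or at least document the cause in a comment, e.g. `# FP: <product> installer observed in Aurora testing`.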
@@ -88,6 +88,10 @@ detection: SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' SourceImage|endswith: '.tmp\GoogleUpdate.exe' GrantedAccess: '0x410' + filter_adobe_temp: + SourceImage|startswith: + - 'C:\Program Files (x86)\Common Files\Adobe\ARM\' + - 'C:\Program Files\Common Files\Adobe\ARM\' condition: selection and not 1 of filter* fields: - User From 65f531fb302048d5aa79d853bcd6e91b5849dcf2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 1 Oct 2022 16:08:27 +0200 Subject: [PATCH 25/31] rule: Exchange Exploitation --- .../file_event_win_exchange_webshell_drop.yml | 32 +++++++++++++++++ .../proc_creation_win_webshell_chopper.yml | 35 +++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 rules/windows/file_event/file_event_win_exchange_webshell_drop.yml create mode 100644 rules/windows/process_creation/proc_creation_win_webshell_chopper.yml diff --git a/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml new file mode 100644 index 000000000..4bb3b6cc8 --- /dev/null +++ b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml 
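Review bot: `filter_adobe_temp` excludes every access mask from the two Adobe ARM directories, whereas the neighbouring Google filter constrains both the path and `GrantedAccess: '0x410'`. Add the access mask observed for the Adobe updater, e.g. `GrantedAccess: '<observed mask>'` under the new filter, and a short comment naming the updater executable that triggered it, so the exclusion stays as narrow as the existing ones.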
@@ -0,0 +1,32 @@ +title: Suspicious ASPX File Drop by Exchange +id: bd1212e5-78da-431e-95fa-c58e3237a8e6 +description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder +author: Florian Roth (rule), MSTI (query, idea) +status: experimental +references: + - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ + - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html + - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html +date: 2022/10/01 +tags: + - attack.persistence + - attack.t1505.003 +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: '\w3wp.exe' + CommandLine|contains: 'MSExchange' + TargetFilename|contains: + - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports + - '\inetpub\wwwroot\aspnet_client\' # from GTSC report + selection_types: + TargetFilename|endswith: + - '.aspx' + - '.asp' + - '.ashx' + condition: +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml new file mode 100644 index 000000000..7cc10f069 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml 
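Review bot: `condition:` is empty, so the rule fails validation and can never match; the series repairs it in [PATCH 26/31] with `condition: all of selection*`. Separately, `CommandLine|contains: 'MSExchange'` sits in a `file_event` rule, but Sysmon Event ID 11 (the usual source for this category) does not carry the creating process's command line, so backends mapped to Sysmon will emit a field that is never populated; the MSTI query this is credited to presumably comes from telemetry that exposes it. Either drop that field and rely on `Image|endswith: '\w3wp.exe'` plus the path constraints, or state in a comment which log source provides CommandLine for file events.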
@@ -0,0 +1,35 @@ +title: Chopper Webshell Process Pattern +id: fa3c117a-bc0d-416e-a31b-0c0e80653efb +description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells +author: Florian Roth (rule), MSTI (query) +status: experimental +references: + - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ +date: 2022/10/01 +tags: + - attack.persistence + - attack.t1505.003 + - attack.t1018 + - attack.t1033 + - attack.t1087 +logsource: + category: process_creation + product: windows +detection: + selection_origin: + - Image|endswith: '\w3wp.exe' + - ParentImage|endswith: '\w3wp.exe' + selection_cmdline: + CommandLine|contains: + - '&ipconfig&echo' + - '&quser&echo' + - '&whoami&echo' + - '&c:&echo' + - '&cd&echo' + - '&dir&echo' + - '&echo [E]' + - '&echo [S]' + condition: all of selection* +falsepositives: + - Unknown +level: high From 626a362e8f94a145cf86a56385d0b3c0230ed789 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 1 Oct 2022 16:09:53 +0200 Subject: [PATCH 26/31] fix: missing condition --- .../file_event/file_event_win_exchange_webshell_drop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml index 4bb3b6cc8..c924dd891 100644 --- a/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml +++ b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml @@ -26,7 +26,7 @@ detection: - '.aspx' - '.asp' - '.ashx' - condition: + condition: all of selection* falsepositives: - Unknown level: high From 580360b540d04af0004fcc424594080b3ff1fa08 Mon Sep 17 00:00:00 2001 
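Review bot: The new description line has a grammar slip: `Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells` should read `caused by`. The `[S]` / `[E]` entries in `selection_cmdline` are not explained; a short comment stating what the markers denote, as the referenced MSTI report describes them, would help a reader understand why these strings are treated as high-fidelity.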
From: Aaron Herman Date: Sat, 1 Oct 2022 10:52:35 -0500 Subject: [PATCH 27/31] Update description typo --- .../proc_creation_win_archiver_iso_phishing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml b/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml index 89c5e0bc0..92e0035cb 100644 --- a/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml +++ b/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml @@ -1,7 +1,7 @@ title: Phishing Pattern ISO in Archive id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1 status: experimental -description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is open a signa of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) +description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a signal of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) author: Florian Roth references: - https://twitter.com/1ZRR4H/status/1534259727059787783 From 97fab49d0977bc4796048934f918c86bc365af51 Mon Sep 17 00:00:00 2001 From: Aaron Herman Date: Sat, 1 Oct 2022 12:03:11 -0500 Subject: [PATCH 28/31] Update README for rule usage section Based on line 3 where it mentions being inside of `./tools` directory, updating line 4 to include working example that I used --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1fdeccde6..e982549dc 100644 --- a/README.md +++ b/README.md 
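Review bot: The rewritten description still contains two errors in the new line, `an ISO files is opend`; it should read `an ISO file is opened`. [PATCH 30/31], the later hunk on the same file, changes only `signal` to `sign` and leaves these in place, so the same correction applies there.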
@@ -67,7 +67,7 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2 1. Download or clone the repository 2. Check the `./rules` sub directory for an overview on the rule base 3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter -4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/proc_creation_win_susp_whoami.yml` +4. Convert a rule of your choice with `sigmac` like `./sigmac -t es-qs -c config/winlogbeat.yml ../rules/windows/process_creation/proc_creation_win_susp_whoami.yml` 5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/` 6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment From 0612aec224b55a4713db05acd95b7772edfdfb41 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 1 Oct 2022 20:10:41 +0200 Subject: [PATCH 29/31] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e982549dc..38d1e6b26 100644 --- a/README.md +++ b/README.md 
@@ -67,7 +67,7 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2 1. Download or clone the repository 2. Check the `./rules` sub directory for an overview on the rule base 3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter -4. Convert a rule of your choice with `sigmac` like `./sigmac -t es-qs -c config/winlogbeat.yml ../rules/windows/process_creation/proc_creation_win_susp_whoami.yml` +4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c config/generic/sysmon.yml ../rules/windows/process_creation/proc_creation_win_susp_whoami.yml` 5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/` 6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment From 93004a3fd5b391af2495d02ec85714f603469150 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 2 Oct 2022 10:21:04 +0200 Subject: [PATCH 30/31] Update proc_creation_win_archiver_iso_phishing.yml --- .../proc_creation_win_archiver_iso_phishing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml b/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml index 92e0035cb..9d5158da4 100644 --- a/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml +++ b/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml 
@@ -1,7 +1,7 @@ title: Phishing Pattern ISO in Archive id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1 status: experimental -description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a signal of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) +description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) author: Florian Roth references: - https://twitter.com/1ZRR4H/status/1534259727059787783 From 161c8e6c2c3ebc41a28492c3d8b2f07ddc7f0ae2 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Mon, 3 Oct 2022 11:56:06 -0400 Subject: [PATCH 31/31] Update proc_creation_win_lolbins_by_office_applications.yml Adding msidb.exe references are below. https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A --- .../proc_creation_win_lolbins_by_office_applications.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml b/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml index 1a9307dc5..c9a5764a9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml 
@@ -6,7 +6,9 @@ references: - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml -author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag' + - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A + - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set +author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)' tags: - attack.t1204.002 - attack.t1047 @@ -15,7 +17,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 -modified: 2022/07/20 +modified: 2022/10/03 logsource: product: windows category: process_creation @@ -30,6 +32,7 @@ detection: - '\verclsid.exe' - '\msdt.exe' - '\control.exe' + - '\msidb.exe' ParentImage|endswith: - '\winword.exe' - '\excel.exe'