diff --git a/README.md b/README.md
index 3beca5442..8e1d39f52 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,9 @@ E.g.
 * Tell us about false positives (issues section)
 * Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
+In order to enhance or fix some issues with a specific PR we might ask the author for some additional input.
+In such cases, the PR will be tagged with "Author Input Required". If the author of the PR does not respond in a timely manner the PR will automatically be closed after 1 month of inactivity.
+
 ## Work on open issues
 The github issue tracker is a good place to start tackling some issues others raised to the project. It could be as easy as a review of the documentation.
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
new file mode 100644
index 000000000..b1220facd
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
@@ -0,0 +1,26 @@
+title: Potential CVE-2023-36884 Exploitation Dropped File
+id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
+status: experimental
+description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+ - https://twitter.com/wdormann/status/1679184475677130755
+ - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2023/07/13
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - cve.2023.36884
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
+ TargetFilename|endswith: '\file001.url'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml
new file mode 100644
index 000000000..d5a2d8c51
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml
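Review bot: The `TargetFilename|startswith: 'C:\Users\'` selector adds no precision over the `contains: '\AppData\Roaming\Microsoft\Office\Recent\'` clause and silently excludes profiles on another drive or a relocated profile directory; either drop it or note in `description` why the drive anchor is wanted. The rule also keys on a single exact name, `\file001.url`, while the proxy rule later in this commit lists other names observed in the same campaign (`ex001.url`, `file001.search-ms`); since the name is attacker-chosen, it would help to state in `description` which variants were actually seen dropped into the Recent folder, if the references support that, rather than leaving the reader to guess whether the list is deliberately narrow.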
@@ -0,0 +1,22 @@
+title: Potential CVE-2023-36884 Exploitation Pattern
+id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
+status: experimental
+description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+ - attack.command_and_control
+ - cve.2023.36884
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-method: 'GET'
+ c-uri|contains: '/MSHTML_C7/'
+ c-uri|re: '\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml
new file mode 100644
index 000000000..4f32a5902
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml
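Review bot: This rule's selection (`c-uri|contains: '/MSHTML_C7/'` plus the `\?d=<ip>` regex) is a strict subset of the URL-marker rule added later in this commit (id e59f71ff-…), which fires on `/MSHTML_C7/` alone, and it also overlaps the extension/IP-pattern rule (id d9365e39-…); every event matching here will raise the other two alerts as well. Consider cross-referencing the three with a `related:` block (`type: similar`) so analysts understand why they arrive together, or fold this one into the marker rule as the higher-severity case when the IP parameter is present. The same observation applies to the two proxy rules in the later hunks, so I am not repeating it there.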
@@ -0,0 +1,24 @@
+title: Potential CVE-2303-36884 URL Request Pattern Traffic
+id: d9365e39-febd-4a4b-8441-3ca91bb9d333
+status: experimental
+description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+ - attack.command_and_control
+ - cve.2023.36884
+logsource:
+ category: proxy
+detection:
+ # Examples:
+ # hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
+ # 104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
+ selection:
+ cs-method: 'GET'
+ c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml
new file mode 100644
index 000000000..abfa61ea9
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml
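Review bot: The title misspells the CVE identifier: `title: Potential CVE-2303-36884 URL Request Pattern Traffic` should read `CVE-2023-36884`, matching `description`, the `cve.2023.36884` tag and the other rules in this set; anyone searching alerts by CVE will miss this one. The file name carries a second typo (`extenstion`), and `description` spells the actor `RomCOM` where the sibling rules write `RomCom`; both are worth aligning before the rule id gets referenced elsewhere.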
@@ -0,0 +1,32 @@
+title: Potential CVE-2023-36884 Exploitation - File Downloads
+id: 6af1617f-c179-47e3-bd66-b28034a1052d
+status: experimental
+description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+ - attack.command_and_control
+ - cve.2023.36884
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-method: 'GET'
+ c-uri|contains:
+ - '/ex001.url'
+ - '/file001.search-ms'
+ - '/file001.url'
+ - '/file001.vbs'
+ - '/file1.mht'
+ - '/o2010.asp'
+ - '/redir_obj.html'
+ - '/RFile.asp'
+ - '/zip_k.asp'
+ - '/zip_k2.asp'
+ - '/zip_k3.asp'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml
new file mode 100644
index 000000000..af236df6b
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml
@@ -0,0 +1,21 @@
+title: Potential CVE-2023-36884 Exploitation - URL Marker
+id: e59f71ff-c042-4f7a-8a82-8f53beea817e
+status: experimental
+description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+ - attack.command_and_control
+ - cve.2023.36884
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-method: 'GET'
+ c-uri|contains: '/MSHTML_C7/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
new file mode 100644
index 000000000..9e9d57a5c
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
@@ -0,0 +1,28 @@
+title: Potential CVE-2023-36884 Exploitation - Share Access
+id: 3df95076-9e78-4e63-accb-16699c3b74f8
+status: experimental
+description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/13
+tags:
+ - attack.command_and_control
+ - cve.2023.36884
+logsource:
+ product: windows
+ service: security
+ definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
+detection:
+ selection_eid:
+ EventID: 5140
+ selection_share_name:
+ ShareName|contains: '\MSHTML_C7\'
+ ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ selection_share_path:
+ ShareLocalPath|contains: '\MSHTML_C7\'
+ ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ condition: selection_eid and 1 of selection_share_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
new file mode 100644
index 000000000..50b32bc54
--- /dev/null
+++ b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
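Review bot: As I understand Security event 5140, it is recorded on the host that serves the share, not on the client that connects to it, so this rule only fires when a share following the `\MSHTML_C7\` naming scheme is hosted on a monitored Windows machine; the attacker-hosted share described in the reference would produce no 5140 on the victim. That scope should be stated in `description` (e.g. `Requires file-share auditing on the host serving the share; does not see victim-side connections to external shares`) so the rule is not relied on for client-side coverage. Note that the Office network-connection rule added later in this commit filters out port 445, so an Office process reaching an external SMB share is not alerted on there either; if victim-side detection of that step is wanted, it currently falls through both rules.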
@@ -0,0 +1,31 @@
+title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
+id: ea207a23-b441-4a17-9f76-ad5be47d51d3
+status: experimental
+description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
+ - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
+author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+date: 2023/07/13
+tags:
+ - detection.threat_hunting
+ - attack.discovery
+ - attack.t1518.001
+ - attack.t1016
+logsource:
+ product: windows
+ category: ps_module
+ definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
+detection:
+ selection_payload:
+ Payload|contains:
+ - 'Get-NetFirewallRule'
+ - 'Show-NetFirewallRule'
+ selection_contextinfo:
+ ContextInfo|contains:
+ - 'Get-NetFirewallRule'
+ - 'Show-NetFirewallRule'
+ condition: 1 of selection_*
+falsepositives:
+ - Administration scripts
+level: low
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
new file mode 100644
index 000000000..2ef3a4d9b
--- /dev/null
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
@@ -0,0 +1,23 @@
+title: Windows Mail App Mailbox Access Via PowerShell Script
+id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3
+status: experimental
+description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
+author: frack113
+date: 2023/07/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.008
+ - detection.threat_hunting
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection:
+ ScriptBlockText|contains: '\Comms\Unistore\data'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
new file mode 100644
index 000000000..3369c27b5
--- /dev/null
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
@@ -0,0 +1,28 @@
+title: Potential Registry Reconnaissance Via PowerShell Script
+id: 064060aa-09fb-4636-817f-020a32aa7e9e
+related:
+ - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
+ type: similar
+status: experimental
+description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
+author: frack113
+date: 2023/07/02
+tags:
+ - attack.discovery
+ - attack.t1012
+ - attack.t1007
+ - detection.threat_hunting
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection:
+ # TODO: switch to |re|i: after sigma specification v2 is released
+ ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
+ condition: selection
+falsepositives:
+ - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
+level: medium
diff --git a/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
new file mode 100644
index 000000000..6755f3547
--- /dev/null
+++ b/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
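Review bot: In the `ScriptBlockText|re` alternation the last branch, `CurrentVersion\\Windows\winlogon`, has a single backslash before `winlogon`, so the regex engine reads `\w` (one word character) rather than a literal backslash and the branch can never match a path that actually contains `\Windows\winlogon`; the other branches consistently use `\\`. The literal form would be `CurrentVersion\\Windows\\winlogon`. It is also worth confirming against the referenced atomic which key is intended, since the Winlogon key lives under `Windows NT\CurrentVersion\Winlogon`, i.e. `CurrentVersion\\Winlogon` with no `Windows\` segment in between.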
@@ -0,0 +1,27 @@
+title: AWS IAM S3Browser LoginProfile Creation
+id: db014773-b1d3-46bd-ba26-133337c0ffee
+status: experimental
+description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
+references:
+ - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
+author: daniel.bohannon@permiso.io (@danielhbohannon)
+date: 2023/05/17
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1059.009
+ - attack.t1078.004
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: 'iam.amazonaws.com'
+ eventName:
+ - 'GetLoginProfile'
+ - 'CreateLoginProfile'
+ userAgent|contains: 'S3 Browser'
+ condition: selection
+falsepositives:
+ - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
+level: high
diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml
index 9eeebb88d..1e53895de 100644
--- a/rules/web/proxy_generic/proxy_ua_malware.yml
+++ b/rules/web/proxy_generic/proxy_ua_malware.yml
@@ -23,7 +23,7 @@ detection:
 selection:
 c-useragent:
 # RATs
- - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK
+ - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
 - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
 - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5
diff --git a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml
new file mode 100644
index 000000000..9340c6090
--- /dev/null
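Review bot: `description` says the rule detects reconnaissance for users without a LoginProfile and *then* creation of one, but `eventName` is an OR list, so a single `GetLoginProfile` call carrying the `S3 Browser` user agent is enough to raise a `level: high` alert; no sequence is checked. Either reword to `Detects S3 Browser issuing GetLoginProfile lookups or CreateLoginProfile calls against IAM users` or split the two events into separate selections with levels that match their severity — the `falsepositives` entry already concedes that plain listing is routine. The `GetLoginProfile`-only case is the one most likely to page an analyst needlessly.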
+++ b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml
@@ -0,0 +1,33 @@
+title: Suspicious Office Outbound Connections
+id: 3b5ba899-9842-4bc2-acc2-12308498bf42
+status: experimental
+description: Detects office suit applications communicating to target systems on uncommon ports
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\excel.exe'
+ - '\outlook.exe'
+ - '\powerpnt.exe'
+ - '\winword.exe'
+ - '\wordpad.exe'
+ - '\wordview.exe'
+ filter_main_ports:
+ DestinationPort:
+ - 139
+ - 443
+ - 445
+ - 80
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Other ports can be used, apply additional filters accordingly
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
new file mode 100644
index 000000000..55bcb8aa4
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
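Review bot: `filter_main_ports` only excludes 80, 139, 443 and 445, yet `\outlook.exe` is in the image list and routinely talks to mail servers on 25, 143, 587, 993 and 995, so ordinary mail traffic will trip this rule on every Outlook host; either add those ports to the filter or move Outlook into a rule of its own with a mail-aware baseline. There is also no `Initiated: 'true'` constraint, so if the log source records inbound connections to these processes they match as well. Minor: `description` reads `office suit applications` — `office suite`.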
@@ -0,0 +1,32 @@
+title: PowerShell Script Change Permission Via Set-Acl - PsScript
+id: cae80281-ef23-44c5-873b-fd48d2666f49
+related:
+ - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+ type: derived
+ - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+ type: derived
+ - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+ type: derived
+status: experimental
+description: Detects PowerShell scripts set ACL to of a file or a folder
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
+tags:
+ - attack.defense_evasion
+ - attack.t1222
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Set-Acl '
+ - '-AclObject '
+ - '-Path '
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
new file mode 100644
index 000000000..6dd1f8085
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
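Review bot: `description` is ungrammatical: `Detects PowerShell scripts set ACL to of a file or a folder` — suggest `Detects PowerShell scripts that set the ACL of a file or a folder`. Since all three strings in `ScriptBlockText|contains|all` are named parameters, a positional call such as `Set-Acl $path $acl` is not covered; that is acceptable for a low-level rule, but a sentence in `description` or `falsepositives` stating that only the named-parameter form is matched would save the next reader from assuming broader coverage.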
@@ -0,0 +1,49 @@
+title: PowerShell Set-Acl On Windows Folder - PsScript
+id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
+related:
+ - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+ type: derived
+ - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+ type: derived
+ - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+ type: derived
+status: experimental
+description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
+tags:
+ - attack.defense_evasion
+ - attack.t1222
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains|all:
+ - 'Set-Acl '
+ - '-AclObject '
+ selection_paths:
+ # Note: Add more suspicious paths
+ ScriptBlockText|contains:
+ - '-Path "C:\Windows'
+ - '-Path "C:/Windows'
+ - "-Path 'C:\\Windows"
+ - "-Path 'C:/Windows"
+ - '-Path C:\\Windows'
+ - '-Path C:/Windows'
+ - '-Path $env:windir'
+ - '-Path "$env:windir'
+ - "-Path '$env:windir"
+ selection_permissions:
+ # Note: Add more suspicious permissions
+ ScriptBlockText|contains:
+ - 'FullControl'
+ - 'Allow'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
index a997c77f2..b72143303 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
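Review bot: In `selection_paths` the single-quoted entry `'-Path C:\\Windows'` is the odd one out: YAML single quotes do not process escapes, so this is a literal doubled backslash and will not match `-Path C:\Windows`, whereas its neighbours use either `'...\Windows'` in single quotes or `\\` inside double quotes, both of which yield one backslash. Unless a doubled backslash was deliberately targeted, the intended line is `- '-Path C:\Windows'`. Separately, `selection_permissions` accepting the bare string `Allow` means any `Set-Acl` under the Windows folder that grants an allow ACE fires at `level: high`; the `# Note: Add more suspicious permissions` comment suggests that list was a placeholder, so it is worth confirming the breadth is intended.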
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
@@ -7,7 +7,7 @@ references:
 - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
 author: frack113
 date: 2021/07/07
-modified: 2023/02/03
+modified: 2023/07/18
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -30,4 +30,4 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Unknown
-level: medium
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
new file mode 100644
index 000000000..5dbc22e03
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
@@ -0,0 +1,38 @@
+title: PowerShell Script Change Permission Via Set-Acl
+id: bdeb2cff-af74-4094-8426-724dc937f20a
+related:
+ - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+ type: derived
+ - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+ type: derived
+ - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+ type: derived
+status: experimental
+description: Detects PowerShell execution to set the ACL of a file or a folder
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+ - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/10/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ selection_cmdlet:
+ CommandLine|contains|all:
+ - 'Set-Acl '
+ - '-AclObject '
+ - '-Path '
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
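Review bot: This rule ships with `level: high`, but every `related` comment that points at it in this commit (`bdeb2cff-… # ProcCreation Low`, in the two ps_script rules and in the susp_location sibling) describes it as the low-severity variant, and its detection (`Set-Acl `, `-AclObject `, `-Path ` with no path or permission constraint) is the same generic pattern the ps_script counterpart ships at `level: low`. One of the two must change; given that the `_susp_location` rule is meant to be the high-severity one, `level: low` looks like the intended value here. `date: 2022/10/18` on a file that is new in this commit also reads like a leftover from a copied rule — worth confirming.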
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
new file mode 100644
index 000000000..b9a60ecb7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
@@ -0,0 +1,49 @@
+title: PowerShell Set-Acl On Windows Folder
+id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+related:
+ - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+ type: derived
+ - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+ type: derived
+ - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+ type: derived
+status: experimental
+description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+ - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/10/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ selection_cmdlet:
+ CommandLine|contains|all:
+ - 'Set-Acl '
+ - '-AclObject '
+ selection_paths:
+ # Note: Add more suspicious paths
+ CommandLine|contains:
+ - '-Path "C:\Windows'
+ - "-Path 'C:\\Windows"
+ - '-Path %windir%'
+ - '-Path $env:windir'
+ selection_permissions:
+ # Note: Add more suspicious permissions
+ CommandLine|contains:
+ - 'FullControl'
+ - 'Allow'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/tests/cti b/tests/cti
index a89063049..340ee4525 160000
--- a/tests/cti
+++ b/tests/cti
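Review bot: `selection_paths` here covers the quoted `C:\Windows`, `%windir%` and `$env:windir` spellings but, unlike the ps_script sibling added in this commit (`3bf1d859-…`), omits the forward-slash forms (`-Path "C:/Windows`, `-Path C:/Windows`), the unquoted `-Path C:\Windows` and the quoted `$env:windir` variants, so the same command caught in script block logs slips past the process-creation rule. Aligning the two lists — or noting in `description` that the command-line variant is intentionally narrower — would prevent the drift the two `# Note: Add more suspicious paths` comments already anticipate. The `Allow` entry in `selection_permissions` carries the same breadth concern as in the ps_script rule.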
@@ -1 +1 @@
-Subproject commit a89063049d8440b23100fc40e0cca06f748d0b8f
+Subproject commit 340ee452560dcc41c03664637611e529a11bedf2