From 9b550f6858eab1010fff48ad2de085de95479894 Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 9 Jan 2023 10:19:41 +0100
Subject: [PATCH 1/2] Add win_vhdmp_mount_iso
---
 .../builtin/vhdmp/win_vhdmp_mount_iso.yml | 23 +++++++++++++++++++
 tests/logsource.json | 3 ++-
 tools/config/elk-windows.yml | 5 ++++
 tools/config/elk-winlogbeat-sp.yml | 5 ++++
 tools/config/elk-winlogbeat.yml | 5 ++++
 tools/config/fireeye-helix.yml | 5 ++++
 tools/config/generic/windows-services.yml | 8 ++++++-
 tools/config/hawk.yml | 5 ++++
 tools/config/logpoint-windows.yml | 5 ++++
 tools/config/logstash-windows.yml | 5 ++++
 tools/config/powershell.yml | 7 +++++-
 tools/config/splunk-windows.yml | 5 ++++
 tools/config/sumologic.yml | 5 ++++
 tools/config/thor.yml | 5 ++++
 tools/config/winlogbeat-modules-enabled.yml | 5 ++++
 tools/config/winlogbeat-old.yml | 5 ++++
 tools/config/winlogbeat.yml | 5 ++++
 tools/config/zircolite.yml | 7 +++++-
 18 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml
diff --git a/rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml b/rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml
new file mode 100644
index 000000000..257b09f7e
--- /dev/null
+++ b/rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml
@@ -0,0 +1,23 @@
+title: Windows Iso Mount
+id: ff7ff483-79ab-4434-bbbb-6e1b2b5b0cce
+status: experimental
+description: Detects a ISO file has been mount in explorer
+references:
+ - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
+author: frack113
+date: 2023/01/09
+tags:
+ - attack.initial_access
+logsource:
+ product: windows
+ service: vhdmp
+detection:
+ selection:
+ EventID:
+ - 1
+ - 12
+ - 25
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tests/logsource.json b/tests/logsource.json
index af0264b4f..925d9806e 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
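Review bot: The selection fires on any of EventID 1, 12 or 25 in the vhdmp channel without constraining which image was mounted, so the title `Windows Iso Mount` promises more than the rule checks if that channel also records VHD/VHDX mounts under the same IDs (not verifiable from this hunk). If the events carry a field with the image path, a selector such as `<ImagePathField>|endswith: '.iso'` would make the rule match its title; otherwise rename the title to describe the surface-level event. The description also needs rewording: `description: Detects that an ISO file has been mounted in Explorer`. The second patch in this series deletes this file again, so these points only matter if the rule is reinstated.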
@@ -86,7 +86,8 @@
 "dns-server":[],
 "printservice-admin":[],
 "msexchange-management":[],
- "applocker":[]
+ "applocker":[],
+ "vhdmp":[]
 }
 },
 "linux":{
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index 458f64607..fbc7f26be 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -114,4 +114,9 @@ logsources:
 service: bitlocker
 conditions:
 EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ EventLog: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 90f764db2..90684e8a8 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -114,6 +114,11 @@ logsources:
 service: bitlocker
 conditions:
 log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ log_name: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex:
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index cb0d4e24a..12c12844b 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -114,6 +114,11 @@ logsources:
 service: bitlocker
 conditions:
 logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ logname: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index ff57115d1..f1bdce047 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -142,6 +142,11 @@ logsources:
 service: bitlocker
 conditions:
 channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ channel: 'Microsoft-Windows-VHDMP-Operational'
 linux:
 product: linux
 index: posix
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index 813e34ee4..d8cbb3456 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -192,4 +192,10 @@ logsources:
 product: windows
 service: ldap_debug
 conditions:
- Provider_Name: 'Microsoft-Windows-LDAP-Client/Debug'
\ No newline at end of file
+ Provider_Name: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ Provider_Name: 'Microsoft-Windows-VHDMP-Operational'
+ 
\ No newline at end of file
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 630ef12c7..c32fb1483 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -128,6 +128,11 @@ logsources:
 service: bits-client
 conditions:
 event_channel: "Microsoft-Windows-Bits-Client/Operational"
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ event_channel: 'Microsoft-Windows-VHDMP-Operational'
 windows-network-connection:
 product: windows
 category: network_connection
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index f7faa953f..ee500508b 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
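Review bot: The windows-services.yml hunk ends with an added whitespace-only line (`+ ` followed by `\ No newline at end of file`), so the file now terminates in a trailing-space line with no final newline instead of fixing the missing newline the old file already had. Drop that last added line and let `Provider_Name: 'Microsoft-Windows-VHDMP-Operational'` be the final line, terminated by a newline, which also keeps yamllint's trailing-spaces and new-line-at-end-of-file checks quiet. The powershell.yml and zircolite.yml hunks in this patch handle the same situation correctly, so this one file stands out.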
@@ -114,6 +114,11 @@ logsources:
 service: bitlocker
 conditions:
 event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ event_source: 'Microsoft-Windows-VHDMP-Operational'
 fieldmappings:
 EventID: event_id
 FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 48bcf02c0..3ac6dcb3b 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -135,4 +135,9 @@ logsources:
 service: bitlocker
 conditions:
 Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ Channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 556051e6c..43da93080 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -155,4 +155,9 @@ logsources:
 product: windows
 service: bitlocker
 conditions:
- LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
\ No newline at end of file
+ LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ LogName: 'Microsoft-Windows-VHDMP-Operational'
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 1df7507d0..5c0daafeb 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -176,5 +176,10 @@ logsources:
 service: windefend
 conditions:
 source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ source: 'Microsoft-Windows-VHDMP-Operational'
 fieldmappings:
 EventID: EventCode
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index d23d40698..a496b4b44 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
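Review bot: The new splunk-windows.yml entry sets `source: 'Microsoft-Windows-VHDMP-Operational'` while the adjacent windefend entry in the same hunk carries the `WinEventLog:` prefix, so queries generated for vhdmp rules would filter on a source value that, if the prefix is what this backend's sources actually carry, never matches and the rule silently produces no hits. Align it with its neighbour: `source: 'WinEventLog:Microsoft-Windows-VHDMP-Operational'`. The thor.yml hunk has the same omission (`- 'Microsoft-Windows-VHDMP-Operational'` next to a `WinEventLog:`-prefixed bitlocker source) and should get the same prefix.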
@@ -145,6 +145,11 @@ logsources:
 service: bitlocker
 conditions:
 source: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ source: 'Microsoft-Windows-VHDMP-Operational'
 apache:
 service: apache
 index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 5eb6437e4..89df6a371 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -419,6 +419,11 @@ logsources:
 service: bitlocker
 sources:
 - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp:
+ product: windows
+ service: vhdmp
+ sources:
+ - 'Microsoft-Windows-VHDMP-Operational'
 apache:
 category: webserver
 sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index ce55c210f..7d8189e32 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -159,6 +159,11 @@ logsources:
 service: bitlocker
 conditions:
 winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 6234fc1ed..f0dc37930 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
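Review bot: The winlogbeat-modules-enabled.yml entry keys its condition on `winlog_channel` while the bitlocker entry directly above it, and every other Windows entry visible in this file, uses `winlog.channel`; the underscore form is almost certainly a typo, and a condition on a field the events do not carry means generated queries for vhdmp rules would not match the channel at all. Change it to `winlog.channel: 'Microsoft-Windows-VHDMP-Operational'`. The winlogbeat.yml hunk in this patch repeats the same `winlog_channel` typo and needs the same fix.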
@@ -122,6 +122,11 @@ logsources:
 service: bitlocker
 conditions:
 log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ log_name: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 7948fcf8c..b2716b44c 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -148,6 +148,11 @@ logsources:
 service: bitlocker
 conditions:
 winlog.channel: 'bitlocker'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml
index 302589b0a..4cc5d945f 100644
--- a/tools/config/zircolite.yml
+++ b/tools/config/zircolite.yml
@@ -113,4 +113,9 @@ logsources:
 product: windows
 service: bits-client
 conditions:
- Channel: 'Microsoft-Windows-Bits-Client/Operational'
\ No newline at end of file
+ Channel: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-vhdmp-Operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ Channel: 'Microsoft-Windows-VHDMP-Operational'
From b75c1de196b4af764dc6e9c1e2c759b8631ea578 Mon Sep 17 00:00:00 2001
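Review bot: The zircolite.yml logsource key is spelled `windows-vhdmp-Operational` with a capital O, whereas the sixteen other backend configs in this patch and the file's own existing keys use lower-case kebab-case (`windows-vhdmp-operational`); anyone grepping for the vhdmp mapping across tools/config will miss this one. Rename it to `windows-vhdmp-Operational:` → `windows-vhdmp-operational:`. thor.yml's `windows-vhdmp:` is the other odd one out and could take the same name for consistency, though its key is only a label and the mismatch is cosmetic there.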
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 11 Jan 2023 17:59:10 +0100
Subject: [PATCH 2/2] Delete win_vhdmp_mount_iso.yml
---
 .../builtin/vhdmp/win_vhdmp_mount_iso.yml | 23 -------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml
diff --git a/rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml b/rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml
deleted file mode 100644
index 257b09f7e..000000000
--- a/rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Windows Iso Mount
-id: ff7ff483-79ab-4434-bbbb-6e1b2b5b0cce
-status: experimental
-description: Detects a ISO file has been mount in explorer
-references:
- - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
-author: frack113
-date: 2023/01/09
-tags:
- - attack.initial_access
-logsource:
- product: windows
- service: vhdmp
-detection:
- selection:
- EventID:
- - 1
- - 12
- - 25
- condition: selection
-falsepositives:
- - Unknown
-level: medium