OSCD Task 1 - Privilege Escalation

rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml

@@ -0,0 +1,33 @@
+title: Meterpreter or Cobalt Strike getsystem service installation
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+    - attack.privilege_escalation
+    - attack.t1134
+logsource:
+    product: windows
+    service: system
+detection:
+    service_installation_event:
+        EventID:
+            - 7045
+            - 4697
+    cmd_or_comspec:
+        ServiceFileName:
+            - '*cmd*'
+            - '*COMSPEC*'
+    getsystem_technique_1:
+        ServiceFileName: '*/c echo * > \\.\pipe\*'      #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+    getsystem_technique_2:
+        ServiceFileName: '*rundll32*.dll,a /p:*'        #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
+    condition: service_installation_event and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2)
+fields:
+    - ServiceFileName
+falsepositives:
+    - Penetration Test
+    - Unknown
+level: critical

rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml

@@ -0,0 +1,29 @@
+title: Meterpreter or Cobalt Strike getsystem service start
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+    - attack.privilege_escalation
+    - attack.t1134
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    service_start:
+        ParentImage: '*\services.exe'
+    cmd_or_comspec:
+        CommandLine:
+            - '*cmd*'
+            - '*COMSPEC*'
+    getsystem_technique_1:
+        CommandLine: '*/c echo * > \\.\pipe\*'      #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+    getsystem_technique_2:
+        CommandLine: '*rundll32*.dll,a /p:*'        #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
+    condition: service_start and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2)
+falsepositives:
+    - Penetration Test
+    - Unknown
+level: critical

rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml

@@ -0,0 +1,31 @@
+title: Possible Rotten Potato detection - privilege escalation fro Service accounts to SYSTEM
+description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
+tags:
+    - attack.privilege_escalation
+    - attack.t11134
+status: experimental
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentUser:
+            - 'NT AUTHORITY\NETWORK SERVICE'
+            - 'NT AUTHORITY\LOCAL SERVICE'
+        User: 'NT AUTHORITY\SYSTEM'
+    rundllexception:
+        Image: '*\rundll32.exe'
+        CommandLine: '*DavSetCookie*'
+    condition: selection and not rundllexception
+falsepositives:
+    - Unknown
+    - Penetration Test
+level: high
+enrichment:
+    - EN_0001_cache_sysmon_event_id_1_info                # http://bit.ly/314zc6x
+    - EN_0002_enrich_sysmon_event_id_1_with_parent_info   # http://bit.ly/2KmSC0l

rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml

@@ -0,0 +1,27 @@
+title: Possible privilege escalation via weak service permissions
+description: Detection of sc utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand 
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+    - https://pentestlab.blog/2017/03/30/weak-service-permissions/
+tags:
+    - attack.privilege_escalation
+    - attack.t11134
+status: experimental
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    scbynonadmin:
+        Image: '*\sc.exe'
+        IntegrityLevel: 'Medium'
+    binpath:
+        CommandLine: '*config*binPath*'
+    failurecommand:
+        CommandLine: '*failure*command*'
+    condition: scbynonadmin and (binpath or failurecommand)
+falsepositives:
+    - Unknown
+    - Penetration Test
+level: high

rules/windows/process_creation/win_whoami_as_system.yml

@@ -0,0 +1,24 @@
+
+title: Run whoami as SYSTEM
+status: experimental
+description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+author: Teymur Kheirkhabarov
+date: 2019/10/23
+tags:
+    - attack.discovery
+    - attack.privilege_escalation
+    - attack.t1033
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        User: 'NT AUTHORITY\SYSTEM'
+        Image: '*\whoami.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+    - Penetration Test
+level: high

rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml

@@ -0,0 +1,30 @@
+title: Possible privilege escalation via service registry permissions weakness
+description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+    - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
+tags:
+    - attack.privilege_escalation
+    - attack.t1058
+status: experimental
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        EventID: 13
+        IntegrityLevel: 'Medium'
+        TargetObject":
+            - '*\services\*\ImagePath'
+            - '*\services\*\FailureCommand'
+            - '*\services\*\Parameters\ServiceDll'
+    condition: selection
+falsepositives:
+    - Unknown
+    - Penetration Test
+level: high
+enrichment:
+    - EN_0001_cache_sysmon_event_id_1_info                      # http://bit.ly/314zc6x
+    - EN_0003_enrich_other_sysmon_events_with_event_id_1_data   # http://bit.ly/2ojW7fw