diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml new file mode 100644 index 000000000..3daad5999 --- /dev/null +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -0,0 +1,33 @@ +title: Meterpreter or Cobalt Strike getsystem service installation +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +author: Teymur Kheirkhabarov +date: 2019/10/26 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +tags: + - attack.privilege_escalation + - attack.t1134 +logsource: + product: windows + service: system +detection: + service_installation_event: + EventID: + - 7045 + - 4697 + cmd_or_comspec: + ServiceFileName: + - '*cmd*' + - '*COMSPEC*' + getsystem_technique_1: + ServiceFileName: '*/c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + getsystem_technique_2: + ServiceFileName: '*rundll32*.dll,a /p:*' #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + condition: service_installation_event and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2) +fields: + - ServiceFileName +falsepositives: + - Penetration Test + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml new file mode 100644 index 000000000..5baa1fc05 --- /dev/null +++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml 
@@ -0,0 +1,29 @@ +title: Meterpreter or Cobalt Strike getsystem service start +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting +author: Teymur Kheirkhabarov +date: 2019/10/26 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +tags: + - attack.privilege_escalation + - attack.t1134 +logsource: + category: process_creation + product: windows +detection: + service_start: + ParentImage: '*\services.exe' + cmd_or_comspec: + CommandLine: + - '*cmd*' + - '*COMSPEC*' + getsystem_technique_1: + CommandLine: '*/c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + getsystem_technique_2: + CommandLine: '*rundll32*.dll,a /p:*' #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + condition: service_start and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2) +falsepositives: + - Penetration Test + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml new file mode 100644 index 000000000..822ad0596 --- /dev/null +++ b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml 
@@ -0,0 +1,31 @@ +title: Possible Rotten Potato detection - privilege escalation fro Service accounts to SYSTEM +description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ +tags: + - attack.privilege_escalation + - attack.t11134 +status: experimental +author: Teymur Kheirkhabarov +date: 2019/10/26 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentUser: + - 'NT AUTHORITY\NETWORK SERVICE' + - 'NT AUTHORITY\LOCAL SERVICE' + User: 'NT AUTHORITY\SYSTEM' + rundllexception: + Image: '*\rundll32.exe' + CommandLine: '*DavSetCookie*' + condition: selection and not rundllexception +falsepositives: + - Unknown + - Penetration Test +level: high +enrichment: + - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x + - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l diff --git a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml new file mode 100644 index 000000000..6d84e3798 --- /dev/null +++ b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml 
@@ -0,0 +1,27 @@ +title: Possible privilege escalation via weak service permissions +description: Detection of sc utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://pentestlab.blog/2017/03/30/weak-service-permissions/ +tags: + - attack.privilege_escalation + - attack.t11134 +status: experimental +author: Teymur Kheirkhabarov +date: 2019/10/26 +logsource: + category: process_creation + product: windows +detection: + scbynonadmin: + Image: '*\sc.exe' + IntegrityLevel: 'Medium' + binpath: + CommandLine: '*config*binPath*' + failurecommand: + CommandLine: '*failure*command*' + condition: scbynonadmin and (binpath or failurecommand) +falsepositives: + - Unknown + - Penetration Test +level: high diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml new file mode 100644 index 000000000..7ded24ef3 --- /dev/null +++ b/rules/windows/process_creation/win_whoami_as_system.yml @@ -0,0 +1,24 @@ + +title: Run whoami as SYSTEM +status: experimental +description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment +author: Teymur Kheirkhabarov +date: 2019/10/23 +tags: + - attack.discovery + - attack.privilege_escalation + - attack.t1033 +logsource: + category: process_creation + product: windows +detection: + selection: + User: 'NT AUTHORITY\SYSTEM' + Image: '*\whoami.exe' + condition: selection +falsepositives: + - Unknown + - Penetration Test +level: high \ No newline at end of file 
diff --git a/rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml new file mode 100644 index 000000000..e62f91440 --- /dev/null +++ b/rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml @@ -0,0 +1,30 @@ +title: Possible privilege escalation via service registry permissions weakness +description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ +tags: + - attack.privilege_escalation + - attack.t1058 +status: experimental +author: Teymur Kheirkhabarov +date: 2019/10/26 +logsource: + category: process_creation + product: windows +detection: + selection: + EventID: 13 + IntegrityLevel: 'Medium' + TargetObject": + - '*\services\*\ImagePath' + - '*\services\*\FailureCommand' + - '*\services\*\Parameters\ServiceDll' + condition: selection +falsepositives: + - Unknown + - Penetration Test +level: high +enrichment: + - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x + - EN_0003_enrich_other_sysmon_events_with_event_id_1_data # http://bit.ly/2ojW7fw
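Review bot: in win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml the logsource `product: windows` / `service: system` does not cover EventID 4697, which is written to the Security log (only 7045 lives in the System log), so backends that scope the query by channel will never return the 4697 matches; either split the rule per channel or keep only 7045 to match the declared logsource. The rule also lacks the `status:` field the other new rules carry, and the file has no trailing newline. Finally, check the trailing `\*` in `'*/c echo * > \\.\pipe\*'`: under Sigma's string escaping a backslash directly before `*` denotes a literal asterisk, so "backslash followed by wildcard" has to be written `\\.\pipe\\*`.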
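Review bot: in win_meterpreter_or_cobaltstrike_getsystem_service_start.yml the `*COMSPEC*` value under `cmd_or_comspec` is unlikely to ever match a process-creation event, because the service control manager expands `%COMSPEC%` before the process is launched and the logged CommandLine therefore starts with the resolved cmd.exe path; `*cmd*` is what actually carries the match, and the AND with `getsystem_technique_1` keeps that broad substring from firing on its own. The same escaping caveat as in the service-installation rule applies to the trailing `\*` of `'*/c echo * > \\.\pipe\*'`, and this rule too is missing `status:` and a trailing newline.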
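Review bot: the tag `attack.t11134` in win_possible_privilege_escalation_using_rotten_potato.yml is not a valid ATT&CK technique ID; the first two rules in this patch use `attack.t1134`, which is evidently what is intended. The title also has a typo: "fro Service accounts" should read "from Service accounts". Since `ParentUser` is not a native field of process-creation events, the dependency on the `EN_0002_enrich_sysmon_event_id_1_with_parent_info` enrichment deserves a mention in the description so the rule is not deployed without it.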
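Review bot: win_using_sc_to_change_sevice_image_path_by_non_admin.yml repeats the malformed `attack.t11134` tag and should carry a valid ID (the form used elsewhere in this patch is `attack.t1134`); the filename also misspells "service" as "sevice" and should be renamed before merge. Worth noting in the description that `IntegrityLevel` is a Sysmon-only field, so this rule will not work against plain 4688 process-creation data even though the generic `category: process_creation` logsource suggests it would.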
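Review bot: win_whoami_as_system.yml starts with an empty line before `title:` (the lone `+` right after the `@@ -0,0 +1,24 @@` header) and has no trailing newline; both should be cleaned up so the file matches the other rules. Given `level: high`, consider replacing the bare "Unknown" under `falsepositives` with the benign sources the author expects (SYSTEM-context scripts and scheduled tasks), so analysts know what to triage against.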
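Review bot: in win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml the key `TargetObject":` carries a stray double quote, so YAML parses the field name as the literal `TargetObject"` and the selection can never match; it must read `TargetObject:`. The logsource `category: process_creation` is also wrong for this rule: it matches on Sysmon EventID 13 (registry value set), while a process_creation logsource is mapped by backends to EventID 1, so the condition is unsatisfiable as written. Use the Sysmon logsource convention of the `rules/windows/sysmon/` directory the file sits in (`product: windows`, `service: sysmon`) and keep the explicit `EventID: 13`.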