From fe2e279cfae1d703f24b6a0756f3f615ad29fcdd Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 4 Aug 2022 16:18:51 +0100
Subject: [PATCH] Add more comsvcs variations

Based on this https://twitter.com/Wietze/status/1542107456507203586
---
 other/godmode_sigma_rule.yml | 5 +-
 ...tion_win_process_dump_rundll32_comsvcs.yml | 37 ++--
 ...roc_creation_win_susp_comsvcs_procdump.yml | 34 ----
 .../proc_creation_win_webshell_hacking.yml | 171 +++++++++---------
 4 files changed, 112 insertions(+), 135 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml

diff --git a/other/godmode_sigma_rule.yml b/other/godmode_sigma_rule.yml
index b74c8723b..9d017bc40 100644
--- a/other/godmode_sigma_rule.yml
+++ b/other/godmode_sigma_rule.yml
@@ -19,7 +19,7 @@ description: 'PoC rule to detect malicious activity - following the principle: i
 status: experimental
 author: Florian Roth
 date: 2019/12/22
-modified: 2022/07/14
+modified: 2022/08/04
 level: high
 action: global
 ---
@@ -56,6 +56,9 @@ detection:
 - ' comsvcs.dll,#24' # Process dumping method apart from procdump
 - ' comsvcs.dll MiniDump' # Process dumping method apart from procdump
 - ' comsvcs.dll #24' # Process dumping method apart from procdump
+ - ' comsvcs `#' # Process dumping method apart from procdump
+ - ' comsvcs #' # Process dumping method apart from procdump
+ - ' comsvcs MiniDump' # Process dumping method apart from procdump
 - '.dmp full' # Process dumping method apart from procdump
 selection_parent_child:
 ParentImage|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
index 9bacedfbd..4143a47ad 100644
--- a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
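Review bot: The three new entries only cover the extension-less `comsvcs` when a space or backtick separates it from `#`, whereas the existing `.dll` group also lists the comma form `' comsvcs.dll,#24'`; if rundll32 resolves the extension-less module in the comma form the same way it evidently does in the space form (not verifiable from this hunk), `' comsvcs,#'` is the missing sibling that would keep the two groups symmetrical. The added lines also repeat the same generic trailing comment three more times; one `# comsvcs loaded without the .dll extension` comment above the new group would explain what distinguishes them from the entries above. The enclosing `CommandLine|contains` list starts before the hunk.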
@@ -1,36 +1,43 @@
 title: Process Dump via Rundll32 and Comsvcs.dll
 id: 646ea171-dded-4578-8a4d-65e9822892e3
-description: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
-status: experimental
+related:
+ - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
+ type: obsoletes
+description: Detects process memory dump via comsvcs.dll and rundll32 using different techniques (ordinal, minidump function...etc)
+status: test
 references:
 - https://twitter.com/shantanukhande/status/1229348874298388484
 - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
 - https://twitter.com/Hexacorn/status/1224848930795552769
-author: Florian Roth
+ - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+ - https://twitter.com/SBousseaden/status/1167417096374050817
+ - https://twitter.com/Wietze/status/1542107456507203586
+author: Florian Roth, Modexp, Nasreddine Bencherchali (update)
 date: 2020/02/18
-modified: 2021/12/08
+modified: 2022/08/04
 tags:
 - attack.defense_evasion
- - attack.t1036
 - attack.credential_access
- - car.2013-05-009
+ - attack.t1036
 - attack.t1003.001
+ - car.2013-05-009
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_comsvcs:
- CommandLine|contains:
- - 'comsvcs.dll'
- - 'rundll32'
- - '.dmp'
- selection_function:
+ selection_img:
+ - Image|endswith: '\rundll32.exe'
+ - OriginalFileName: 'RUNDLL32.EXE'
+ - CommandLine|contains: 'rundll32'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'comsvcs'
+ - 'full'
 Commandline|contains:
+ - '24 '
 - '#24'
 - '#+24'
- - 'MiniDump'
- selection_full:
- CommandLine|contains: ' full'
+ - 'MiniDump' #Matches MiniDump and MinidumpW
 unique_selection:
 CommandLine|contains: '#-4294967272' # https://twitter.com/Hexacorn/status/1224848930795552769
 condition: all of selection* or unique_selection
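Review bot: `Commandline|contains:` inside the new selection_cli block is spelled with a lowercase l while the sibling key two lines above it is `CommandLine|contains|all:`; backend field mappings match Sigma field names case-sensitively, so the lowercase key is likely to pass through unmapped, and because the two keys of a selection mapping are ANDed, selection_cli — and with it `all of selection*` — could never match on such backends, leaving only unique_selection live. The line is carried over from the old selection_function but the commit makes it load-bearing for the whole rule, so it should become `CommandLine|contains:`. Minor: `#Matches MiniDump and MinidumpW` needs a space after the hash for yamllint's comment rule, `# Matches MiniDump and MinidumpW`.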
diff --git a/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml
deleted file mode 100644
index 99c9321c1..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Process Dump via Comsvcs DLL
-id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
-status: test
-description: Detects process memory dump via comsvcs.dll and rundll32
-author: Modexp (idea)
-references:
- - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
- - https://twitter.com/SBousseaden/status/1167417096374050817
-date: 2019/09/02
-modified: 2022/07/28
-logsource:
- category: process_creation
- product: windows
-detection:
- selection__img:
- - Image|endswith: '\rundll32.exe'
- - OriginalFileName: 'RUNDLL32.EXE'
- selection_cli:
- CommandLine|contains|all:
- - 'comsvcs'
- - 'MiniDump' #Matches MiniDump and MinidumpW
- - 'full'
- condition: all of selection_*
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.defense_evasion
- - attack.t1218.011
- - attack.credential_access
- - attack.t1003.001
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
index 75b3ec1fa..dec7ea760 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
@@ -4,95 +4,96 @@ description: Detects certain parent child patterns found in cases in which a web
 author: Florian Roth
 status: experimental
 references:
- - https://youtu.be/7aemGhaE9ds?t=641
+ - https://youtu.be/7aemGhaE9ds?t=641
 date: 2022/03/17
+modified: 2022/08/04
 tags:
- - attack.persistence
- - attack.t1505.003
- - attack.t1018
- - attack.t1033
- - attack.t1087
+ - attack.persistence
+ - attack.t1505.003
+ - attack.t1018
+ - attack.t1033
+ - attack.t1087
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
 # Webserver
- selection_webserver_image:
- ParentImage|endswith:
- - '\w3wp.exe'
- - '\php-cgi.exe'
- - '\nginx.exe'
- - '\httpd.exe'
- - '\caddy.exe'
- - '\ws_tomcatservice.exe'
- selection_webserver_characteristics_tomcat1:
- ParentImage|endswith:
- - '\java.exe'
- - '\javaw.exe'
- ParentImage|contains:
- - '-tomcat-'
- - '\tomcat'
- selection_webserver_characteristics_tomcat2:
- ParentImage|endswith:
- - '\java.exe'
- - '\javaw.exe'
- CommandLine|contains:
- - 'catalina.jar'
- - 'CATALINA_HOME'
- # Suspicious child processes
- selection_child_1:
- # Process dumping
- CommandLine|contains|all:
- - 'rundll32'
- - 'comsvcs.dll'
- selection_child_2:
- # Winrar exfil
- CommandLine|contains|all:
- - ' -hp'
- - ' a '
- - ' -m'
- selection_child_3:
- # User add
- CommandLine|contains|all:
- - 'net'
- - ' user '
- - ' /add'
- selection_child_4:
- CommandLine|contains|all:
- - 'net'
- - ' localgroup '
- - ' administrators '
- - '/add'
- selection_child_5:
- Image|endswith:
- # Credential stealing
- - '\ntdsutil.exe'
- # AD recon
- - '\ldifde.exe'
- - '\adfind.exe'
- # Process dumping
- - '\procdump.exe'
- - '\Nanodump.exe'
- # Destruction / ransom groups
- - '\vssadmin.exe'
- - '\fsutil.exe'
- selection_child_6:
- # SUspicious patterns
- CommandLine|contains:
- - ' -NoP ' # Often used in malicious PowerShell commands
- - ' -W Hidden ' # Often used in malicious PowerShell commands
- - ' -decode ' # Used with certutil
- - ' /decode ' # Used with certutil
- - 'reg save ' # save registry SAM - syskey extraction
- - '.downloadstring(' # PowerShell download command
- - '.downloadfile(' # PowerShell download command
- - 'FromBase64String' # PowerShell encoded payload
- - ' /ticket:' # Rubeus
- - ' sekurlsa' # Mimikatz
- - '.dmp full' # Process dumping method apart from procdump
- - 'process call create' # WMIC process creation
- - 'whoami /priv'
- condition: 1 of selection_webserver* and 1 of selection_child*
+ selection_webserver_image:
+ ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ - '\caddy.exe'
+ - '\ws_tomcatservice.exe'
+ selection_webserver_characteristics_tomcat1:
+ ParentImage|endswith:
+ - '\java.exe'
+ - '\javaw.exe'
+ ParentImage|contains:
+ - '-tomcat-'
+ - '\tomcat'
+ selection_webserver_characteristics_tomcat2:
+ ParentImage|endswith:
+ - '\java.exe'
+ - '\javaw.exe'
+ CommandLine|contains:
+ - 'catalina.jar'
+ - 'CATALINA_HOME'
+ # Suspicious child processes
+ selection_child_1:
+ # Process dumping
+ CommandLine|contains|all:
+ - 'rundll32'
+ - 'comsvcs'
+ selection_child_2:
+ # Winrar exfil
+ CommandLine|contains|all:
+ - ' -hp'
+ - ' a '
+ - ' -m'
+ selection_child_3:
+ # User add
+ CommandLine|contains|all:
+ - 'net'
+ - ' user '
+ - ' /add'
+ selection_child_4:
+ CommandLine|contains|all:
+ - 'net'
+ - ' localgroup '
+ - ' administrators '
+ - '/add'
+ selection_child_5:
+ Image|endswith:
+ # Credential stealing
+ - '\ntdsutil.exe'
+ # AD recon
+ - '\ldifde.exe'
+ - '\adfind.exe'
+ # Process dumping
+ - '\procdump.exe'
+ - '\Nanodump.exe'
+ # Destruction / ransom groups
+ - '\vssadmin.exe'
+ - '\fsutil.exe'
+ selection_child_6:
+ # SUspicious patterns
+ CommandLine|contains:
+ - ' -NoP ' # Often used in malicious PowerShell commands
+ - ' -W Hidden ' # Often used in malicious PowerShell commands
+ - ' -decode ' # Used with certutil
+ - ' /decode ' # Used with certutil
+ - 'reg save ' # save registry SAM - syskey extraction
+ - '.downloadstring(' # PowerShell download command
+ - '.downloadfile(' # PowerShell download command
+ - 'FromBase64String' # PowerShell encoded payload
+ - ' /ticket:' # Rubeus
+ - ' sekurlsa' # Mimikatz
+ - '.dmp full' # Process dumping method apart from procdump
+ - 'process call create' # WMIC process creation
+ - 'whoami /priv'
+ condition: 1 of selection_webserver* and 1 of selection_child*
 falsepositives:
- - Unlikely
+ - Unlikely
 level: high
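Review bot: The re-indentation of the whole detection block from four spaces to two rewrites every line between `detection:` and `condition:`, so the single behavioural change in the hunk — `- 'comsvcs'` replacing `- 'comsvcs.dll'` in selection_child_1 — is hard to locate in review and will be invisible to blame later; keeping whitespace-only churn in its own commit would leave this hunk with one meaningful line. Since those lines are being rewritten anyway, the comment `# SUspicious patterns` above selection_child_6 could be corrected to `# Suspicious patterns`. The rule's `description:` line starts before the hunk.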