From f98279bf1fccc771785650ac93dd981fd5712440 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 27 Apr 2022 17:36:57 +0200 Subject: [PATCH 1/3] rule: Cube0x0 tools --- .../proc_creation_win_hack_cube0x0_tools.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml diff --git a/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml b/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml new file mode 100644 index 000000000..bfbd584b7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml @@ -0,0 +1,18 @@ +title: Hacktool by Cube0x0 +id: 37c1333a-a0db-48be-b64b-7393b2386e3b +status: experimental +description: Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.) +author: Florian Roth +references: + - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files +date: 2022/04/27 +logsource: + category: process_creation + product: windows +detection: + selection_company: # in case the file has been renamed after compilation + Company: 'Cube0x0' + condition: selection +falsepositives: + - Unlikely +level: high From e237560c07fb31efd18e989ad2c4105918a39804 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 27 Apr 2022 17:37:10 +0200 Subject: [PATCH 2/3] rule: KrbRelay --- .../proc_creation_win_hack_krbrelay.yml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml diff --git a/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml b/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml new file mode 100644 index 000000000..a3e7fb14f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml @@ -0,0 +1,38 @@ +title: KrbRelay Hack Tool +id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4 +status: experimental +description: Detects the use of KrbRelay, a Kerberos relaying tool +author: Florian Roth +references: + - https://github.com/cube0x0/KrbRelay +date: 2022/04/27 +logsource: + category: process_creation + product: windows +detection: + selection_name: + Image|endswith: '\KrbRelay.exe' + selection_original_name: # in case the file has been renamed after compilation + OriginalFilename: 'KrbRelay.exe' + selection_flags1: + CommandLine|contains|all: + - ' -spn ' + - ' -clsid ' + - ' -rbcd ' + selection_flags2: + CommandLine|contains|all: + - 'shadowcred' + - 'clsid' + - 'spn' + selection_flags3: + CommandLine|contains|all: + - 'spn ' + - 'session ' + - 'clsid ' + condition: 1 of selection* +falsepositives: + - Unlikely +level: high +tags: + - attack.credential_access + - attack.t1558.003 From 7e3064e032f387e50c46487c80c10528a3ba0600 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 27 Apr 2022 17:39:01 +0200 Subject: [PATCH 3/3] fix: selection identifier --- .../process_creation/proc_creation_win_hack_cube0x0_tools.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml b/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml index bfbd584b7..0e99f10a7 100644 --- a/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml +++ b/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml @@ -4,13 +4,14 @@ status: experimental description: Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.) author: Florian Roth references: + - https://github.com/cube0x0 - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files date: 2022/04/27 logsource: category: process_creation product: windows detection: - selection_company: # in case the file has been renamed after compilation + selection: Company: 'Cube0x0' condition: selection falsepositives: