Merge pull request #505 from darkquasar/master
Adding rule Suspicious In-Memory Module Execution
@@ -2,20 +2,27 @@ title: Suspicious PowerShell Keywords
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
author: Florian Roth
author: Florian Roth, Perez Diego (@darkquassar)
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
detection:
keywords:
Message:
- "*[System.Reflection.Assembly]::Load*"
Message:
- "System.Reflection.Assembly.Load"
- "[System.Reflection.Assembly]::Load"
- "[Reflection.Assembly]::Load"
- "System.Reflection.AssemblyName"
- "Reflection.Emit.AssemblyBuilderAccess"
- "Runtime.InteropServices.DllImportAttribute"
- "SuspendThread"
condition: keywords
falsepositives:
- Penetration tests
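Review bot: dropping the `*` wildcards from the `Message` values (old `"*[System.Reflection.Assembly]::Load*"`, new `"[System.Reflection.Assembly]::Load"` and the other entries) turns a substring match into an exact match on the whole Message field of EventID 4104, which a script block text will never equal, so the rule as changed matches nothing; keep the wildcards or write the list as `Message|contains:`. Separately, `SuspendThread`, `System.Reflection.AssemblyName` and `Runtime.InteropServices.DllImportAttribute` appear in ordinary PowerShell modules that use P/Invoke, so `falsepositives: - Penetration tests` undersells the noise these additions bring; and since the detection content changed, add a `modified:` date next to `date: 2019/02/11`.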
@@ -0,0 +1,36 @@
title: Suspicious In-Memory Module Execution
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 27/10/2019
author: Perez Diego (@darkquassar), oscd.community
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
tags:
- attack.privilege_escalation
- attack.T1055
logsource:
product: windows
service: sysmon
detection:
selection_01:
EventID: 10
CallTrace:
- "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)"
- "*UNKNOWN(*)|UNKNOWN(*)"
selection_02:
EventID: 10
CallTrace: "*UNKNOWN*"
granted_access:
GrantedAccess:
- "0x1F0FFF"
- "0x1F1FFF"
- "0x143A"
- "0x1410"
- "0x1010"
- "0x1F2FFF"
- "0x1F3FFF"
- "0x1FFFFF"
condition: selection_01 OR (selection_02 AND granted_access)
level: critical
falsepositives:
- Low
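Review bot: `date: 27/10/2019` is DD/MM/YYYY while every other date on this page uses the Sigma YYYY/MM/DD form (`2019/02/11`, `2019/11/13`); use `2019/10/27`. `falsepositives: - Low` states a rate rather than a source; name the benign producers of `UNKNOWN` frames (JIT-compiled .NET code in a host process is the usual one) or put `Unknown`. `attack.T1055` should be lower-case `attack.t1055` to match the `attack.t1086` convention used above. Finally, the `selection_02` branch pairs a bare `CallTrace: "*UNKNOWN*"` with access masks as common as `0x1010` and `0x1410`, which is broad for `level: critical`; either tighten that branch or lower the level and let `selection_01` carry the critical case.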
@@ -0,0 +1,57 @@
title: Dumping Lsass.exe memory with MiniDumpWriteDump API
status: experimental
description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
date: 27/10/2019
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
tags:
- attack.credential_access
- attack.T1003
logsource:
product: windows
service: sysmon
detection:
signedprocess:
EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\msbuild.exe'
- '\cmd.exe'
- '\svchost.exe'
- '\rundll32.exe'
- '\powershell.exe'
- '\word.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\outlook.exe'
- '\monitoringhost.exe'
- '\wmic.exe'
- '\msiexec.exe'
- '\bash.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\dnx.exe'
- '\regsvcs.exe'
- '\sc.exe'
- '\scriptrunner.exe'
unsignedprocess:
EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: "FALSE"
filter:
Image|contains: 'Visual Studio'
condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
falsepositives:
- Penetration tests
level: critical
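Review bot: the logic keys on Sysmon EventID 7 image loads of `\dbghelp.dll` / `\dbgcore.dll`, not on a `MiniDumpWriteDump` call, so the title and the description's "Detects the use of MiniDumpWriteDump API" claim more than the rule can observe; say it detects the listed processes (or any unsigned image) loading the DLLs that export that API. The `unsignedprocess` branch fires for every unsigned image loading `dbghelp.dll`, which at `level: critical` will be noisy; give that branch a lower level or narrow it. The condition `(signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)` simplifies to `(signedprocess OR unsignedprocess) AND NOT filter`. `date: 27/10/2019` and `modified: 2019/11/13` mix two date formats within one rule; use `2019/10/27`. Two typos in the description: "tradecract" should read "tradecraft", and "SilentTrynity" should read "SilentTrinity" as in the previous rule.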
@@ -0,0 +1,75 @@
title: Suspicious Remote Thread Created
description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 27/10/2019
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
- Personal research, statistical analysis
- https://lolbas-project.github.io
logsource:
product: windows
service: sysmon
tags:
- attack.privilege_escalation
- attack.T1055
detection:
selection:
EventID: 8
SourceImage|endswith:
- '\msbuild.exe'
- '\powershell.exe'
- '\word.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\outlook.exe'
- '\mspaint.exe'
- '\winscp.exe'
- '\w3wp.exe*'
- '\ping.exe'
- '\taskhost.exe'
- '\monitoringhost.exe'
- '\wmic.exe'
- '\find.exe'
- '\findstr.exe'
- '\smartscreen.exe'
- '\gpupdate.exe'
- '\iexplore.exe'
- '\explorer.exe'
- '\sapcimc.exe'
- '\msiexec.exe'
- '\git.exe'
- '\vssvc.exe'
- '\vssadmin.exe'
- '\lync.exe'
- '\python.exe'
- '\provtool.exe'
- '\robocopy.exe'
- '\userinit.exe'
- '\runonce.exe'
- '\winlogon.exe'
- '\defrag.exe'
- '\bash.exe'
- '\spoolsv.exe'
- '\cvtres.exe'
- '\esentutl.exe'
- '\wscript.exe'
- '\expand.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\installutil.exe'
- '\makecab.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\dnx.exe'
- '\mDNSResponder.exe'
- '\tstheme.exe'
filter:
SourceImage|contains: 'Visual Studio'
condition: selection AND NOT filter
level: high
falsepositives:
- Unknown
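Review bot: `'\w3wp.exe*'` under `SourceImage|endswith` carries a trailing `*` that the other entries do not; with the endswith modifier the value already gets a leading wildcard, so the extra `*` is interpreted as a wildcard and that entry no longer matches only images ending in `\w3wp.exe`; change it to `'\w3wp.exe'`. `notes:` is not a Sigma top-level field and will be ignored or rejected by the tooling; fold the MonitoringHost.exe remark into `description`. `- Personal research, statistical analysis` is not a reference a reader can follow; drop it or point to the data. As in the other new rules, `date: 27/10/2019` should be `2019/10/27`, and `attack.T1055` should be lower-case `attack.t1055`. The description promises a low FP ratio while `falsepositives:` says `Unknown`; list the benign sources you observed so that claim is testable.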