From a6b24da6dddbffff9dda4d8782d56fb3a91d4991 Mon Sep 17 00:00:00 2001
From: darkquasar
Date: Mon, 28 Oct 2019 22:07:26 -0700
Subject: [PATCH 1/7] Adding rule Suspicious In-Memory Module Execution
---
.../sysmon_in_memory_assembly_execution.yml | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
diff --git a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml b/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
new file mode 100644
index 000000000..e83e22ac4
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
@@ -0,0 +1,36 @@
+title: Suspicious In-Memory Module Execution
+description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
+status: experimental
+date: 27/10/2019
+author: Perez Diego (@darkquassar), oscd.community
+references:
+ - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+tags:
+ - attack.privilege_escalation
+ - attack.T1055
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection_01:
+ EventID: 10
+ CallTrace:
+ - "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)"
+ - "*UNKNOWN(*)|UNKNOWN(*)"
+ selection_02:
+ EventID: 10
+ CallTrace: "*UNKNOWN*"
+ granted_access:
+ GrantedAccess:
+ - "0x1F0FFF"
+ - "0x1F1FFF"
+ - "0x143A"
+ - "0x1410"
+ - "0x1010"
+ - "0x1F2FFF"
+ - "0x1F3FFF"
+ - "0x1FFFFF"
+ condition: selection_01 OR (selection_02 AND granted_access)
+level: critical
+falsepositives:
+ - Low
From 551d3d653c4f8795ecbcfd4fbc74615a98da41e6 Mon Sep 17 00:00:00 2001
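Review bot: `selection_02` matches any EventID 10 whose `CallTrace` contains `UNKNOWN` anywhere, and `granted_access` includes read/query-only masks such as `0x1010` and `0x1410` that benign process-inspection software (endpoint agents, monitoring tools) typically requests, so the second branch of the condition is far broader than the "ntdll.dll --> kernelbase.dll --> unknown" scenario the description argues for; JIT-compiled .NET frames also surface as `UNKNOWN` in Sysmon call traces, so managed hosts are likely to fire at `level: critical`. Consider scoping `selection_02` with a `SourceImage`/`TargetImage` constraint or a filter for known managed hosts, and stating in the description why the `0x1010`/`0x1410` masks are included. Separately, `date: 27/10/2019` is day-first while the repository's existing rule in this series uses `date: 2019/02/11` and the later patches add `modified: 2019/11/13`; the two other new rules in this series (patches 2 and 3) use the same day-first format and should be changed with it. `falsepositives: - Low` names a likelihood rather than a false-positive source; `- Unknown` or a concrete source matches the other rules here.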
From: darkquasar
Date: Mon, 28 Oct 2019 22:11:55 -0700
Subject: [PATCH 2/7] Dumping Lsass.exe memory with MiniDumpWriteDump API
---
.../sysmon/sysmon_minidumwritedump_lsass.yml | 56 +++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
diff --git a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
new file mode 100644
index 000000000..8a378b542
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
@@ -0,0 +1,56 @@
+title: Dumping Lsass.exe memory with MiniDumpWriteDump API
+status: experimental
+description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
+date: 27/10/2019
+author: Perez Diego (@darkquassar), oscd.community
+references:
+ - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+ - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+ - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+tags:
+ - attack.credential_access
+ - attack.T1003
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ signedprocess:
+ EventID: 7
+ ImageLoaded:
+ - C:\Windows\System32\dbghelp.dll
+ - C:\Windows\System32\dbgcore.dll
+ Image:
+ - '*msbuild.exe*'
+ - '*cmd.exe*'
+ - '*svchost.exe*'
+ - '*rundll32.exe*'
+ - '*powershell.exe*'
+ - '*word.exe*'
+ - '*excel.exe*'
+ - '*powerpnt.exe*'
+ - '*outlook.exe*'
+ - '*monitoringhost.exe*'
+ - '*wmic.exe*'
+ - '*msiexec.exe*'
+ - '*bash.exe*'
+ - '*wscript.exe*'
+ - '*cscript.exe*'
+ - '*mshta.exe*'
+ - '*regsvr32.exe*'
+ - '*schtasks.exe*'
+ - '*dnx.exe*'
+ - '*regsvcs.exe*'
+ - '*sc.exe*'
+ - '*scriptrunner.exe*'
+ unsignedprocess:
+ EventID: 7
+ ImageLoaded:
+ - C:\Windows\System32\dbghelp.dll
+ - C:\Windows\System32\dbgcore.dll
+ Signed: "FALSE"
+ filter:
+ ImageLoaded: "*Visual Studio*"
+ condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
+falsepositives:
+ - Penetration tests
+level: critical
From 96643b544617db4b1af81d84e9bcd5a12a7c4729 Mon Sep 17 00:00:00 2001
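Review bot: Nothing in `signedprocess` or `unsignedprocess` ties the event to lsass.exe: the rule fires on any EventID 7 load of dbghelp.dll or dbgcore.dll by one of the listed images, whether or not MiniDumpWriteDump is ever called and whatever the target process, so the title and `level: critical` promise more than the logic can observe. A Sigma rule cannot correlate the DLL load with a later EventID 10 access to lsass, so either retitle and describe the rule as "unexpected process loads a debug-help DLL" with lsass dumping as the motivating case, or add a companion EventID 10 rule keyed on `TargetImage|endswith: '\lsass.exe'`. The description also has typos worth fixing in the same commit, `tradecract` and `SilentTrynity` (the first rule in this series spells it `SilentTrinity`).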
From: darkquasar
Date: Mon, 28 Oct 2019 22:12:57 -0700
Subject: [PATCH 3/7] New rule Suspicious Remote Thread Created
---
.../sysmon_suspicious_remote_thread.yml | 75 +++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
new file mode 100644
index 000000000..f866ca721
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
@@ -0,0 +1,75 @@
+title: Suspicious Remote Thread Created
+description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
+notes:
+ - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
+status: experimental
+date: 27/10/2019
+author: Perez Diego (@darkquassar), oscd.community
+references:
+ - Personal research, statistical analysis
+ - https://lolbas-project.github.io
+logsource:
+ product: windows
+ service: sysmon
+tags:
+ - attack.privilege_escalation
+ - attack.T1055
+detection:
+ selection:
+ EventID: 8
+ SourceImage:
+ - '*msbuild.exe*'
+ - '*powershell.exe*'
+ - '*word.exe*'
+ - '*excel.exe*'
+ - '*powerpnt.exe*'
+ - '*outlook.exe*'
+ - '*mspaint.exe*'
+ - '*winscp.exe*'
+ - '*w3wp.exe*'
+ - '*ping.exe*'
+ - '*taskhost.exe*'
+ - '*monitoringhost.exe*'
+ - '*wmic.exe*'
+ - '*find.exe*'
+ - '*findstr.exe*'
+ - '*smartscreen.exe*'
+ - '*gpupdate.exe*'
+ - '*iexplore.exe*'
+ - '*explorer.exe*'
+ - '*sapcimc.exe*'
+ - '*msiexec.exe*'
+ - '*git.exe*'
+ - '*vssvc.exe*'
+ - '*vssadmin.exe*'
+ - '*lync.exe*'
+ - '*python.exe*'
+ - '*provtool.exe*'
+ - '*robocopy.exe*'
+ - '*userinit.exe*'
+ - '*runonce.exe*'
+ - '*winlogon.exe*'
+ - '*defrag.exe*'
+ - '*bash.exe*'
+ - '*spoolsv.exe*'
+ - '*cvtres.exe*'
+ - '*esentutl.exe*'
+ - '*wscript.exe*'
+ - '*expand.exe*'
+ - '*forfiles.exe*'
+ - '*hh.exe*'
+ - '*installutil.exe*'
+ - '*makecab.exe*'
+ - '*mshta.exe*'
+ - '*regsvr32.exe*'
+ - '*schtasks.exe*'
+ - '*dnx.exe*'
+ - '*mDNSResponder.exe*'
+ - '*tstheme.exe*'
+ filter:
+ SourceImage:
+ - "*Visual Studio*"
+ condition: selection AND NOT filter
+level: high
+falsepositives:
+ - Unknown
From cb6eb35913362f97309bbc900598974f57c3aa82 Mon Sep 17 00:00:00 2001
From: darkquasar
Date: Mon, 28 Oct 2019 22:14:14 -0700
Subject: [PATCH 4/7] adding some more suspicious PS keywords found in multiple internally analyzed malicious scripts (in the wild and as result of engagements)
---
.../powershell/powershell_suspicious_keywords.yml | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index 42acef2ad..21a193193 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
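Review bot: The description claims a low false-positive ratio, but `falsepositives:` says `Unknown`, `level: high`, and the `SourceImage` list goes well beyond the office/LOLBin set the description argues for, taking in long-lived session and system processes (`explorer.exe`, `winlogon.exe`, `userinit.exe`, `spoolsv.exe`) and `iexplore.exe`, which is likely to create threads in its own tab processes; `references: - Personal research, statistical analysis` gives a reviewer nothing to verify that baseline against. Either trim the list to what was actually baselined, or add a `TargetImage` constraint so EventID 8 between a process and its own children does not match, and name the expected benign sources under `falsepositives`. `notes:` is not a key the other rules in this series use; its MonitoringHost.exe sentence belongs in `description`. The day-first `date:` format raised on the first rule applies here as well.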
@@ -2,19 +2,26 @@ title: Suspicious PowerShell Keywords
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
-author: Florian Roth
+author: Florian Roth, Perez Diego (@darkquassar)
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
+ - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
+ - https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: powershell
- definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+ definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
detection:
keywords:
- - System.Reflection.Assembly.Load
+ - "System.Reflection.Assembly.Load"
+ - "[Reflection.Assembly]::Load"
+ - "System.Reflection.AssemblyName"
+ - "Reflection.Emit.AssemblyBuilderAccess"
+ - "Runtime.InteropServices.DllImportAttribute"
+ - "SuspendThread"
condition: keywords
falsepositives:
- Penetration tests
From 5f027e97c208190168797bc6555c6dadd24540e0 Mon Sep 17 00:00:00 2001
From: darkquasar
Date: Sun, 3 Nov 2019 20:35:58 -0800
Subject: [PATCH 5/7] fixing as as per comment on rule https://github.com/Neo23x0/sigma/pull/505#discussion_r340790327
---
rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
index 8a378b542..50331ac09 100644
--- a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
+++ b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
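Review bot: `"[Reflection.Assembly]::Load"` in a `keywords` list is a substring match, so it also hits `[Reflection.Assembly]::LoadWithPartialName` and `::LoadFrom`, which ordinary administrative scripts and modules use routinely, and `"SuspendThread"` on its own is a generic Win32 API name rather than a tradecraft indicator; with `condition: keywords` and no filter these two entries widen the rule far beyond the reflective-PE-injection references that motivated them. Consider the fuller signatures the referenced scripts actually contain (for instance `"[Reflection.Assembly]::Load("` with the opening parenthesis, which no longer matches the `LoadWithPartialName` form) and extending `falsepositives` beyond `Penetration tests` to name administrative scripting and module loaders. The `modified:` date the later patches add to the other rules is missing here too.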
@@ -49,7 +49,7 @@ detection:
- C:\Windows\System32\dbgcore.dll
Signed: "FALSE"
filter:
- ImageLoaded: "*Visual Studio*"
+ Image: "*Visual Studio*"
condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
falsepositives:
- Penetration tests
From 1e75979a2a040df0ff7481d70556d0f1f53c81f3 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Thu, 14 Nov 2019 00:32:06 +0300
Subject: [PATCH 6/7] Update sysmon_minidumwritedump_lsass.yml
---
.../sysmon/sysmon_minidumwritedump_lsass.yml | 61 ++++++++++---------
1 file changed, 31 insertions(+), 30 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
index 50331ac09..6a17f0d23 100644
--- a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
+++ b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
@@ -2,6 +2,7 @@ title: Dumping Lsass.exe memory with MiniDumpWriteDump API
status: experimental
description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
date: 27/10/2019
+modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
@@ -16,40 +17,40 @@ logsource:
detection:
signedprocess:
EventID: 7
- ImageLoaded:
- - C:\Windows\System32\dbghelp.dll
- - C:\Windows\System32\dbgcore.dll
- Image:
- - '*msbuild.exe*'
- - '*cmd.exe*'
- - '*svchost.exe*'
- - '*rundll32.exe*'
- - '*powershell.exe*'
- - '*word.exe*'
- - '*excel.exe*'
- - '*powerpnt.exe*'
- - '*outlook.exe*'
- - '*monitoringhost.exe*'
- - '*wmic.exe*'
- - '*msiexec.exe*'
- - '*bash.exe*'
- - '*wscript.exe*'
- - '*cscript.exe*'
- - '*mshta.exe*'
- - '*regsvr32.exe*'
- - '*schtasks.exe*'
- - '*dnx.exe*'
- - '*regsvcs.exe*'
- - '*sc.exe*'
- - '*scriptrunner.exe*'
+ ImageLoaded|endswith:
+ - '\dbghelp.dll'
+ - '\dbgcore.dll'
+ Image|endswith:
+ - '\msbuild.exe'
+ - '\cmd.exe'
+ - '\svchost.exe'
+ - '\rundll32.exe'
+ - '\powershell.exe'
+ - '\word.exe'
+ - '\excel.exe'
+ - '\powerpnt.exe'
+ - '\outlook.exe'
+ - '\monitoringhost.exe'
+ - '\wmic.exe'
+ - '\msiexec.exe'
+ - '\bash.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ - '\regsvr32.exe'
+ - '\schtasks.exe'
+ - '\dnx.exe'
+ - '\regsvcs.exe'
+ - '\sc.exe'
+ - '\scriptrunner.exe'
unsignedprocess:
EventID: 7
- ImageLoaded:
- - C:\Windows\System32\dbghelp.dll
- - C:\Windows\System32\dbgcore.dll
+ ImageLoaded|endswith:
+ - '\dbghelp.dll'
+ - '\dbgcore.dll'
Signed: "FALSE"
filter:
- Image: "*Visual Studio*"
+ Image|contains: 'Visual Studio'
condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
falsepositives:
- Penetration tests
From 3cd1abd0a1e0cb0303a7295b8620a27d89d3b879 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Thu, 14 Nov 2019 00:34:09 +0300
Subject: [PATCH 7/7] Update sysmon_suspicious_remote_thread.yml
---
.../sysmon_suspicious_remote_thread.yml | 102 +++++++++---------
1 file changed, 51 insertions(+), 51 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
index f866ca721..c585b2eee 100644
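Review bot: `Image|endswith: '\word.exe'` no longer matches Microsoft Word, whose executable is `winword.exe`; the previous `'*word.exe*'` wildcard matched it as a substring, so this conversion silently drops Word from the `signedprocess` list and the entry should read `'\winword.exe'`. The same `'\word.exe'` entry is produced by the `SourceImage|endswith` conversion in the next patch (sysmon_suspicious_remote_thread.yml) and needs the same fix. Dropping the `C:\Windows\System32\` prefix from `ImageLoaded|endswith` is a reasonable broadening, since a copy of dbghelp.dll or dbgcore.dll loaded from any path now counts, but it changes what the rule matches and deserves a sentence in `description` alongside the new `modified:` date.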
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
@@ -4,6 +4,7 @@ notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 27/10/2019
+modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
- Personal research, statistical analysis
@@ -17,58 +18,57 @@ tags:
detection:
selection:
EventID: 8
- SourceImage:
- - '*msbuild.exe*'
- - '*powershell.exe*'
- - '*word.exe*'
- - '*excel.exe*'
- - '*powerpnt.exe*'
- - '*outlook.exe*'
- - '*mspaint.exe*'
- - '*winscp.exe*'
- - '*w3wp.exe*'
- - '*ping.exe*'
- - '*taskhost.exe*'
- - '*monitoringhost.exe*'
- - '*wmic.exe*'
- - '*find.exe*'
- - '*findstr.exe*'
- - '*smartscreen.exe*'
- - '*gpupdate.exe*'
- - '*iexplore.exe*'
- - '*explorer.exe*'
- - '*sapcimc.exe*'
- - '*msiexec.exe*'
- - '*git.exe*'
- - '*vssvc.exe*'
- - '*vssadmin.exe*'
- - '*lync.exe*'
- - '*python.exe*'
- - '*provtool.exe*'
- - '*robocopy.exe*'
- - '*userinit.exe*'
- - '*runonce.exe*'
- - '*winlogon.exe*'
- - '*defrag.exe*'
- - '*bash.exe*'
- - '*spoolsv.exe*'
- - '*cvtres.exe*'
- - '*esentutl.exe*'
- - '*wscript.exe*'
- - '*expand.exe*'
- - '*forfiles.exe*'
- - '*hh.exe*'
- - '*installutil.exe*'
- - '*makecab.exe*'
- - '*mshta.exe*'
- - '*regsvr32.exe*'
- - '*schtasks.exe*'
- - '*dnx.exe*'
- - '*mDNSResponder.exe*'
- - '*tstheme.exe*'
+ SourceImage|endswith:
+ - '\msbuild.exe'
+ - '\powershell.exe'
+ - '\word.exe'
+ - '\excel.exe'
+ - '\powerpnt.exe'
+ - '\outlook.exe'
+ - '\mspaint.exe'
+ - '\winscp.exe'
+ - '\w3wp.exe*'
+ - '\ping.exe'
+ - '\taskhost.exe'
+ - '\monitoringhost.exe'
+ - '\wmic.exe'
+ - '\find.exe'
+ - '\findstr.exe'
+ - '\smartscreen.exe'
+ - '\gpupdate.exe'
+ - '\iexplore.exe'
+ - '\explorer.exe'
+ - '\sapcimc.exe'
+ - '\msiexec.exe'
+ - '\git.exe'
+ - '\vssvc.exe'
+ - '\vssadmin.exe'
+ - '\lync.exe'
+ - '\python.exe'
+ - '\provtool.exe'
+ - '\robocopy.exe'
+ - '\userinit.exe'
+ - '\runonce.exe'
+ - '\winlogon.exe'
+ - '\defrag.exe'
+ - '\bash.exe'
+ - '\spoolsv.exe'
+ - '\cvtres.exe'
+ - '\esentutl.exe'
+ - '\wscript.exe'
+ - '\expand.exe'
+ - '\forfiles.exe'
+ - '\hh.exe'
+ - '\installutil.exe'
+ - '\makecab.exe'
+ - '\mshta.exe'
+ - '\regsvr32.exe'
+ - '\schtasks.exe'
+ - '\dnx.exe'
+ - '\mDNSResponder.exe'
+ - '\tstheme.exe'
filter:
- SourceImage:
- - "*Visual Studio*"
+ SourceImage|contains: 'Visual Studio'
condition: selection AND NOT filter
level: high
falsepositives:
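Review bot: `'\w3wp.exe*'` keeps a trailing wildcard that every other entry dropped when the field became `SourceImage|endswith`; sigmac still interprets `*` inside a modified value, so this one entry turns into a contains-style match instead of an endswith and is inconsistent with the rest of the list, and it should read `'\w3wp.exe'`. `'\word.exe'` in the same list has the `winword.exe` problem noted on the previous patch of this series. The hunk's trailing context ends at `falsepositives:`; the `- Unknown` entry below it is unchanged.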