From 5c792b86d72cb3e05b29fbe02d830031a4a8fbb3 Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 23 Mar 2023 18:14:06 -0300 Subject: [PATCH] [RTA] Adds RTAs for endpoint rules (#2621) * [RTA] Adds RTAs for endpoint rules * Update exec_cscript_archive_args.py * Review RTAs 1/2 * Update suspicious_msiexec_child.py * Update rta/exec_cscript_archive_args.py Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- rta/exec_cscript_archive_args.py | 41 +++++++++++++++++++++ rta/exec_dnguard_program.py | 43 ++++++++++++++++++++++ rta/exec_java_via_scripting.py | 49 ++++++++++++++++++++++++++ rta/exec_msiexec_dllregisterserver.py | 31 ++++++++++++++++ rta/exec_shortcut_embedded_obj.py | 44 +++++++++++++++++++++++ rta/exec_vs_prebuildevent.py | 40 +++++++++++++++++++++ rta/exec_vsls_agent.py | 35 ++++++++++++++++++ rta/file_ms_template_macros.py | 32 +++++++++++++++++ rta/file_script_startup_folder.py | 42 ++++++++++++++++++++++ rta/file_susp_browser_extension.py | 36 +++++++++++++++++++ rta/image_load_taskhost.py | 47 ++++++++++++++++++++++++ rta/image_load_vaultcli.py | 45 +++++++++++++++++++++++ rta/msoffice_addins_file.py | 34 ++++++++++++++++++ rta/reg_mod_ifeo.py | 36 +++++++++++++++++++ rta/reg_mod_unusual_startup_folder.py | 35 ++++++++++++++++++ rta/suspicious_msiexec_child.py | 40 +++++++++++++++++++++ rta/uac_windir_masq.py | 33 +++++++++++++++++ rta/unusual_parent_chrome_extension.py | 35 ++++++++++++++++++ 18 files changed, 698 insertions(+) create mode 100644 rta/exec_cscript_archive_args.py create mode 100644 rta/exec_dnguard_program.py create mode 100644 rta/exec_java_via_scripting.py create mode 100644 rta/exec_msiexec_dllregisterserver.py create mode 100644 rta/exec_shortcut_embedded_obj.py create mode 100644 rta/exec_vs_prebuildevent.py create mode 100644 rta/exec_vsls_agent.py create mode 100644 rta/file_ms_template_macros.py create mode 100644 
rta/file_script_startup_folder.py
create mode 100644 rta/file_susp_browser_extension.py
create mode 100644 rta/image_load_taskhost.py
create mode 100644 rta/image_load_vaultcli.py
create mode 100644 rta/msoffice_addins_file.py
create mode 100644 rta/reg_mod_ifeo.py
create mode 100644 rta/reg_mod_unusual_startup_folder.py
create mode 100644 rta/suspicious_msiexec_child.py
create mode 100644 rta/uac_windir_masq.py
create mode 100644 rta/unusual_parent_chrome_extension.py
diff --git a/rta/exec_cscript_archive_args.py b/rta/exec_cscript_archive_args.py
new file mode 100644
index 000000000..3c0e65783
--- /dev/null
+++ b/rta/exec_cscript_archive_args.py
@@ -0,0 +1,41 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="4aa158f6-39ed-456f-9d8a-849052cce2f5",
+ platforms=["windows"],
+ endpoint=[
+ {'rule_id': '816e1e39-e1a3-4935-9b7b-18395d244670', 'rule_name': 'Windows Script Execution from Archive File'},
+ {'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
+ {'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'},
+ {'rule_id': '23e29d07-7584-465e-8a6d-912d9ea254a6', 'rule_name': 'Suspicious Image Load via Windows Scripts'}
+ ],
+ siem=[],
+ techniques=['T1059', 'T1059.007', 'T1566', 'T1566.001'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+RENAMER = common.get_path("bin", "rcedit-x64.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ cscript = "C:\\Users\\Public\\cscript.exe"
+ rcedit = "C:\\Users\\Public\\rcedit.exe"
+ common.copy_file(EXE_FILE, cscript)
+ common.copy_file(RENAMER, rcedit)
+
+ common.log("Modifying the OriginalFileName attribute")
+ common.execute([rcedit, cscript, "--set-version-string", "OriginalFilename", "cscript.exe"])
+
+ common.execute([cscript, "/c", "echo", "C:\\Users\\A\\Temp\\7zip"], timeout=5, kill=True)
+ common.remove_files(cscript)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/exec_dnguard_program.py b/rta/exec_dnguard_program.py
new file mode 100644
index 000000000..1dde467e4
--- /dev/null
+++ b/rta/exec_dnguard_program.py
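Review bot: `common.remove_files(cscript)` at the end of main() leaves the second copied artefact behind — `rcedit` was copied to `C:\Users\Public\rcedit.exe` and is never removed; change the line to `common.remove_files(cscript, rcedit)`. The same incomplete cleanup appears in image_load_taskhost.py (`taskhost1` is copied but not removed) and suspicious_msiexec_child.py (`regsvr32` is copied but not removed). Renamed binaries left in a directory every local user can write to are exactly the residue that confuses later RTA runs and real investigations, so each script should remove everything it copied in.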
@@ -0,0 +1,43 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="db2e6589-d2df-4d9d-9d88-d91af5fd57e9",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': 'e691d379-6d01-43cc-9f1e-ab10df48a6bc',
+ 'rule_name': 'Execution of a DNGUard Protected Program'
+ }],
+ siem=[],
+ techniques=['T1027', 'T1027.002'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ posh = "C:\\Users\\Public\\posh.exe"
+ user32 = "C:\\Windows\\System32\\user32.dll"
+ dll = "C:\\Users\\Public\\HVMRuntm.dll"
+ ps1 = "C:\\Users\\Public\\Invoke-ImageLoad.ps1"
+ common.copy_file(EXE_FILE, posh)
+ common.copy_file(user32, dll)
+ common.copy_file(PS1_FILE, ps1)
+
+ # Execute command
+
+ common.log("Loading DNGUard DLL")
+ common.execute([posh, "-c", f"Import-Module {ps1}; Invoke-ImageLoad {dll}"], timeout=10)
+
+ common.remove_files(posh, dll, ps1)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/exec_java_via_scripting.py b/rta/exec_java_via_scripting.py
new file mode 100644
index 000000000..a53899926
--- /dev/null
+++ b/rta/exec_java_via_scripting.py
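Review bot: The `# Execute command` comment in main(), followed by a blank line, says nothing about why a copy of `user32.dll` is loaded under the name `HVMRuntm.dll`, which is the only non-obvious step in the file. Replace it with a comment that records the intent, e.g. `# Load a benign system DLL under the DNGuard runtime's file name so the image-load rule fires without real DNGuard present` — presumably that is what the rule keys on; confirm against the rule definition. The log line `Loading DNGUard DLL` could likewise mention that the DLL is a renamed user32.dll, which saves the next reader from wondering whether the repo ships a real protector runtime.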
@@ -0,0 +1,49 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+ uuid="a3b26c9e-6910-43f7-93b2-84cc777e54f4",
+ platforms=["windows"],
+ endpoint=[
+ {
+ 'rule_id': '15b1d979-5be0-4e7f-9202-0c4cfd76b146',
+ 'rule_name': 'Suspicious Java Execution via a Windows Script'
+ },
+ {'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
+ {'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'},
+ {'rule_id': '23e29d07-7584-465e-8a6d-912d9ea254a6', 'rule_name': 'Suspicious Image Load via Windows Scripts'}
+ ],
+ siem=[],
+ techniques=['T1059', 'T1059.005', 'T1059.007'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(common.WINDOWS)
+def main():
+ path = "C:\\Program Files\\Java\\jrertaendgametest\\bin\\"
+ argpath = "C:\\\"Program Files\"\\Java\\jrertaendgametest\\bin\\Javafake.exe"
+ cscript = "C:\\Users\\Public\\cscript.exe"
+ executable = path + "Javafake.exe"
+
+ if not os.path.exists(path):
+ os.makedirs(path)
+ else:
+ pass
+ common.copy_file(EXE_FILE, cscript)
+ common.copy_file(EXE_FILE, executable)
+
+ # Execute command
+ common.execute([cscript, "/c", argpath, ("iwr google.com -UseBasicParsing -UserAgent "
+ "'C:\\Users\\Public\\' -SessionVariable '-jar'")], timeout=10)
+ common.remove_files(cscript, executable)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/exec_msiexec_dllregisterserver.py b/rta/exec_msiexec_dllregisterserver.py
new file mode 100644
index 000000000..7f84d5b18
--- /dev/null
+++ b/rta/exec_msiexec_dllregisterserver.py
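Review bot: The `if not os.path.exists(path): os.makedirs(path) else: pass` block in main() is a check-then-create with a dead `else`; the other new files in this commit use `os.makedirs(path, exist_ok=True)`, and this one should too. The `C:\Program Files\Java\jrertaendgametest\bin\` tree it creates is never removed — `common.remove_files(cscript, executable)` deletes only the two files — so every run leaves a fake Java install under Program Files; the same create-without-remove pattern is in file_ms_template_macros.py, file_script_startup_folder.py, file_susp_browser_extension.py and msoffice_addins_file.py. Removing the created directory after the file cleanup (`shutil.rmtree`, or a `common` helper if one exists) fixes it here and in those files. The decorator also uses `common.WINDOWS` where the sibling scripts use `metadata.platforms`; either works, but the commit should settle on one.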
@@ -0,0 +1,31 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="a37316f1-2828-45d2-85ea-1783bb9b9982",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': 'ed77616c-8f97-472b-bb15-532af004e82a',
+ 'rule_name': 'Suspicious DLLRegisterServer Execution via MSIEXEC'
+ }],
+ siem=[],
+ techniques=['T1218', 'T1218.007'],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ msiexec = "C:\\Windows\\System32\\msiexec.exe"
+
+ common.execute([msiexec, "/z"], timeout=5, kill=True)
+ common.remove_files(msiexec)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/exec_shortcut_embedded_obj.py b/rta/exec_shortcut_embedded_obj.py
new file mode 100644
index 000000000..c22618f78
--- /dev/null
+++ b/rta/exec_shortcut_embedded_obj.py
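Review bot: `common.remove_files(msiexec)` at the end of main() targets `C:\Windows\System32\msiexec.exe`, the real system binary — nothing was copied there, so the call is at best a failed delete and, under an elevated prompt, an attempt to remove a Windows component. Drop the line; this script creates no artefacts and needs no cleanup. A one-line comment above `common.execute` stating why `/z` is the argument exercised would also help, since the rule name speaks of DllRegisterServer and the connection is not obvious from the code alone.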
@@ -0,0 +1,44 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="32faebaa-b581-464c-bca9-6936fe0948dc",
+ platforms=["windows"],
+ endpoint=[
+ {
+ 'rule_id': '8076640d-ec66-4d24-a252-ee2f054e00a1',
+ 'rule_name': 'Windows Shortcut File Embedded Object Execution'
+ },
+ {
+ 'rule_id': '9fdd772b-b483-404f-bc02-7ec87e332bec',
+ 'rule_name': 'Embedded Executable via Windows Shortcut File'
+ }
+ ],
+ siem=[],
+ techniques=['T1059', 'T1059.003', 'T1204', 'T1204.001', 'T1204.002', 'T1566', 'T1566.001', 'T1566.002'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(common.WINDOWS)
+def main():
+ cmd = "C:\\Users\\Public\\cmd.exe"
+ rta = "C:\\Users\\Public\\rta.exe"
+ tempfile = "C:\\Users\\Public\\a.txt"
+ common.copy_file(EXE_FILE, cmd)
+ common.copy_file(EXE_FILE, rta)
+
+ # Execute command
+ common.execute([cmd, "/c", f"Copy-Item {EXE_FILE} '{tempfile}'; echo 'finda.a.lnk >1&'; {rta}"],
+ kill=True, timeout=10)
+ common.remove_files(cmd, rta, tempfile)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/exec_vs_prebuildevent.py b/rta/exec_vs_prebuildevent.py
new file mode 100644
index 000000000..04b951b74
--- /dev/null
+++ b/rta/exec_vs_prebuildevent.py
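Review bot: The f-string passed to `common.execute` in main() interpolates `EXE_FILE` into a PowerShell `Copy-Item` without quoting, so a checkout whose path contains a space breaks the command; the destination is quoted but the source is not — write `f"Copy-Item '{EXE_FILE}' '{tempfile}'; echo 'finda.a.lnk >1&'; {rta}"`. The same unquoted `Copy-Item {EXE_FILE} {file}` appears in file_script_startup_folder.py and file_susp_browser_extension.py. Separately, the local name `tempfile` shadows the standard-library module of that name; `txt_path` or similar avoids the confusion. The `# Execute command` comment restates the line below it and would be more useful explaining what the `finda.a.lnk` marker in the command is for.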
@@ -0,0 +1,40 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="c4445d28-fe0f-4822-b0b0-92e188a9ca0e",
+ platforms=["windows"],
+ endpoint=[
+ {
+ 'rule_id': '74be6307-2d15-4c71-8072-fc606f337a51',
+ 'rule_name': 'Execution via MS VisualStudio Pre/Post Build Events'
+ },
+ {'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
+ {'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'}
+ ],
+ siem=[],
+ techniques=['T1127', 'T1127.001'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ msbuild = "C:\\Users\\Public\\msbuild.exe"
+ cmd = "C:\\Users\\Public\\cmd.exe"
+ common.copy_file(EXE_FILE, cmd)
+ common.copy_file(EXE_FILE, msbuild)
+
+ common.execute([msbuild, "/c", cmd, "/c", cmd, "echo C:\\Users\\A\\AppData\\Local\\Temp\\tmpa.exec.cmd"],
+ timeout=10, kill=True)
+ common.remove_files(cmd, msbuild)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/exec_vsls_agent.py b/rta/exec_vsls_agent.py
new file mode 100644
index 000000000..79fa3d2af
--- /dev/null
+++ b/rta/exec_vsls_agent.py
@@ -0,0 +1,35 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="ad0986cb-b5ef-41ad-9b40-8d708dc28844",
+ platforms=["windows"],
+ endpoint=[
+ {
+ 'rule_id': 'a5416b1f-fc3f-4162-936d-34086689c3b0',
+ 'rule_name': 'DLL Execution via Visual Studio Live Share'
+ }
+ ],
+ siem=[],
+ techniques=['T1218'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ vslsagent = "C:\\Users\\Public\\vsls-agent.exe"
+ common.copy_file(EXE_FILE, vslsagent)
+
+ common.execute([vslsagent, "/c", "echo", "--agentExtensionPath"], timeout=5, kill=True)
+ common.remove_files(vslsagent)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/file_ms_template_macros.py b/rta/file_ms_template_macros.py
new file mode 100644
index 000000000..6362b7c9f
--- /dev/null
+++ b/rta/file_ms_template_macros.py
@@ -0,0 +1,32 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+ uuid="858475a2-78a6-40f8-8691-7ce0c631cc0c",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': '608eae71-6797-4ded-bfaa-41bcb17a8498',
+ 'rule_name': 'Office Application Startup via Template File Modification'
+ }],
+ siem=[],
+ techniques=['T1137', 'T1137.001'],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Templates\\"
+ os.makedirs(path, exist_ok=True)
+ file = path + "\\Normal.dotm"
+
+ common.temporary_file_helper("testing", file_name=file)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/file_script_startup_folder.py b/rta/file_script_startup_folder.py
new file mode 100644
index 000000000..3ed6cc4e3
--- /dev/null
+++ b/rta/file_script_startup_folder.py
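Review bot: `path` already ends with a backslash, so `file = path + "\\Normal.dotm"` in main() produces a doubled separator (`Templates\\Normal.dotm`); Windows generally tolerates that, but `os.path.join(path, "Normal.dotm")` is what a reader expects and removes the question of whether the rule's path matching sees the same string. file_script_startup_folder.py has the same `path + "\\a.js"` after a trailing-backslash path. A short comment on `common.temporary_file_helper("testing", file_name=file)` saying that the helper writes and then removes the file would also make the cleanup contract visible — I am inferring that from the name, so confirm it.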
@@ -0,0 +1,42 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+ uuid="b8dcb997-e099-472e-8f2f-15a80c8dfe1a",
+ platforms=["windows"],
+ endpoint=[
+ {
+ 'rule_id': 'dec8781c-ef73-4037-9684-ef28c0322fa4',
+ 'rule_name': 'Script File Written to Startup Folder'
+ },
+ {
+ "rule_name": "Unusual File Written or Modified in Startup Folder",
+ "rule_id": "30a90136-7831-41c3-a2aa-1a303c1186ac",
+ }
+ ],
+ siem=[],
+ techniques=['T1547', 'T1547.001'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ proc = "C:\\Users\\Public\\proc.exe"
+ path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\"
+ file = path + "\\a.js"
+ common.copy_file(EXE_FILE, proc)
+ os.makedirs(path, exist_ok=True)
+
+ common.execute([proc, "/c", f"Copy-Item {EXE_FILE} {file}"], timeout=10)
+ common.remove_files(proc, file)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/file_susp_browser_extension.py b/rta/file_susp_browser_extension.py
new file mode 100644
index 000000000..4eefa1d49
--- /dev/null
+++ b/rta/file_susp_browser_extension.py
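Review bot: `path` in main() embeds literal single quotes around `Start Menu`, so `os.makedirs(path, exist_ok=True)` creates a directory whose name contains the quote characters, while PowerShell strips them when it parses the `Copy-Item` target and writes to the unquoted `...\Start Menu\Programs\Startup\` — a folder this script never creates under `C:\Users\Public`. `common.remove_files(proc, file)` then removes the quoted path, not whatever was written. Build `path` without the quotes and quote the whole target in the command instead: `f"Copy-Item '{EXE_FILE}' '{file}'"`. I am inferring PowerShell's treatment of the embedded quoted fragment; confirm on a Windows host before merging.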
@@ -0,0 +1,36 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+ uuid="edb804d6-85df-4dca-a521-1b6dfee9f354",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': '7df7fca3-8a91-4a54-9799-0478a90ae326',
+ 'rule_name': 'Suspicious Browser Files Modification'
+ }],
+ siem=[],
+ techniques=['T1176', 'T1112'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ proc = "C:\\Users\\Public\\proc.exe"
+ path = "C:\\Users\\Public\\AppData\\Roaming\\Mozilla\\Test\\Profiles\\AdefaultA"
+ file = path + "\\extensions.json"
+ common.copy_file(EXE_FILE, proc)
+ os.makedirs(path, exist_ok=True)
+
+ common.execute([proc, "/c", f"Copy-Item {EXE_FILE} {file}"], timeout=10)
+ common.remove_files(proc, file)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/image_load_taskhost.py b/rta/image_load_taskhost.py
new file mode 100644
index 000000000..c35fdd3c4
--- /dev/null
+++ b/rta/image_load_taskhost.py
@@ -0,0 +1,47 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="9cca3284-848f-483a-9241-48562eee0605",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': '4b4ba027-151f-40e4-99ba-a386735c27e4',
+ 'rule_name': 'Unsigned DLL Loaded by Windows Tasks Host'
+ }],
+ siem=[],
+ techniques=['T1053', 'T1053.005'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
+RENAMER = common.get_path("bin", "rcedit-x64.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ taskhost1 = "C:\\Users\\Public\\taskhost1.exe"
+ user32 = "C:\\Windows\\System32\\user32.dll"
+ dll = "C:\\Users\\Public\\unsigned.dll"
+ ps1 = "C:\\Users\\Public\\Invoke-ImageLoad.ps1"
+ rcedit = "C:\\Users\\Public\\rcedit.exe"
+ common.copy_file(user32, dll)
+ common.copy_file(EXE_FILE, taskhost1)
+ common.copy_file(PS1_FILE, ps1)
+ common.copy_file(RENAMER, rcedit)
+
+ common.log("Modifying the OriginalFileName attribute")
+ common.execute([rcedit, dll, "--set-version-string", "OriginalFilename", "unsigned.dll"])
+
+ common.log("Loading unsigned DLL into fake taskhost")
+ common.execute([taskhost1, "-c", f"Import-Module {ps1}; Invoke-ImageLoad {dll}"], timeout=10)
+
+ common.remove_files(dll, ps1, rcedit)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/image_load_vaultcli.py b/rta/image_load_vaultcli.py
new file mode 100644
index 000000000..4ccf98388
--- /dev/null
+++ b/rta/image_load_vaultcli.py
@@ -0,0 +1,45 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="2145af1a-0781-47ab-8d73-2d50e93b5ff7",
+ platforms=["windows"],
+ endpoint=[
+ {'rule_id': '048737fe-80d6-4462-aa80-ffeed853103e', 'rule_name': 'Suspicious Vault Client Image Load'},
+ {'rule_id': '65784f6e-247a-466b-bbfb-cd92024f7e82', 'rule_name': 'Suspicious PowerShell Execution'}
+ ],
+ siem=[],
+ techniques=['T1555', 'T1555.004', 'T1059', 'T1059.001'],
+)
+PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
+RENAMER = common.get_path("bin", "rcedit-x64.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+ user32 = "C:\\Windows\\System32\\user32.dll"
+ dll = "C:\\Users\\Public\\vaultcli.dll"
+ ps1 = "C:\\Users\\Public\\Invoke-ImageLoad.ps1"
+ rcedit = "C:\\Users\\Public\\rcedit.exe"
+ common.copy_file(user32, dll)
+ common.copy_file(PS1_FILE, ps1)
+ common.copy_file(RENAMER, rcedit)
+
+ common.log("Modifying the OriginalFileName attribute")
+ common.execute([rcedit, dll, "--set-version-string", "OriginalFilename", "vaultcli.dll"])
+
+ common.log("Loading vaultcli.dll")
+ common.execute([powershell, "-c", f"echo downloadstring; Import-Module {ps1}; Invoke-ImageLoad {dll}"], timeout=10)
+
+ common.remove_files(dll, ps1, rcedit)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/msoffice_addins_file.py b/rta/msoffice_addins_file.py
new file mode 100644
index 000000000..99a0239f6
--- /dev/null
+++ b/rta/msoffice_addins_file.py
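Review bot: The `echo downloadstring;` prefix in the PowerShell command passed to `common.execute` in main() is unexplained, and a reader tidying the command line would reasonably trim it. Presumably it is there so the command line also satisfies the second rule listed in metadata, 'Suspicious PowerShell Execution', which the surrounding log message (`Loading vaultcli.dll`) does not hint at; confirm against that rule. Add a comment on the line above the call, e.g. `# "echo downloadstring" is a harmless token included so the PowerShell command-line rule also matches`.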
@@ -0,0 +1,34 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+ uuid="97979b30-908d-4c57-a33a-f3b78e55a84a",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': 'aaa80718-1ed9-43bd-bcf7-97f2a6c93ea8',
+ 'rule_name': 'Persistence via Microsoft Office AddIns'
+ }],
+ siem=[],
+ techniques=['T1137'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Word\\Startup"
+ os.makedirs(path, exist_ok=True)
+ file = path + "\\file.exe"
+
+ common.copy_file(EXE_FILE, file)
+ common.remove_file(file)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/reg_mod_ifeo.py b/rta/reg_mod_ifeo.py
new file mode 100644
index 000000000..0c727830a
--- /dev/null
+++ b/rta/reg_mod_ifeo.py
@@ -0,0 +1,36 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="2bb1016f-b3e9-455d-b665-02a0aafc797a",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': 'ff5fd85a-e770-4e57-8bae-0d267442eb9f',
+ 'rule_name': 'Suspicious Image File Execution Options Modification'
+ }],
+ siem=[],
+ techniques=['T1546', 'T1546.012'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ common.log("Temp Registry mod: IFEO")
+
+ key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\rta.exe\\"
+ value = "Debugger"
+ data = "Test"
+
+ with common.temporary_reg(common.HKLM, key, value, data):
+ pass
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/reg_mod_unusual_startup_folder.py b/rta/reg_mod_unusual_startup_folder.py
new file mode 100644
index 000000000..26accbb46
--- /dev/null
+++ b/rta/reg_mod_unusual_startup_folder.py
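Review bot: `EXE_FILE = common.get_path("bin", "renamed_posh.exe")` is never used in this file — the registry test copies nothing — so the line should be removed. The `key` string ends with a trailing backslash (`...\rta.exe\`) while the sibling reg_mod_unusual_startup_folder.py key has none; the registry API generally tolerates it, but the inconsistency invites a question, so drop the trailing `\\`. The empty `with` body also deserves a one-line comment such as `# The value only needs to exist briefly; temporary_reg removes it on exit`, otherwise a reader may take the `pass` for an unfinished stub — confirm that is indeed what `common.temporary_reg` does, since its implementation is not in this patch.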
@@ -0,0 +1,35 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="4ac771ca-5095-4a1b-ac6a-e2b714be8ccc",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': '377aad38-24e0-4dd7-93c2-bd231cb749e3',
+ 'rule_name': 'Unusual Startup Shell Folder Modification'
+ }],
+ siem=[],
+ techniques=['T1547', 'T1547.001', 'T1112'],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ common.log("Temp Registry mod: Common Startup Folder")
+
+ key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
+ value = "Common Startup"
+ data = "Test"
+
+ with common.temporary_reg(common.HKLM, key, value, data):
+ pass
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/suspicious_msiexec_child.py b/rta/suspicious_msiexec_child.py
new file mode 100644
index 000000000..88ebc5979
--- /dev/null
+++ b/rta/suspicious_msiexec_child.py
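Review bot: The `with common.temporary_reg(common.HKLM, key, value, data)` block in main() overwrites `Common Startup` under `HKLM\...\User Shell Folders`, a value that is present on a standard Windows install and determines where the all-users Startup folder resolves — unlike the IFEO sibling, this is not a fresh value under a throwaway subkey. Whether the host is left intact depends on `common.temporary_reg` writing the previous data back rather than just deleting the value on exit, and its implementation is not visible in this patch. If it deletes, read the existing data with `winreg.QueryValueEx` before entering the block and restore it in a `finally`; either way a comment above the `with` should state that this RTA temporarily changes a live system setting and requires an elevated prompt.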
@@ -0,0 +1,40 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="2cefb7c2-5ffc-4410-a63c-bded93b258c3",
+ platforms=["windows"],
+ endpoint=[
+ {
+ 'rule_id': '877c6bd9-8df1-4a15-aa97-2a091731b15d',
+ 'rule_name': 'Suspicious MsiExec Child Process'
+ },
+ {'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
+ {'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'},
+ {'rule_id': '5db08297-bf72-49f4-b426-f405c2b01326', 'rule_name': 'Regsvr32 with Unusual Arguments'}
+ ],
+ siem=[],
+ techniques=['T1218', 'T1218.007'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ msiexec = "C:\\Users\\Public\\msiexec.exe"
+ regsvr32 = "C:\\Users\\Public\\regsvr32.exe"
+ common.copy_file(EXE_FILE, msiexec)
+ common.copy_file(EXE_FILE, regsvr32)
+
+ common.execute([msiexec, "/c", regsvr32, "echo", "scrobj.dll"], timeout=5, kill=True)
+ common.remove_files(msiexec)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/uac_windir_masq.py b/rta/uac_windir_masq.py
new file mode 100644
index 000000000..85925a21e
--- /dev/null
+++ b/rta/uac_windir_masq.py
@@ -0,0 +1,33 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="3b8454af-db6b-4d4c-92c6-89ca7b6640f1",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': 'adaf95d2-28ce-4880-af16-f3041b624440',
+ 'rule_name': 'UAC Bypass Attempt via Windows Directory Masquerading'
+ }],
+ siem=[],
+ techniques=['T1548', 'T1548.002'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ proc = "C:\\Users\\Public\\proc.exe"
+ common.copy_file(EXE_FILE, proc)
+
+ common.execute([proc, "/c", "echo", "C:\\Windows \\System32\\a.exe"], timeout=5, kill=True)
+ common.remove_files(proc)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/unusual_parent_chrome_extension.py b/rta/unusual_parent_chrome_extension.py
new file mode 100644
index 000000000..a011dd6ab
--- /dev/null
+++ b/rta/unusual_parent_chrome_extension.py
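Review bot: The argument `"C:\\Windows \\System32\\a.exe"` passed to `common.execute` in main() carries a deliberate space after `Windows`, which is the entire substance of the masquerading test, yet nothing in the file says so and a later edit or a search-and-replace over paths could silently "fix" it. Add `# The space after "Windows" is intentional: the rule keys on the trailing-space directory name` on the line above the call. Since the test only echoes the string, the comment should also make clear that no such directory is created.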
@@ -0,0 +1,35 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="9e31b8ae-c0a6-46c9-9634-d1aebceea541",
+ platforms=["windows"],
+ endpoint=[{
+ 'rule_id': 'd7fda3d7-fe77-49c2-8b50-d28a6da206c4',
+ 'rule_name': 'Chromium Extension Loaded from Unusual Parent'
+ }],
+ siem=[],
+ techniques=['T1176'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+ proc = "C:\\Users\\Public\\proc.exe"
+ childproc = "C:\\Users\\Public\\childproc.exe"
+ common.copy_file(EXE_FILE, proc)
+ common.copy_file(EXE_FILE, childproc)
+
+ common.execute([proc, "/c", "echo", f"--load-extension; & {childproc}"], timeout=5, kill=True)
+ common.remove_files(childproc, proc)
+
+
+if __name__ == "__main__":
+ exit(main())