From 559cc6bbab1500d3c248c916230f0ea3361dbdc1 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 6 Nov 2023 14:21:23 +0100
Subject: [PATCH] Merge PR #4545 from @nasbench - Fix False Positives

fix: Creation of an Executable by an Executable
fix: Import New Module Via PowerShell CommandLine
fix: File or Folder Permissions Modifications
fix: Process Terminated Via Taskkill

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../file_event_win_susp_binary_dropper.yml | 76 ++++++++++++-------
 ..._creation_win_powershell_import_module.yml | 10 ++-
 ...win_susp_file_permission_modifications.yml | 11 ++-
 .../proc_creation_win_taskkill_execution.yml | 9 ++-
 4 files changed, 72 insertions(+), 34 deletions(-)

diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
index a48ca7ab03e..7c1c903545e 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
@@ -6,7 +6,7 @@ references:
 - Malware Sandbox
 author: frack113
 date: 2022/03/09
-modified: 2023/09/06
+modified: 2023/11/06
 tags:
 - attack.resource_development
 - attack.t1587.001
@@ -19,47 +19,47 @@ detection: Image|endswith: '.exe' TargetFilename|endswith: '.exe' filter_main_generic_1: - Image: - - 'C:\Windows\System32\msiexec.exe' - - 'C:\Windows\system32\cleanmgr.exe' - - 'C:\Windows\explorer.exe' - - 'C:\WINDOWS\system32\dxgiadaptercache.exe' - - 'C:\WINDOWS\system32\Dism.exe' - - 'C:\Windows\System32\wuauclt.exe' + Image|endswith: + - ':\Windows\System32\msiexec.exe' + - ':\Windows\system32\cleanmgr.exe' + - ':\Windows\explorer.exe' + - ':\WINDOWS\system32\dxgiadaptercache.exe' + - ':\WINDOWS\system32\Dism.exe' + - ':\Windows\System32\wuauclt.exe' filter_main_update: # Security_UserID: S-1-5-18 # Example: # TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe - Image: 'C:\WINDOWS\system32\svchost.exe' - TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\' + Image|endswith: ':\WINDOWS\system32\svchost.exe' + TargetFilename|contains: ':\Windows\SoftwareDistribution\Download\' filter_main_upgrade: - Image: 'C:\Windows\system32\svchost.exe' + Image|endswith: ':\Windows\system32\svchost.exe' TargetFilename|contains|all: # Example: # This example was seen during windows upgrade # TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe - ':\WUDownloadCache\' - '\WindowsUpdateBox.exe' - filter_windows_update_box: + filter_main_windows_update_box: # This FP was seen during Windows Upgrade # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv - Image|startswith: 'C:\WINDOWS\SoftwareDistribution\Download\' + Image|contains: ':\WINDOWS\SoftwareDistribution\Download\' Image|endswith: '\WindowsUpdateBox.Exe' - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\' + TargetFilename|contains: ':\$WINDOWS.~BT\Sources\' filter_main_tiworker: - Image|startswith: 'C:\Windows\WinSxS\' + Image|contains: ':\Windows\WinSxS\' Image|endswith: '\TiWorker.exe' filter_main_programfiles: - - Image|startswith: - - 'C:\Program Files\' - 
- 'C:\Program Files (x86)\' - - TargetFilename|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' + - Image|contains: + - ':\Program Files\' + - ':\Program Files (x86)\' + - TargetFilename|contains: + - ':\Program Files\' + - ':\Program Files (x86)\' filter_main_defender: - Image|startswith: - - 'C:\ProgramData\Microsoft\Windows Defender\' - - 'C:\Program Files\Windows Defender\' + Image|contains: + - ':\ProgramData\Microsoft\Windows Defender\' + - ':\Program Files\Windows Defender\' filter_main_windows_apps: TargetFilename|contains: '\AppData\Local\Microsoft\WindowsApps\' filter_main_teams: @@ -75,9 +75,9 @@ detection: # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe - Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' + Image|contains: ':\Windows\Microsoft.NET\Framework\' Image|endswith: '\mscorsvw.exe' - TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_' + TargetFilename|contains: ':\Windows\assembly\NativeImages_' filter_main_vscode: Image|contains: '\AppData\Local\' Image|endswith: '\Microsoft VS Code\Code.exe' 
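Review bot: The new values in `filter_main_generic_1`, `filter_main_update` and `filter_main_upgrade` spell the same directory three ways — `:\Windows\System32\`, `:\Windows\system32\` and `:\WINDOWS\system32\` — and the two svchost.exe filters differ from each other only in that casing. Sigma string matching is case-insensitive, so behaviour is identical either way, but the mixed spelling reads as if distinct paths were intended and makes later de-duplication of the two svchost filters harder; normalizing the added lines to one form (e.g. `Image|endswith: ':\Windows\System32\svchost.exe'` in both) would be clearer. The enclosing `detection` block continues beyond the hunk.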
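Review bot: The mscorsvw.exe filter in this hunk is made redundant by `filter_main_dot_net`, added at the end of the next hunk (`@@ -89,8 +89,28 @@`): its `Image|contains: ':\Windows\Microsoft.NET\Framework'` and `TargetFilename|contains: ':\Windows\assembly'` are strict supersets of `':\Windows\Microsoft.NET\Framework\'` and `':\Windows\assembly\NativeImages_'` here. Keeping both leaves two places to maintain for one exclusion; either fold the more precise `NativeImages_` target into `filter_main_dot_net` (which, lacking the trailing backslash, presumably also covers the Framework64 directory — worth stating in a comment) and drop this one, or drop the new one. The name of this filter sits above the hunk and is not visible here, so also confirm it carries a `filter_main_` or `filter_optional_` prefix, since the new condition evaluates only those.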
@@ -89,8 +89,28 @@ detection:
 # \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe
 TargetFilename|contains: '\AppData\Local\SquirrelTemp\'
 filter_main_windows_temp:
- TargetFilename|startswith: 'C:\WINDOWS\TEMP\'
- condition: selection and not 1 of filter_*
+ - Image|contains: ':\WINDOWS\TEMP\'
+ - TargetFilename|contains: ':\WINDOWS\TEMP\'
+ filter_optional_python:
+ Image|contains: '\Python27\python.exe'
+ TargetFilename|contains:
+ - '\Python27\Lib\site-packages\'
+ - '\Python27\Scripts\'
+ - '\AppData\Local\Temp\'
+ filter_optional_squirrel:
+ Image|contains: '\AppData\Local\SquirrelTemp\Update.exe'
+ TargetFilename|contains: '\AppData\Local'
+ filter_main_temp_installers:
+ - Image|contains: '\AppData\Local\Temp\'
+ - TargetFilename|contains: '\AppData\Local\Temp\'
+ filter_optional_chrome:
+ Image|endswith: '\ChromeSetup.exe'
+ TargetFilename|contains: '\Google'
+ filter_main_dot_net:
+ Image|contains: ':\Windows\Microsoft.NET\Framework'
+ Image|endswith: '\mscorsvw.exe'
+ TargetFilename|contains: ':\Windows\assembly'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 # Please contribute to FP to increase the level
 - Software installers
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
index 299dec08e99..29f9ce225a9 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
@@ -7,6 +7,7 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/09
+modified: 2023/11/06
 tags:
 - attack.execution
 - detection.threat_hunting
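Review bot: `filter_main_windows_temp` and `filter_main_temp_installers` are each a list of two maps, i.e. an OR: any process image under `:\WINDOWS\TEMP\` or `\AppData\Local\Temp\` that drops an .exe anywhere, and any .exe dropped into those directories, is now excluded unconditionally. Both directories are writable by unprivileged users and are routine staging locations, so this carves out much of what the rule exists to surface, and because the filters carry the `filter_main_` prefix consumers cannot retain that coverage by pruning optional filters; renaming them `filter_optional_windows_temp:` and `filter_optional_temp_installers:` keeps today's default behaviour (the new condition already negates both prefixes) while making the trade-off opt-out. Separately, the condition now evaluates only `filter_main_*` and `filter_optional_*`, so any filter elsewhere in the file without one of those prefixes stops applying silently — hunk 2 renamed `filter_windows_update_box` for this reason, but the names of the mscorsvw and SquirrelTemp filters lie outside the visible hunks and should be checked. Minor: `TargetFilename|contains: '\AppData\Local'` in `filter_optional_squirrel` lacks the trailing backslash used everywhere else and therefore also matches `\AppData\LocalLow\`.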
@@ -25,7 +26,14 @@ detection:
 CommandLine|contains:
 - 'Import-Module '
 - 'ipmo '
- condition: all of selection_*
+ filter_main_vsstudio:
+ ParentImage|contains:
+ - ':\Program Files\WindowsApps\Microsoft.WindowsTerminal_'
+ - ':\Windows\System32\cmd.exe'
+ CommandLine|contains|all:
+ - ':\Program Files\Microsoft Visual Studio\'
+ - 'Tools\Microsoft.VisualStudio.DevShell.dll'
+ condition: all of selection_* and not all of filter_main_*
 falsepositives:
 - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes.
 level: low
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
index d685f346460..97078430353 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/23
-modified: 2022/11/18
+modified: 2023/11/06
 tags:
 - attack.defense_evasion
 - attack.t1222.001
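Review bot: The new condition `all of selection_* and not all of filter_main_*` works today only because there is exactly one `filter_main_*` entry; as soon as a second one is added, `all of` requires both filters to match the same event and the exclusion silently stops working. The other rules in this PR use the intended form, `condition: all of selection_* and not 1 of filter_main_*`. A comment above `filter_main_vsstudio` would also help: with `:\Windows\System32\cmd.exe` accepted as a parent, the exclusion rests almost entirely on two substrings of `CommandLine`, the same field the selection matches on, so it is an allowlist by command-line content rather than by process identity — defensible for a hunting rule, but the next reviewer should see that this is by design.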
@@ -39,8 +39,13 @@ detection:
 - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
 - 'S-1-5-19:F'
 filter_optional_vscode:
- - CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code'
- - ParentImage|endswith: '\Microsoft VS Code\Code.exe'
+ CommandLine|contains:
+ - '\AppData\Local\Programs\Microsoft VS Code'
+ - ':\Program Files\Microsoft VS Code\'
+ filter_optional_avira:
+ CommandLine|contains:
+ - ':\Program Files (x86)\Avira\'
+ - ':\Program Files\Avira\'
 condition: 1 of selection_* and not 1 of filter_optional_*
 falsepositives:
 - Users interacting with the files on their own (unlikely unless privileged users).
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
index ef94d449692..6a1d451ff79 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
 author: frack113
 date: 2021/12/26
-modified: 2023/08/28
+modified: 2023/11/06
 tags:
 - attack.impact
 - attack.t1489
@@ -24,7 +24,12 @@ detection:
 CommandLine|contains|all:
 - ' /f'
 - ' /im '
- condition: all of selection_*
+ filter_main_installers:
+ ParentImage|contains:
+ - '\AppData\Local\Temp\'
+ - ':\Windows\Temp'
+ ParentImage|endswith: '.tmp'
+ condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
 - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
 level: low
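Review bot: `filter_optional_avira` excludes every permission-modification command whose `CommandLine` merely contains `:\Program Files\Avira\` or `:\Program Files (x86)\Avira\`, with no constraint on which process issued it. This rule is tagged `attack.t1222.001` and cites Defeat-Defender, and re-ACLing a security product's install directory is precisely the behaviour in scope, so keying the exclusion on the target path alone removes the case of most interest. If the observed false positives come from Avira's own components, pairing the command-line match with the parent process (e.g. `ParentImage|contains: ':\Program Files (x86)\Avira\'` — `ParentImage` being the field this hunk just dropped from the VS Code filter) would limit the exclusion to the product's own processes; otherwise a comment naming the observed source would help the next reviewer. The enclosing `detection` block begins above the hunk.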
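Review bot: `filter_main_installers` treats a `.tmp` parent under `\AppData\Local\Temp\` or `:\Windows\Temp` as a trusted installer, but both locations are user-writable and a `.tmp`-named executable in a temp folder is not by itself evidence of legitimacy, so this exclusion belongs in the opt-out class rather than `filter_main_`. Renaming it `filter_optional_installers:` and changing the last added line to `condition: all of selection_* and not 1 of filter_optional_*` keeps today's behaviour while letting consumers retain the coverage. Also, `':\Windows\Temp'` lacks the trailing backslash that `'\AppData\Local\Temp\'` directly above it has; `':\Windows\Temp\'` keeps the two values consistent and avoids matching sibling directories that share the prefix. The enclosing `detection` block begins above the hunk.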