From d7a0f0e5238314f670fb17370c74d82db3285923 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 9 Nov 2023 11:20:16 +0100 Subject: [PATCH 01/28] Merge PR #4558 from @nasbench - Update greetings workflow chore: update greetings workflow --- .github/workflows/greetings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml index 227e35741bf..92c9e151030 100644 --- a/.github/workflows/greetings.yml +++ b/.github/workflows/greetings.yml @@ -1,6 +1,6 @@ name: Auto message for PR's and Issues -on: [pull_request, issues] +on: [pull_request_target, issues] jobs: build: From 6193ab71bdb9f3dbc4c29f1856badddfaa9e6043 Mon Sep 17 00:00:00 2001 From: Michael Peacock Date: Thu, 9 Nov 2023 05:20:55 -0500 Subject: [PATCH 02/28] Merge PR #4556 from @michaelpeacock - Update README.md chore: update README with link to the Confluent Sigma repo. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3b95b704478..1340019750e 100644 --- a/README.md +++ b/README.md @@ -91,7 +91,7 @@ If you find a false positive or would like to propose a new detection rule idea ## Projects or Products that use or integrate Sigma rules * [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (Since December 2018) -* [Confluent Sigma](https://github.com/confluentinc/cyber/tree/master/confluent-sigma) +* [Confluent Sigma](https://github.com/confluentinc/confluent-sigma) - Kafka Streams supported Sigma rules * [IBM QRadar](https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2023/08/02/qradar-natively-supports-sigma-for-rules-creation) * [Joe Sandbox](https://www.joesecurity.org/blog/8225577975210857708) * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (Since Version 2.4.70, March 2017) 
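Review bot: the trigger change to `pull_request_target` in the greetings.yml hunk means the job now runs with the base repository's write-scoped GITHUB_TOKEN and secrets even for pull requests from forks. That is what a first-interaction greeting needs in order to comment on a fork PR, but it is only safe as long as no step checks out or executes code from the PR head; the steps are outside this hunk, so please confirm the job does not use `actions/checkout` with the PR ref, and consider adding an explicit `permissions:` block limited to `issues: write` and `pull-requests: write` so the token is no broader than the greeting needs.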
From c0e11f3c3e01f81ee962c5b130d20f3f6b22cbed Mon Sep 17 00:00:00 2001 From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com> Date: Thu, 9 Nov 2023 21:37:48 +0900 Subject: [PATCH 03/28] Merge PR #4559 from @fukusuket - Fix unescaped wildcard character fix: Execute Code with Pester.bat - Fix a non escaped wildcard ? --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../process_creation/proc_creation_win_lolbin_pester_1.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml index 6e5e72fd454..903a3db4c19 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml @@ -4,9 +4,10 @@ status: test description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) references: - https://twitter.com/Oddvarmoe/status/993383596244258816 + - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md author: Julia Fomina, oscd.community date: 2020/10/08 -modified: 2022/07/14 +modified: 2023/11/09 tags: - attack.execution - attack.t1059.001 @@ -31,7 +32,7 @@ detection: get_help: CommandLine|contains: - 'help' - - '?' + - '\?' condition: powershell_module or (cmd_execution and get_help) falsepositives: - Legitimate use of Pester for writing tests for Powershell scripts and modules From c13b568bd3171cc1054d94266963a436a5d6bd1c Mon Sep 17 00:00:00 2001 
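Review bot: the `'?'` to `'\?'` change in the `get_help` selection is the right fix, since `?` is a single-character wildcard in Sigma value matching and the unescaped form matched any one character rather than a literal question mark. Since the file is being touched anyway, the unchanged context line `description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)` has a typo ("Modulte"); worth correcting it in the same PR.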
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 10 Nov 2023 12:00:08 +0100 Subject: [PATCH 04/28] Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation new: Lace Tempest File Indicators new: Lace Tempest PowerShell Evidence Eraser new: Lace Tempest PowerShell Launcher new: Lace Tempest Cobalt Strike Download new: Lace Tempest Malware Loader Execution update: Suspicious Processes Spawned by Java.EXE - Enhance process coverage by adding new processes and removing unrelated ones update: Webshell Detection With Command Line Keywords - Enhance process coverage by adding new processes and removing unrelated ones update: Suspicious Process By Web Server Process - Enhance process coverage by adding new processes and removing unrelated ones --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../2023/TA/Lace-Tempest/README.md | 17 +++++ ..._event_win_apt_lace_tempest_indicators.yml | 25 +++++++ ...posh_ps_apt_lace_tempest_eraser_script.yml | 30 +++++++++ ...h_ps_apt_lace_tempest_malware_launcher.yml | 29 ++++++++ ...pt_lace_tempest_cobalt_strike_download.yml | 23 +++++++ ..._win_apt_lace_tempest_loader_execution.yml | 23 +++++++ ...c_creation_win_java_susp_child_process.yml | 43 ++++++------ ...creation_win_java_susp_child_process_2.yml | 11 +-- .../proc_creation_win_webshell_chopper.yml | 2 +- .../proc_creation_win_webshell_hacking.yml | 25 +++---- ...webshell_recon_commands_and_processes.yml} | 52 +++++++------- ...l_susp_process_spawned_from_webserver.yml} | 67 +++++++------------ ...proc_creation_win_webshell_tool_recon.yml} | 29 ++++---- 13 files changed, 257 insertions(+), 119 deletions(-) create mode 100644 rules-emerging-threats/2023/TA/Lace-Tempest/README.md create mode 100644 rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml create mode 100644 
rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml create mode 100644 rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml create mode 100644 rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml create mode 100644 rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml rename rules/windows/process_creation/{proc_creation_win_webshell_detection.yml => proc_creation_win_webshell_recon_commands_and_processes.yml} (82%) rename rules/windows/process_creation/{proc_creation_win_webshell_spawn.yml => proc_creation_win_webshell_susp_process_spawned_from_webserver.yml} (74%) rename rules/windows/process_creation/{proc_creation_win_webshell_recon_detection.yml => proc_creation_win_webshell_tool_recon.yml} (73%) diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/README.md b/rules-emerging-threats/2023/TA/Lace-Tempest/README.md new file mode 100644 index 00000000000..345a18f7745 --- /dev/null +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/README.md 
@@ -0,0 +1,17 @@ +# Lace Tempest SysAid CVE-2023-47246 Exploitation + +## Summary + +A zero-day vulnerability in the SysAid on-premises software was exploited by DEV-0950 (Lace Tempest). Where the threat actor uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The WebShell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan + +You can find more information on the threat in the following articles: + +- [SysAid On-Prem Software CVE-2023-47246 Vulnerability](https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification) + +## Rules + +- [Lace Tempest File Indicators](./file_event_win_apt_lace_tempest_indicators.yml) +- [Lace Tempest PowerShell Evidence Eraser](./posh_ps_apt_lace_tempest_eraser_script.yml) +- [Lace Tempest PowerShell Launcher](./posh_ps_apt_lace_tempest_malware_launcher.yml) +- [Lace Tempest Cobalt Strike Download](./proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml) +- [Lace Tempest Malware Loader Execution](./proc_creation_win_apt_lace_tempest_loader_execution.yml) diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml new file mode 100644 index 00000000000..3d2ac26c8d2 --- /dev/null +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml 
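Review bot: the Summary paragraph in the new README.md has a sentence fragment: "Where the threat actor uploaded a WAR archive ..." is not a complete sentence and should be joined to the preceding one (e.g. "... exploited by DEV-0950 (Lace Tempest), which uploaded a WAR archive ..."). The paragraph also ends without a full stop after "GraceWire trojan".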
@@ -0,0 +1,25 @@ +title: Lace Tempest File Indicators +id: e94486ea-2650-4548-bf25-88cbd0bb32d7 +status: experimental +description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7 +references: + - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/09 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: file_event + product: windows +detection: + selection: + - TargetFilename|endswith: + - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe' + - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war' + - ':\Program Files\SysAidServer\tomcat\webapps\leave' + - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml new file mode 100644 index 00000000000..7a8a8ddfdc6 --- /dev/null +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml 
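Review bot: the `description:` of the new file_event_win_apt_lace_tempest_indicators.yml does not describe this rule: "Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7" looks pasted from another rule, while the selection actually matches the WAR archive, web shell and `user.exe` loader being written under the SysAid Tomcat `webapps` directory. Please rewrite it to state that, naming the SysAid advisory it is based on. The tags could also carry `attack.persistence` and `attack.t1505.003`, as the web shell rules elsewhere in this PR do, since the files are a web shell dropped into the webroot.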
@@ -0,0 +1,30 @@ +title: Lace Tempest PowerShell Evidence Eraser +id: b377ddab-502d-4519-9e8c-5590033d2d70 +status: experimental +description: | + Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team +references: + - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/09 +tags: + - attack.execution + - attack.t1059.001 + - detection.emerging_threats +logsource: + product: windows + category: ps_script + definition: 'Requirements: Script Block Logging must be enabled' +detection: + selection: + ScriptBlockText|contains|all: + - 'cleanLL' + - 'usersfiles.war' + - 'Remove-Item -Path "$tomcat_dir' + - 'SysAidServer' + - 'sleep ' + - 'while(1)' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml new file mode 100644 index 00000000000..a8cb343ff01 --- /dev/null +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml 
@@ -0,0 +1,29 @@ +title: Lace Tempest PowerShell Launcher +id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651 +status: experimental +description: | + Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team +references: + - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/09 +tags: + - attack.execution + - attack.t1059.001 + - detection.emerging_threats +logsource: + product: windows + category: ps_script + definition: 'Requirements: Script Block Logging must be enabled' +detection: + selection: + ScriptBlockText|contains|all: + - '\SysAidServer\tomcat\webapps' + - 'Starting user.exe' + - '\usersfiles\user.exe' + - 'Remove-Item -Force "$wapps' + - '(Sophos).' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml new file mode 100644 index 00000000000..c6e118e5ef8 --- /dev/null +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml 
@@ -0,0 +1,23 @@ +title: Lace Tempest Cobalt Strike Download +id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d +status: experimental +description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team +references: + - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/09 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring( + - /a') + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml new file mode 100644 index 00000000000..911078ce8fb --- /dev/null +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml 
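Review bot: the two `CommandLine|contains|all` values in proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml are unquoted, unlike every other string value in this series. `- -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(` and `- /a')` happen to parse as plain YAML scalars, but values containing quotes and parentheses are fragile; please quote them, escaping the embedded single quote as `''`, e.g. `- '/a'')'`. Note also that the first value is a generic PowerShell download cradle, so the `/a')` fragment is what carries the Lace Tempest specificity; a comment saying so would help future maintainers who might be tempted to drop it.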
@@ -0,0 +1,23 @@ +title: Lace Tempest Malware Loader Execution +id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d +status: experimental +description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team +references: + - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/09 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe' + selection_hash: + Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D' + condition: 1 of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml index 9d556c12dc5..299f7a56a84 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml @@ -1,10 +1,13 @@ -title: Suspicious Shells Spawned by Java +title: Suspicious Processes Spawned by Java.EXE id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d +related: + - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 + type: similar status: experimental -description: Detects suspicious shell spawned from Java host process (e.g. log4j exploitation) +description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) author: Andreas Hunkeler (@Karneades), Florian Roth date: 2021/12/17 -modified: 2023/01/21 +modified: 2023/11/09 tags: - attack.initial_access - attack.persistence 
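Review bot: in proc_creation_win_apt_lace_tempest_loader_execution.yml the `selection_hash` branch only works when the log source populates a `Hashes` field that includes SHA256 (for Sysmon this depends on the configured HashAlgorithms); that is worth stating in a `definition:` under `logsource`, as the ps_script rules in this PR already do for Script Block Logging, so that users on sources without hashes understand they are relying on `selection_img` alone.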
@@ -16,32 +19,30 @@ detection: selection: ParentImage|endswith: '\java.exe' Image|endswith: - - '\sh.exe' + - '\AppVLP.exe' - '\bash.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\schtasks.exe' - - '\certutil.exe' - - '\whoami.exe' - '\bitsadmin.exe' - - '\wscript.exe' + - '\certutil.exe' - '\cscript.exe' - - '\scrcons.exe' - - '\regsvr32.exe' - - '\hh.exe' - - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - - '\mshta.exe' - - '\rundll32.exe' + - '\curl.exe' - '\forfiles.exe' - - '\scriptrunner.exe' + - '\hh.exe' - '\mftrace.exe' - - '\AppVLP.exe' - - '\curl.exe' - - '\systeminfo.exe' + - '\mshta.exe' - '\net.exe' - '\net1.exe' - - '\reg.exe' - '\query.exe' + - '\reg.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\schtasks.exe' + - '\scrcons.exe' + - '\scriptrunner.exe' + - '\sh.exe' + - '\systeminfo.exe' + - '\whoami.exe' + - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ + - '\wscript.exe' condition: selection falsepositives: - Legitimate calls to system binaries diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml index 853b2611f3e..0255a32e2f2 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml @@ -1,10 +1,13 @@ -title: Shells Spawned by Java +title: Shell Process Spawned by Java.EXE id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 +related: + - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d + type: similar status: test description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali date: 2021/12/17 -modified: 2022/07/27 +modified: 2023/11/09 tags: - attack.initial_access - attack.persistence 
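Review bot: the Image list hunk in proc_creation_win_java_susp_child_process.yml adds no new processes; the net change is alphabetical reordering plus the removal of `\powershell.exe` and `\pwsh.exe`, which are now left to the related rule dff1e1cc (cmd, powershell, pwsh). The commit message says this rule gains new processes, so please adjust it, and a short comment in the rule noting that shells are deliberately delegated to the related rule would prevent someone re-adding them later.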
@@ -19,10 +22,10 @@ detection: - '\cmd.exe' - '\powershell.exe' - '\pwsh.exe' - filter: + filter_main_build: ParentImage|contains: 'build' # excluding CI build agents CommandLine|contains: 'build' # excluding CI build agents - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Legitimate calls to system binaries - Company specific internal usage diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml index b2644fc9bf0..3a87945a630 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml @@ -29,7 +29,7 @@ detection: - '&dir&echo' - '&echo [E]' - '&echo [S]' - condition: all of selection* + condition: all of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml index e192f9f81e4..2b3dbc800d9 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml @@ -1,12 +1,13 @@ title: Webshell Hacking Activity Patterns id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9 status: test -description: Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system +description: | + Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system references: - https://youtu.be/7aemGhaE9ds?t=641 author: Florian Roth (Nextron Systems) date: 2022/03/17 -modified: 2022/08/04 +modified: 2023/11/09 tags: - attack.persistence - attack.t1505.003 
@@ -20,11 +21,11 @@ detection: # Webserver selection_webserver_image: ParentImage|endswith: - - '\w3wp.exe' - - '\php-cgi.exe' - - '\nginx.exe' - - '\httpd.exe' - '\caddy.exe' + - '\httpd.exe' + - '\nginx.exe' + - '\php-cgi.exe' + - '\w3wp.exe' - '\ws_tomcatservice.exe' selection_webserver_characteristics_tomcat1: ParentImage|endswith: @@ -80,20 +81,20 @@ detection: selection_child_6: # SUspicious patterns CommandLine|contains: + - ' -decode ' # Used with certutil - ' -NoP ' # Often used in malicious PowerShell commands - ' -W Hidden ' # Often used in malicious PowerShell commands - - ' -decode ' # Used with certutil - ' /decode ' # Used with certutil - - 'reg save ' # save registry SAM - syskey extraction - - '.downloadstring(' # PowerShell download command - - '.downloadfile(' # PowerShell download command - - 'FromBase64String' # PowerShell encoded payload - ' /ticket:' # Rubeus - ' sekurlsa' # Mimikatz - '.dmp full' # Process dumping method apart from procdump + - '.downloadfile(' # PowerShell download command + - '.downloadstring(' # PowerShell download command + - 'FromBase64String' # PowerShell encoded payload - 'process call create' # WMIC process creation + - 'reg save ' # save registry SAM - syskey extraction - 'whoami /priv' - condition: 1 of selection_webserver* and 1 of selection_child* + condition: 1 of selection_webserver_* and 1 of selection_child_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml similarity index 82% rename from rules/windows/process_creation/proc_creation_win_webshell_detection.yml rename to rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml index 34edc76511b..67e6d15358c 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml 
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml @@ -40,7 +40,7 @@ detection: CommandLine|contains: - 'catalina.jar' - 'CATALINA_HOME' - susp_net_utility: + selection_susp_net_utility: OriginalFileName: - 'net.exe' - 'net1.exe' @@ -48,49 +48,55 @@ detection: - ' user ' - ' use ' - ' group ' - susp_ping_utility: + selection_susp_ping_utility: OriginalFileName: 'ping.exe' CommandLine|contains: ' -n ' - susp_change_dir: + selection_susp_change_dir: CommandLine|contains: - '&cd&echo' # china chopper web shell - 'cd /d ' # https://www.computerhope.com/cdhlp.htm - susp_wmic_utility: + selection_susp_wmic_utility: OriginalFileName: 'wmic.exe' CommandLine|contains: ' /node:' - susp_misc_discovery_binaries: + selection_susp_misc_discovery_binaries: - Image|endswith: - - '\whoami.exe' - - '\systeminfo.exe' - - '\quser.exe' + - '\dsquery.exe' + - '\find.exe' + - '\findstr.exe' - '\ipconfig.exe' - - '\pathping.exe' - - '\tracert.exe' - '\netstat.exe' + - '\nslookup.exe' + - '\pathping.exe' + - '\quser.exe' - '\schtasks.exe' - - '\vssadmin.exe' - - '\wevtutil.exe' + - '\systeminfo.exe' - '\tasklist.exe' + - '\tracert.exe' + - '\ver.exe' + - '\wevtutil.exe' + - '\whoami.exe' - OriginalFileName: - - 'whoami.exe' - - 'sysinfo.exe' - - 'quser.exe' + - 'dsquery.exe' + - 'find.exe' + - 'findstr.exe' - 'ipconfig.exe' - - 'pathping.exe' - - 'tracert.exe' - 'netstat.exe' + - 'nslookup.exe' + - 'pathping.exe' + - 'quser.exe' - 'schtasks.exe' + - 'sysinfo.exe' + - 'tasklist.exe' + - 'tracert.exe' + - 'ver.exe' - 'VSSADMIN.EXE' - 'wevtutil.exe' - - 'tasklist.exe' - susp_misc_discovery_commands: + - 'whoami.exe' + selection_susp_misc_discovery_commands: CommandLine|contains: - ' Test-NetConnection ' - 'dir \' # remote dir: dir \\C$:\windows\temp\*.exe - condition: 1 of selection* and 1 of susp* -fields: - - CommandLine - - ParentCommandLine + condition: 1 of selection_webserver_* and 1 of selection_susp_* falsepositives: - Unknown level: high 
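Review bot: in `selection_susp_misc_discovery_binaries` the `Image|endswith` list drops `'\vssadmin.exe'` while the `OriginalFileName` list still contains `'VSSADMIN.EXE'`, so the two alternatives are no longer mirror images; either keep vssadmin in both or remove it from both. The condition change to `1 of selection_webserver_* and 1 of selection_susp_*` is necessary after the rename, since the old `1 of selection*` would otherwise have matched the renamed `selection_susp_*` groups too and let a discovery binary alone satisfy the rule.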
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml similarity index 74% rename from rules/windows/process_creation/proc_creation_win_webshell_spawn.yml rename to rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml index e7da4c834b2..d772f5324f8 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml @@ -1,12 +1,13 @@ -title: Shells Spawned by Web Servers +title: Suspicious Process By Web Server Process id: 8202070f-edeb-4d31-a010-a26c72ac5600 status: test -description: Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack +description: | + Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation references: - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 -modified: 2022/09/19 +modified: 2023/11/09 tags: - attack.persistence - attack.t1505.003 
@@ -17,15 +18,15 @@ logsource: detection: selection_webserver_image: ParentImage|endswith: - - '\w3wp.exe' - - '\php.exe' - - '\php-cgi.exe' - - '\nginx.exe' - - '\httpd.exe' - '\caddy.exe' - - '\ws_TomcatService.exe' + - '\httpd.exe' + - '\nginx.exe' + - '\php-cgi.exe' + - '\php.exe' - '\tomcat.exe' - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html + - '\w3wp.exe' + - '\ws_TomcatService.exe' selection_webserver_characteristics_tomcat1: ParentImage|endswith: - '\java.exe' 
@@ -38,67 +39,49 @@ detection: - '\java.exe' - '\javaw.exe' ParentCommandLine|contains: - - 'catalina.jar' - 'CATALINA_HOME' - 'catalina.home' - anomaly_children: + - 'catalina.jar' + selection_anomaly_children: Image|endswith: - - '\cmd.exe' - - '\cscript.exe' - - '\sh.exe' - - '\bash.exe' - - '\powershell.exe' - - '\powershell_ise.exe' - - '\pwsh.exe' - - '\bitsadmin.exe' - '\arp.exe' - '\at.exe' + - '\bash.exe' + - '\bitsadmin.exe' - '\certutil.exe' + - '\cmd.exe' + - '\cscript.exe' - '\dsget.exe' - - '\dsquery.exe' - - '\find.exe' - - '\findstr.exe' - - '\fsutil.exe' - '\hostname.exe' - - '\ipconfig.exe' - '\nbtstat.exe' - '\net.exe' - '\net1.exe' - '\netdom.exe' - '\netsh.exe' - - '\netstat.exe' - '\nltest.exe' - - '\nslookup.exe' - '\ntdutil.exe' - - '\pathping.exe' - - '\ping.exe' + - '\powershell_ise.exe' + - '\powershell.exe' + - '\pwsh.exe' - '\qprocess.exe' - '\query.exe' - '\qwinsta.exe' - '\reg.exe' - '\rundll32.exe' - '\sc.exe' - - '\schtasks.exe' - - '\systeminfo.exe' - - '\tasklist.exe' - - '\tracert.exe' - - '\ver.exe' - - '\vssadmin.exe' - - '\wevtutil.exe' - - '\whoami.exe' + - '\sh.exe' - '\wmic.exe' - '\wscript.exe' - '\wusa.exe' - false_positive1: + filter_main_fp_1: + ParentImage|endswith: '\java.exe' CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' - false_positive2: + filter_main_fp_2: + ParentImage|endswith: '\java.exe' CommandLine|contains|all: - 'sc query' - 'ADManager Plus' - condition: 1 of selection* and anomaly_children and not 1 of false_positive* -fields: - - CommandLine - - ParentCommandLine + condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_** falsepositives: - Particular web applications may spawn a shell process legitimately level: high 
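Review bot: the new condition line `1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_**` has a doubled wildcard in `filter_main_**`; it should be `filter_main_*` to match the naming convention used by the other conditions in this PR. Separately, `\fsutil.exe` is removed from `selection_anomaly_children` but is not added to the recon rule in this series, so coverage for fsutil spawned by a web server process is lost; please confirm that is intended.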
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml similarity index 73% rename from rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml rename to rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml index 2367b9c7984..1358e328b79 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml @@ -1,12 +1,13 @@ -title: Webshell Recon Detection Via CommandLine & Processes +title: Webshell Tool Reconnaissance Activity id: f64e5c19-879c-4bae-b471-6d84c8339677 status: test -description: Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands +description: | + Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands references: - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html -author: Cian Heasley, Florian Roth +author: Cian Heasley, Florian Roth (Nextron Systems) date: 2020/07/22 -modified: 2022/07/27 +modified: 2023/11/09 tags: - attack.persistence - attack.t1505.003 @@ -16,11 +17,11 @@ logsource: detection: selection_webserver_image: ParentImage|endswith: - - '\w3wp.exe' - - '\php-cgi.exe' - - '\nginx.exe' - - '\httpd.exe' - '\caddy.exe' + - '\httpd.exe' + - '\nginx.exe' + - '\php-cgi.exe' + - '\w3wp.exe' - '\ws_tomcatservice.exe' selection_webserver_characteristics_tomcat1: ParentImage|endswith: 
@@ -34,22 +35,18 @@ detection: - '\java.exe' - '\javaw.exe' CommandLine|contains: - - 'catalina.jar' - 'CATALINA_HOME' - recon: + - 'catalina.jar' + selection_recon: CommandLine|contains: - 'perl --help' + - 'perl -h' - 'python --help' - 'python -h' - 'python3 --help' - 'python3 -h' - 'wget --help' - - 'perl -h' - condition: 1 of selection* and recon -fields: - - Image - - CommandLine - - ParentCommandLine + condition: 1 of selection_webserver_* and selection_recon falsepositives: - Unknown level: high From 3203805735b3e9b02a3446fa45eb6f5e3c043263 Mon Sep 17 00:00:00 2001 From: Mai Long <117887061+longmdx@users.noreply.github.com> Date: Fri, 10 Nov 2023 21:45:42 +0700 Subject: [PATCH 05/28] Merge PR #4548 from @longmdx - align with new smbexec release update: smbexec.py Service Installation - align with new smbexec release --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../win_system_hack_smbexec.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml index 4f18d93e4ed..8a39f3357dd 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml 
@@ -4,9 +4,11 @@ status: test description: Detects the use of smbexec.py tool by detecting a specific service installation references: - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ + - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296 + - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name author: Omer Faruk Celik date: 2018/03/20 -modified: 2022/03/21 +modified: 2023/11/09 tags: - attack.lateral_movement - attack.execution @@ -16,12 +18,16 @@ logsource: product: windows service: system detection: - selection: + selection_eid: Provider_Name: 'Service Control Manager' EventID: 7045 + selection_service_name: ServiceName: 'BTOBTO' - ImagePath|endswith: '\execute.bat' - condition: selection + selection_service_image: + ImagePath|contains: + - '.bat & del ' + - '__output 2^>^&1 >' + condition: selection_eid and 1 of selection_service_* falsepositives: - Unknown -level: critical +level: high From 309c2dee7f3fb56da08db0d91bdc9afed4f55d6c Mon Sep 17 00:00:00 2001 
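Review bot: the two `ImagePath|contains` strings in `selection_service_image` (`'.bat & del '` and `'__output 2^>^&1 >'`) come from the same smbexec service command, so ORing them via `1 of selection_service_*` lets the generic first string fire on any service that runs a batch file and then deletes it. If the intent is to survive changes to the output share path, a comment explaining that would help; otherwise `ImagePath|contains|all` would keep the smbexec detection while avoiding matches on unrelated "run .bat then delete" service images. Lowering the level to high is consistent with the looser match.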
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 10 Nov 2023 17:32:28 +0100 Subject: [PATCH 06/28] Merge PR #4560 from @nasbench - Fix FP Found In Testing & Other Rule Updates fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS Edge fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variation for Windows recovery fix: Portable Gpg.EXE Execution - Add new legitimate location for GnuPG fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process update: ISO Image Mounted - Update title and add new filter update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../proc_creation_win_malware_notpetya.yml | 9 +- .../win_security_scheduled_task_deletion.yml | 1 + ...e_remote_thread_win_powershell_generic.yml | 5 +- ...file_event_win_scheduled_task_creation.yml | 1 + .../image_load_dll_system_drawing_load.yml | 1 + ...registry_event_scheduled_task_creation.yml | 3 +- .../security/win_security_iso_mount.yml | 15 ++-- ...ote_thread_win_powershell_susp_targets.yml | 13 +-- .../file_event_win_creation_system_file.yml | 5 +-
...ad_wmi_module_load_by_uncommon_process.yml | 36 ++------ .../proc_access_win_invoke_patchingapi.yml | 85 +++++++++---------- ...reation_win_gpg4win_portable_execution.yml | 6 +- ...n_susp_bad_opsec_sacrificial_processes.yml | 25 +++--- .../proc_creation_win_whoami_susp_flags.yml | 5 +- ...tion_win_wmiprvse_susp_child_processes.yml | 11 ++- 15 files changed, 102 insertions(+), 119 deletions(-) rename {rules => rules-threat-hunting}/windows/builtin/security/win_security_scheduled_task_deletion.yml (98%) rename {rules => rules-threat-hunting}/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml (85%) rename {rules => rules-threat-hunting}/windows/file/file_event/file_event_win_scheduled_task_creation.yml (96%) rename {rules => rules-threat-hunting}/windows/image_load/image_load_dll_system_drawing_load.yml (97%) rename {rules => rules-threat-hunting}/windows/registry/registry_event/registry_event_scheduled_task_creation.yml (91%) diff --git a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml index 6a6b45099a5..f4596170e37 100644 --- a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml +++ b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml @@ -20,11 +20,11 @@ logsource: category: process_creation product: windows detection: - selection_pattern: + selection_specific_pattern: CommandLine|contains: - 'wevtutil cl Application & fsutil usn deletejournal /D C:' - 'dllhost.dat %WINDIR%\ransoms' - selection_rundll32_dash1: + selection_rundll32: Image|endswith: '\rundll32.exe' CommandLine|endswith: - '.dat,#1' @@ -32,10 +32,7 @@ detection: - '.zip.dll",#1' selection_perfc_keyword: - '\perfc.dat' - condition: 1 of selection* -fields: - - CommandLine - - ParentCommandLine + condition: 1 of selection_* falsepositives: - Unknown level: critical 
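Review bot: in the NotPetya hunk, `selection_perfc_keyword` is a bare keyword list (`- '\perfc.dat'`) inside a `process_creation` rule, and with the condition now `1 of selection_*` the rule depends on it; unbound keyword selections are not supported by every backend for field-based log sources, so bind it to a field (`CommandLine|contains: '\perfc.dat'`) or state the backend requirement in a comment. The removal of the `fields` block is fine, as it carried no detection logic.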
diff --git a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml similarity index 98% rename from rules/windows/builtin/security/win_security_scheduled_task_deletion.yml rename to rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml index 4a48af5b0b6..117a4da6568 100644 --- a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml +++ b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml @@ -13,6 +13,7 @@ tags: - attack.privilege_escalation - car.2013-08-001 - attack.t1053.005 + - detection.threat_hunting logsource: product: windows service: security diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml similarity index 85% rename from rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml rename to rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml index 5842c2f075d..e147ca2d5ad 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml +++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml @@ -9,10 +9,11 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Nikita Nazarov, oscd.community date: 2020/10/06 -modified: 2023/03/28 +modified: 2023/11/10 tags: - attack.execution - attack.t1059.001 + - detection.threat_hunting logsource: product: windows category: create_remote_thread 
@@ -22,7 +23,7 @@ detection: - '\powershell.exe' - '\pwsh.exe' filter_main_compattelrunner: - SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe' + SourceParentImage|endswith: ':\Windows\System32\CompatTelRunner.exe' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml similarity index 96% rename from rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml rename to rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml index dbcd9f762fe..5b6c2358a20 100644 --- a/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml @@ -14,6 +14,7 @@ tags: - attack.t1053.005 - attack.s0111 - car.2013-08-001 + - detection.threat_hunting logsource: product: windows category: file_event diff --git a/rules/windows/image_load/image_load_dll_system_drawing_load.yml b/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml similarity index 97% rename from rules/windows/image_load/image_load_dll_system_drawing_load.yml rename to rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml index 51324c3207b..6aa25115889 100644 --- a/rules/windows/image_load/image_load_dll_system_drawing_load.yml +++ b/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml @@ -11,6 +11,7 @@ modified: 2023/02/22 tags: - attack.collection - attack.t1113 + - detection.threat_hunting logsource: product: windows category: image_load 
diff --git a/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml similarity index 91% rename from rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml rename to rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml index f8a92e67956..116f3ab882f 100644 --- a/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml +++ b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml @@ -14,6 +14,7 @@ tags: - attack.s0111 - attack.t1053.005 - car.2013-08-001 + - detection.threat_hunting logsource: product: windows category: registry_event @@ -24,5 +25,5 @@ detection: - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\' condition: selection falsepositives: - - Normal behaviour on Windows + - Likely as this is a normal behaviour on Windows level: low diff --git a/rules/windows/builtin/security/win_security_iso_mount.yml b/rules/windows/builtin/security/win_security_iso_mount.yml index 7ee0b2dacc3..488a5ebcf6d 100644 --- a/rules/windows/builtin/security/win_security_iso_mount.yml +++ b/rules/windows/builtin/security/win_security_iso_mount.yml @@ -1,7 +1,7 @@ -title: ISO Image Mount +title: ISO Image Mounted id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073 status: test -description: Detects the mount of ISO images on an endpoint +description: Detects the mount of an ISO image on an endpoint references: - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages 
@@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image author: Syed Hasan (@syedhasan009) date: 2021/05/29 -modified: 2022/10/05 +modified: 2023/11/09 tags: - attack.initial_access - attack.t1566.001 @@ -23,9 +23,12 @@ detection: ObjectServer: 'Security' ObjectType: 'File' ObjectName|startswith: '\Device\CdRom' - filter: - ObjectName: '\Device\CdRom0\setup.exe' - condition: selection and not filter + filter_main_generic: + ObjectName: + - '\Device\CdRom0\autorun.ico' + - '\Device\CdRom0\setup.exe' + - '\Device\CdRom0\setup64.exe' + condition: selection and not 1 of filter_main_* falsepositives: - Software installation ISO files level: medium diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml index 0bf11257941..011535aa405 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml @@ -1,15 +1,15 @@ -title: Remote Thread Creation Via PowerShell In Rundll32 +title: Remote Thread Creation Via PowerShell In Potentially Suspicious Target id: 99b97608-3e21-4bfe-8217-2a127c396a0e related: - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 type: similar status: experimental -description: Detects the creation of a remote thread from a Powershell process in a rundll32 process +description: Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process references: - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html author: Florian Roth (Nextron Systems) date: 2018/06/25 -modified: 2023/03/28 +modified: 2023/11/10 tags: - attack.defense_evasion - attack.execution 
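Review bot: in the ISO mount hunk, `filter_main_generic` whitelists exact `\Device\CdRom0\...` object names while `selection` matches `ObjectName|startswith: '\Device\CdRom'`, so the same installer media mounted on a second virtual drive (`\Device\CdRom1\setup.exe`) still alerts and the filter is only partial. Either switch to `ObjectName|endswith` on `\autorun.ico`, `\setup.exe`, `\setup64.exe` (and note the wider exclusion in a comment) or say in `falsepositives` that only the first CD-ROM device is covered.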
@@ -23,8 +23,11 @@ detection: SourceImage|endswith: - '\powershell.exe' - '\pwsh.exe' - TargetImage|endswith: '\rundll32.exe' + TargetImage|endswith: + # Note: Please add additonal potential interesting targets to increase coverage + - '\rundll32.exe' + - '\regsvr32.exe' condition: selection falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml index 302977a20c4..983af1f6173 100644 --- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml +++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml @@ -4,7 +4,7 @@ status: test description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc). author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2020/05/26 -modified: 2023/10/18 +modified: 2023/11/10 tags: - attack.defense_evasion - attack.t1036.005 @@ -123,7 +123,8 @@ detection: TargetFilename|endswith: '\SecurityHealthSystray.exe' Image|endswith: '\SecurityHealthSetup.exe' filter_main_wuaucltcore: - Image|endswith: ':\Windows\uus\AMD64\wuaucltcore.exe' + Image|contains: ':\Windows\uus\' + Image|endswith: '\wuaucltcore.exe' TargetFilename|contains: ':\$WinREAgent\' condition: selection and not 1 of filter_main_* falsepositives: diff --git a/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml b/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml index a1a6777d29b..b46db700f3c 100644 --- a/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml +++ b/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml 
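Review bot: typo in the new comment under `TargetImage|endswith` in the remote-thread hunk: "additonal" should be "additional"; since the level is dropped to `medium` at the same time, the comment would also be a good place to say why (broader target list, more benign hits).

Review bot: in the `filter_main_wuaucltcore` hunk, replacing `Image|endswith: ':\Windows\uus\AMD64\wuaucltcore.exe'` with `Image|contains: ':\Windows\uus\'` plus `Image|endswith: '\wuaucltcore.exe'` admits any depth of subfolder between the two, not only the architecture folder; if that is intended, a one-line comment naming the folder variants that were observed would keep the next contributor from tightening it back.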
@@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html author: Roberto Rodriguez @Cyb3rWard0g date: 2019/08/10 -modified: 2023/08/08 +modified: 2023/11/07 tags: - attack.execution - attack.t1047 @@ -25,41 +25,15 @@ detection: - '\WMINet_Utils.dll' - '\wmiprov.dll' - '\wmiutils.dll' - filter_optional_generic: + filter_main_generic: Image|contains: - ':\Microsoft\Teams\current\Teams.exe' - ':\Microsoft\Teams\Update.exe' - ':\Windows\\explorer.exe' - ':\Windows\Sysmon.exe' - ':\Windows\Sysmon64.exe' - - ':\Windows\System32\CompatTelRunner.exe' - - ':\Windows\System32\DeviceCensus.exe' - - ':\Windows\System32\dfsrs.exe' - - ':\Windows\System32\dispdiag.exe' - - ':\Windows\System32\dxdiag.exe' - - ':\Windows\System32\gpresult.exe' - - ':\Windows\System32\logman.exe' - - ':\Windows\System32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least - - ':\Windows\System32\sdiagnhost.exe' - - ':\Windows\System32\SecurityHealthService.exe' - - ':\Windows\System32\ServerManager.exe' - - ':\Windows\System32\SIHClient.exe' - - ':\Windows\System32\svchost.exe' - - ':\Windows\System32\systeminfo.exe' - - ':\Windows\System32\taskhostw.exe' # c:\windows\system32\taskhostw.exe - - ':\Windows\System32\tasklist.exe' - - ':\Windows\System32\vds.exe' - - ':\Windows\System32\wbem\unsecapp.exe' - - ':\Windows\System32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 - - ':\Windows\System32\wbem\WmiApSrv.exe' - - ':\Windows\System32\wbem\WMIC.exe' - - ':\Windows\System32\wbem\WmiPrvSE.exe' - - ':\Windows\SysWOW64\explorer.exe' - - ':\Windows\SysWOW64\logman.exe' - - ':\Windows\SysWOW64\sdiagnhost.exe' - - ':\Windows\SysWOW64\svchost.exe' - - ':\Windows\SysWOW64\systeminfo.exe' - - ':\Windows\SysWOW64\wbem\WmiPrvSE.exe' + - ':\Windows\System32\' + - ':\Windows\SysWOW64\' filter_optional_other: Image|endswith: - '\WindowsAzureGuestAgent.exe' 
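Review bot: collapsing the per-binary list into `':\Windows\System32\'` and `':\Windows\SysWOW64\'` under `filter_main_generic` (now a mandatory exclusion, given the new `and not 1 of filter_main_*` condition) excludes every image under those trees, including the script hosts that live there (`System32\WindowsPowerShell\v1.0\powershell.exe`, `cscript.exe`, `wscript.exe`, `mshta.exe`, `cmd.exe`), which are exactly the "uncommon" loaders of `wmiprov.dll`/`wmiutils.dll` this rule exists to surface. Keep the explicit list for the known-noisy System32 binaries, or add a second clause that re-includes the script hosts. Minor: `modified: 2023/11/07` predates the other rules touched in this PR (2023/11/09, 2023/11/10).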
@@ -79,7 +53,7 @@ detection: Image|contains: - ':\Program Files\' - ':\Program Files (x86)\' - condition: selection and not 1 of filter_optional_* + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: low diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml index 4f6fa422e58..b853faf8e5b 100644 --- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml +++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20 author: frack113 date: 2023/01/07 -modified: 2023/01/25 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.t1562.002 
@@ -20,59 +20,58 @@ detection: CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+' CallTrace|contains: '|UNKNOWN(' CallTrace|endswith: ')' - filter_generic: + filter_main_generic: # To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights - - SourceImage|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - - TargetImage|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - filter_thor: - SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' - SourceImage|endswith: '\thor64.exe' - filter_githubdesktop: - SourceImage|startswith: 'C:\Users\' - SourceImage|contains: '\AppData\Local\GitHubDesktop\app-' + - SourceImage|contains: + - ':\Program Files\' + - ':\Program Files (x86)\' + - ':\Windows\System32\' + - ':\Windows\SysWOW64\' + - TargetImage|contains: + - ':\Program Files\' + - ':\Program Files (x86)\' + - ':\Windows\System32\' + - ':\Windows\SysWOW64\' + filter_optional_thor: + SourceImage|endswith: + - '\thor.exe' + - '\thor64.exe' + filter_optional_githubdesktop: + SourceImage|contains|all: + - ':\Users\' + - '\AppData\Local\GitHubDesktop\app-' SourceImage|endswith: - '\GitHubDesktop.exe' - '\resources\app\git\usr\bin\sh.exe' - TargetImage|startswith: 'C:\Users\' - TargetImage|contains: '\AppData\Local\GitHubDesktop\app-' - filter_dotnet: - SourceImage|startswith: - - 'C:\Windows\Microsoft.NET\Framework\v' - - 'C:\Windows\Microsoft.NET\Framework64\v' + TargetImage|contains|all: + - ':\Users\' + - '\AppData\Local\GitHubDesktop\app-' + filter_main_dotnet: + SourceImage|contains: + - ':\Windows\Microsoft.NET\Framework\v' + - ':\Windows\Microsoft.NET\Framework64\v' SourceImage|endswith: '\NGenTask.exe' - TargetImage|startswith: - - 'C:\Windows\Microsoft.NET\Framework\v' - - 'C:\Windows\Microsoft.NET\Framework64\v' - filter_taskhost: - 
SourceImage: - - 'C:\WINDOWS\system32\taskhostw.exe' - - 'C:\Windows\system32\taskhost.exe' - TargetImage|startswith: - - 'C:\Windows\Microsoft.NET\Framework\v' - - 'C:\Windows\Microsoft.NET\Framework64\v' + TargetImage|contains: + - ':\Windows\Microsoft.NET\Framework\v' + - ':\Windows\Microsoft.NET\Framework64\v' + filter_main_taskhost: + SourceImage|contains: + - ':\WINDOWS\system32\taskhostw.exe' + - ':\Windows\system32\taskhost.exe' + TargetImage|contains: + - ':\Windows\Microsoft.NET\Framework\v' + - ':\Windows\Microsoft.NET\Framework64\v' TargetImage|endswith: '\NGenTask.exe' - filter_teams_to_update: - SourceImage|startswith: 'C:\Users\' + filter_optional_teams_to_update: SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe' - TargetImage|startswith: 'C:\Users\' TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' - filter_teams_update_regsvr32: - SourceImage|startswith: 'C:\Users\' + filter_optional_teams_update_regsvr32: SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' - TargetImage: 'C:\WINDOWS\SysWOW64\regsvr32.exe' - filter_teams_update_to_teams: - SourceImage|startswith: 'C:\Users\' + TargetImage|endswith: ':\WINDOWS\SysWOW64\regsvr32.exe' + filter_optional_teams_update_to_teams: SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml index 71541371864..1dbc87389db 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml 
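Review bot: `filter_optional_thor` dropped the `SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'` path constraint, so any source process whose image name ends in `\thor.exe` or `\thor64.exe` is now excluded regardless of where it runs from; that is acceptable only because the filter is marked `optional`, and a comment stating that deployments without THOR should drop it would make the intent clear. Also, the `filter_main_generic` comment is a sentence fragment ("This filter assumes that if an application is located here. The attacker has already achieved admin rights"); join the two sentences while the block is being rewritten.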
@@ -8,6 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/08/06 +modified: 2023/11/10 tags: - attack.impact - attack.t1486 @@ -23,8 +24,9 @@ detection: - Description: 'GnuPG’s OpenPGP tool' filter_main_legit_location: Image|contains: - - ':\Program Files (x86)\GnuPG\bin\' - ':\Program Files (x86)\GNU\GnuPG\bin\' + - ':\Program Files (x86)\GnuPG VS-Desktop\' + - ':\Program Files (x86)\GnuPG\bin\' - ':\Program Files (x86)\Gpg4win\bin\' condition: selection and not 1 of filter_main_* -level: high +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 70dff26fadf..5130e4700d3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -18,7 +18,7 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 -modified: 2023/01/25 +modified: 2023/11/10 tags: - attack.defense_evasion - attack.t1218.011 
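Review bot: the new `':\Program Files (x86)\GnuPG VS-Desktop\'` entry in `filter_main_legit_location` lacks the `\bin\` suffix the other three entries carry, so it excludes a gpg.exe anywhere under that tree rather than only the installed binary folder. If the VS-Desktop package places gpg.exe in a different subfolder, add that subfolder explicitly instead of the parent directory.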
@@ -26,30 +26,27 @@ logsource: category: process_creation product: windows detection: - selection1: + selection_werfault: Image|endswith: '\WerFault.exe' CommandLine|endswith: 'WerFault.exe' - selection2: + selection_rundll32: Image|endswith: '\rundll32.exe' CommandLine|endswith: 'rundll32.exe' - selection3: + selection_regsvcs: Image|endswith: '\regsvcs.exe' CommandLine|endswith: 'regsvcs.exe' - selection4: + selection_regasm: Image|endswith: '\regasm.exe' CommandLine|endswith: 'regasm.exe' - selection5: + selection_regsvr32: Image|endswith: '\regsvr32.exe' CommandLine|endswith: 'regsvr32.exe' - filter_edge_update: - ParentImage|startswith: 'C:\Users\' - ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{' + filter_main_edge_update: + ParentImage|contains|all: + - ':\Users\' + - '\AppData\Local\Microsoft\EdgeUpdate\Install\{' ParentImage|endswith: '\setup.exe' - ParentCommandLine|contains: '\setup.exe" --install-archive="C:\Users\' - condition: 1 of selection* and not 1 of filter* -fields: - - ParentImage - - ParentCommandLine + condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml index d6b55155caa..7161f207d57 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml @@ -8,6 +8,7 @@ references: - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2023/02/28 +modified: 2023/11/10 tags: - attack.discovery - attack.t1033 @@ -26,9 +27,7 @@ detection: - ' /FO CSV' - ' -FO CSV' selection_special: - CommandLine|contains|all: - - 'whoami' - - '>' + CommandLine|contains: 'whoami*>' condition: all of selection_main_* or selection_special falsepositives: - Unknown 
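Review bot: `filter_main_edge_update` no longer constrains `ParentCommandLine` (the `--install-archive="C:\Users\` check was removed), so the exclusion now rests solely on the parent living under `\AppData\Local\Microsoft\EdgeUpdate\Install\{` and being named `setup.exe`, which is a user-writable location; since this is a `filter_main_`, add a comment explaining why the command-line check was dropped, or keep a looser `ParentCommandLine|contains: '--install-archive='` clause.

Review bot: in the whoami hunk, `CommandLine|contains: 'whoami*>'` relies on an unescaped `*` acting as a wildcard inside a `contains` value; that is valid Sigma syntax and does enforce the order the commit message asks for, but a short comment would stop a later contributor from escaping it, and `modified` should be bumped on the same change (it is, at 2023/11/10).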
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml index f4f43b1742f..d65e301e7bd 100644 --- a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml @@ -16,7 +16,7 @@ references: - https://twitter.com/ForensicITGuy/status/1334734244120309760 author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) date: 2021/08/23 -modified: 2023/03/23 +modified: 2023/11/10 tags: - attack.execution - attack.defense_evasion @@ -51,11 +51,14 @@ detection: - 'regsvr32' - 'rundll32' - 'wscript' - filter_werfault: + filter_main_werfault: Image|endswith: '\WerFault.exe' - filter_wmiprvse: + filter_main_wmiprvse: Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself - condition: selection_parent and 1 of selection_children_* and not 1 of filter_* + filter_main_msiexec: + Image|endswith: '\msiexec.exe' + CommandLine|contains: '/i ' + condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_* falsepositives: - Unknown level: high From e7d2bba8a298c78ed3d378fad2d07cfc1a07ea24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zach=20Mathis=20=28=E7=94=B0=E4=B8=AD=E3=82=B6=E3=83=83?= =?UTF-8?q?=E3=82=AF=29?= <71482215+YamatoSecurity@users.noreply.github.com> Date: Sat, 11 Nov 2023 10:16:51 -0800 Subject: [PATCH 07/28] Merge PR #4563 from @YamatoSecurity - Remove erroneous extra asterisk fix: Suspicious Process By Web Server Process - Remove erroneous extra asterisk --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- ...ation_win_webshell_susp_process_spawned_from_webserver.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
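Review bot: `filter_main_msiexec` excludes every `msiexec.exe` child of WmiPrvSE whose command line contains `/i `, and package installation driven through WMI is itself a documented remote execution path, so a `high` level rule silently loses that coverage. Consider making it `filter_optional_msiexec`, or narrowing it (for example on the package path), and record in `falsepositives` that WMI-driven MSI installs are filtered. The filter is also only partial as written: msiexec accepts `-i` and `/package` as equivalents of `/i`.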
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml index d772f5324f8..d0822cbd413 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml @@ -7,7 +7,7 @@ references: - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 -modified: 2023/11/09 +modified: 2023/11/11 tags: - attack.persistence - attack.t1505.003 @@ -81,7 +81,7 @@ detection: CommandLine|contains|all: - 'sc query' - 'ADManager Plus' - condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_** + condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_* falsepositives: - Particular web applications may spawn a shell process legitimately level: high From 099d435adc688e568ddad9297ae3548de119ebca Mon Sep 17 00:00:00 2001 From: Luca <150611686+CrimpSec@users.noreply.github.com> Date: Mon, 13 Nov 2023 05:43:55 -0500 Subject: [PATCH 08/28] Merge PR #4565 from @CrimpSec - Add UA related to PlugX backdoor update: APT User Agent - adding user agent associated with PlugX backdoor. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- rules/web/proxy_generic/proxy_ua_apt.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/web/proxy_generic/proxy_ua_apt.yml b/rules/web/proxy_generic/proxy_ua_apt.yml index eb6a9272b3f..23b44486058 100644 --- a/rules/web/proxy_generic/proxy_ua_apt.yml +++ b/rules/web/proxy_generic/proxy_ua_apt.yml 
@@ -6,7 +6,7 @@ references: - Internal Research author: Florian Roth (Nextron Systems), Markus Neis date: 2019/11/12 -modified: 2022/10/10 +modified: 2022/11/13 tags: - attack.command_and_control - attack.t1071.001 @@ -57,6 +57,7 @@ detection: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ + - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/ condition: selection fields: - ClientIP From 3c9e65b24bb415b70f1f92a492afef07a6ce7ebb Mon Sep 17 00:00:00 2001 From: AaronS97 <78826787+AaronS97@users.noreply.github.com> Date: Tue, 14 Nov 2023 02:32:29 -0600 Subject: [PATCH 09/28] Merge PR #4534 from @AaronS97 - Possible Excel DCOM Lateral Movement new: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...win_office_excel_dcom_lateral_movement.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml 
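Review bot: `modified: 2022/11/13` looks like a year typo; the previous value was 2022/10/10 and the commit is dated 13 Nov 2023, so it should read `2023/11/13`. In the unchanged context above, the comment "LitePower stager used by WRITE" should say "WIRTE", matching the actor name in the linked securelist URL.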
diff --git a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml new file mode 100644 index 00000000000..a6b29db2175 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml @@ -0,0 +1,33 @@ +title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp +id: 551d9c1f-816c-445b-a7a6-7a3864720d60 +status: experimental +description: | + Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. +references: + - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922 + - https://github.com/grayhatkiller/SharpExShell + - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication +author: Aaron Stratton +date: 2023/11/13 +tags: + - attack.t1021.003 + - attack.lateral_movement +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: '\excel.exe' + selection_child: + - OriginalFileName: + - 'foxprow.exe' + - 'schdplus.exe' + - 'winproj.exe' + - Image|endswith: + - '\foxprow.exe' + - '\schdplus.exe' + - '\winproj.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high From f5553c037af898a03f135fe7577cf13a9173ef70 Mon Sep 17 00:00:00 2001 
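Review bot: `falsepositives: - Unknown` undersells the obvious one for this new rule: a process_creation event carries nothing that shows the `ActivateMicrosoftApp` call arrived over DCOM, so a local macro or interactive Excel session launching the same applications produces an identical `excel.exe` → `foxprow.exe`/`schdplus.exe`/`winproj.exe` tree. Document that, and mention in the description that correlating with a network logon on the host is needed to confirm lateral movement. The `selection_child` OR-list over `OriginalFileName` and `Image|endswith` with `condition: all of selection_*` is correct.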
From: Thurein Oo <47708575+ThureinOo@users.noreply.github.com> Date: Tue, 14 Nov 2023 15:11:49 +0630 Subject: [PATCH 10/28] Merge PR #4552 from @ThureinOo - Add Detection of CVE-2023-46747 Remote Code Execution new: CVE-2023-46747 Exploitation Activity - Proxy new: CVE-2023-46747 Exploitation Activity - Webserver new: F5 BIG-IP iControl Rest API Command Execution - Proxy new: F5 BIG-IP iControl Rest API Command Execution - Webserver --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../web_cve_2019_3398_confluence.yml | 3 -- ..._2021_21972_vsphere_unauth_rce_exploit.yml | 3 -- ...2021_21978_vmware_view_planner_exploit.yml | 3 -- ..._cve_2021_26084_confluence_rce_exploit.yml | 3 +- .../web_cve_2021_26858_iis_rce.yml | 1 + .../web_cve_2021_28480_exchange_exploit.yml | 4 +- ...b_cve_2021_33766_msexchange_proxytoken.yml | 9 ++--- .../web_exchange_exploitation_hafnium.yml | 14 +++---- .../web_cve_2022_21587_oracle_ebs.yml | 2 - .../web_cve_2022_27925_exploit.yml | 2 +- .../web_exchange_owassrf_exploitation.yml | 4 +- ...ve_2023_46747_f5_remote_code_execution.yml | 38 +++++++++++++++++++ ...ve_2023_46747_f5_remote_code_execution.yml | 38 +++++++++++++++++++ .../web/proxy_generic/proxy_cobalt_amazon.yml | 6 +-- .../proxy_empire_ua_uri_combos.yml | 3 -- .../proxy_exchange_owassrf_exploitation.yml | 4 +- .../proxy_f5_tm_utility_bash_api_request.yml | 26 +++++++++++++ .../web_f5_tm_utility_bash_api_request.yml | 26 +++++++++++++ 18 files changed, 151 insertions(+), 38 deletions(-) create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml create mode 100644 rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml create mode 100644 rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml 
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml index 7fc9192b4ad..7210477bd9e 100644 --- a/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml +++ b/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml @@ -21,9 +21,6 @@ detection: - '/upload.action' - 'filename=../../../../' condition: selection -fields: - - c-ip - - c-dns falsepositives: - Unknown level: critical diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml index 25913ffb6b0..2d26b9c5223 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml @@ -21,9 +21,6 @@ detection: cs-method: 'POST' cs-uri-query: '/ui/vropspluginui/rest/services/uploadova' condition: selection -fields: - - c-ip - - c-dns falsepositives: - OVA uploads to your VSphere appliance level: high diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml index e37fe0eb50a..b98bf2ccb91 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml @@ -23,9 +23,6 @@ detection: - 'logMetaData' - 'wsgi_log_upload.py' condition: selection -fields: - - c-ip - - c-dns falsepositives: - Unknown level: high 
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml index b9d335b7a98..e639c9595e0 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml @@ -1,7 +1,7 @@ title: Potential CVE-2021-26084 Exploitation Attempt id: 38825179-3c78-4fed-b222-2e2166b926b1 -description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection status: experimental +description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection references: - https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md @@ -17,6 +17,7 @@ tags: - detection.emerging_threats logsource: category: webserver + definition: 'Requirements: The POST request body data must be collected in order to make use of certain parts of this detection' detection: selection_main: cs-method: 'POST' diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml index d94bfd9a4c7..d71abd00859 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml @@ -14,6 +14,7 @@ tags: - attack.t1190 logsource: category: webserver + definition: 'Requirements: The POST request body data must be collected in order to make use of this detection' detection: selection: cs-method: 'POST' 
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml index 36408f1c62a..f0fa5faaf8b 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml @@ -18,9 +18,9 @@ detection: selection: cs-uri-query|contains: '/owa/calendar/a' cs-method: 'POST' - filter: + filter_main_status: sc-status: 503 - condition: selection and not filter + condition: selection and not 1 of filter_* falsepositives: - Unknown level: critical diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml index 65d9e2c0488..9412e771010 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml @@ -15,21 +15,18 @@ tags: logsource: category: webserver detection: - selection1: + selection_1: cs-method: 'POST' cs-uri-query|contains|all: - '/ecp/' - '/RulesEditor/InboxRules.svc/NewObject' sc-status: 500 - selection2: + selection_2: cs-uri-query|contains|all: - 'SecurityToken=' - '/ecp/' sc-status: 500 - condition: selection1 or selection2 -fields: - - c-ip - - c-dns + condition: 1 of selection_* falsepositives: - Unknown level: critical diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml index b4ce41003c3..b5bd44e997d 100644 --- a/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml +++ b/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml 
@@ -15,10 +15,10 @@ tags: logsource: category: webserver detection: - selection1: + selection_1: cs-method: 'POST' cs-uri-query|contains: '/owa/auth/Current/themes/resources/' - selection2: + selection_2: cs-method: 'POST' cs-uri-query|contains: '/owa/auth/Current/' cs-user-agent: @@ -31,14 +31,14 @@ detection: - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)' - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)' - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36' - selection3: + selection_3: cs-uri-query|contains: '/ecp/' cs-method: 'POST' cs-user-agent: - 'ExchangeServicesClient/0.0.0.0' - 'python-requests/2.19.1' - 'python-requests/2.25.1' - selection4: + selection_4: cs-uri-query|contains: - '/aspnet_client/' - '/owa/' @@ -47,18 +47,18 @@ detection: - 'antSword/v2.1' - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)' - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)' - selection5: + selection_5: cs-uri-query|contains: - '/owa/auth/Current/' - '/ecp/default.flt' - '/ecp/main.css' cs-method: 'POST' - selection6: + selection_6: cs-method: 'POST' cs-uri-query|contains|all: - '/ecp/' - '.js' - condition: 1 of selection* + condition: 1 of selection_* falsepositives: - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related level: high diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml index 82e3f69c27f..c612ec07464 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml 
@@ -25,8 +25,6 @@ detection: - '/OA_HTML/BneDownloadService?bne:uueupload=TRUE' - '/OA_HTML/BneOfflineLOVService?bne:uueupload=TRUE' condition: selection -fields: - - src_ip falsepositives: - Vulnerability Scanners level: high diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml index 49746fb1130..8902fad19a0 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml @@ -32,7 +32,7 @@ detection: cs-uri-query|contains: '/zimbraAdmin/' cs-uri-query|endswith: '.jsp' sc-status|contains: '200' - condition: selection_servlet or selection_shell + condition: 1 of selection_* falsepositives: - Unknown level: medium diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml index 9b05e9bf3a9..89ef59b0358 100644 --- a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml +++ b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml @@ -24,12 +24,12 @@ detection: cs-uri-query|contains: - '@' - '%40' - filter: + filter_main_ua: cs-user-agent: - 'ClientInfo' - 'Microsoft WinRM Client' - 'Exchange BackEnd Probes' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Web vulnerability scanners level: high diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml new file mode 100644 index 00000000000..2f0091f14c7 --- /dev/null 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml @@ -0,0 +1,38 @@ +title: CVE-2023-46747 Exploitation Activity - Proxy +id: f195b2ff-e542-41bf-8d91-864fb81e5c20 +related: + - id: e9928831-ba14-42ea-a4bc-33d352b9929a + type: similar +status: experimental +description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP. +references: + - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main + - https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml + - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg + - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/08 +tags: + - attack.initial_access + - attack.t1190 + - detection.emerging_threats + - cve.2023.46747 +logsource: + category: proxy + definition: 'Requirements: The POST request body data must be collected in order to make use of this detection' +detection: + selection: + cs-method: 'POST' + c-uri|contains: '/mgmt/tm/util/bash' + keywords_hex: + '|all': + - '2f746d75692f436f6e74726f6c2f666f726d' # /tmui/Control/form + - '666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370' # form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp + keywords_plain: + '|all': + - '/tmui/Control/form' + - 'form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp' + condition: selection and (keywords_hex or keywords_plain) +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml new file mode 100644 index 00000000000..e839e5e08dd --- /dev/null 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml @@ -0,0 +1,38 @@ +title: CVE-2023-46747 Exploitation Activity - Webserver +id: e9928831-ba14-42ea-a4bc-33d352b9929a +related: + - id: f195b2ff-e542-41bf-8d91-864fb81e5c20 + type: similar +status: experimental +description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP. +references: + - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main + - https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml + - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg + - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/08 +tags: + - attack.initial_access + - attack.t1190 + - detection.emerging_threats + - cve.2023.46747 +logsource: + category: webserver + definition: 'Requirements: The POST request body data must be collected in order to make use of this detection' +detection: + selection: + cs-method: 'POST' + cs-uri-stem|contains: '/mgmt/tm/util/bash' + keywords_hex: + '|all': + - '2f746d75692f436f6e74726f6c2f666f726d' # /tmui/Control/form + - '666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370' # form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp + keywords_plain: + '|all': + - '/tmui/Control/form' + - 'form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp' + condition: selection and (keywords_hex or keywords_plain) +falsepositives: + - Unlikely +level: high diff --git a/rules/web/proxy_generic/proxy_cobalt_amazon.yml b/rules/web/proxy_generic/proxy_cobalt_amazon.yml index c1c6835b370..419dc177f43 100644 --- a/rules/web/proxy_generic/proxy_cobalt_amazon.yml +++ b/rules/web/proxy_generic/proxy_cobalt_amazon.yml 
@@ -15,18 +15,18 @@ tags: logsource: category: proxy detection: - selection1: + selection_1: c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' cs-method: 'GET' c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' cs-host: 'www.amazon.com' cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' - selection2: + selection_2: c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' cs-method: 'POST' c-uri: '/N4215/adj/amzn.us.sr.aps' cs-host: 'www.amazon.com' - condition: 1 of selection* + condition: 1 of selection_* falsepositives: - Unknown level: high diff --git a/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml b/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml index c2cb077e088..0bdd09f1a79 100644 --- a/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml +++ b/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml @@ -22,9 +22,6 @@ detection: - '/login/process.php' cs-method: 'POST' condition: selection -fields: - - c-uri - - c-ip falsepositives: - Valid requests with this exact user agent to server scripts of the defined names level: high diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml index fca3b416ad1..93a744cd75d 100644 --- a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml +++ b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml @@ -22,12 +22,12 @@ detection: c-uri|contains: - '@' - '%40' - filter: + filter_main_ua: c-useragent: - 'ClientInfo' - 'Microsoft WinRM Client' - 'Exchange BackEnd Probes' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Web vulnerability scanners level: high diff --git a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml new file mode 100644 index 00000000000..ade684022fd 
--- /dev/null +++ b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml @@ -0,0 +1,26 @@ +title: F5 BIG-IP iControl Rest API Command Execution - Proxy +id: b59c98c6-95e8-4d65-93ee-f594dfb96b17 +related: + - id: 85254a62-22be-4239-b79c-2ec17e566c37 + type: similar +status: experimental +description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP +references: + - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash + - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 + - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 +author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo +date: 2023/11/08 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: proxy +detection: + selection: + cs-method: 'POST' + c-uri|endswith: '/mgmt/tm/util/bash' + condition: selection +falsepositives: + - Legitimate usage of the BIG IP REST API to execute command for administration purposes +level: medium diff --git a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml new file mode 100644 index 00000000000..17e3291c6d0 --- /dev/null +++ b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml 
@@ -0,0 +1,26 @@ +title: F5 BIG-IP iControl Rest API Command Execution - Webserver +id: 85254a62-22be-4239-b79c-2ec17e566c37 +related: + - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17 + type: similar +status: experimental +description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP +references: + - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash + - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 + - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 +author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo +date: 2023/11/08 +tags: + - attack.execution + - attack.t1190 +logsource: + category: webserver +detection: + selection: + cs-method: 'POST' + cs-uri-query|endswith: '/mgmt/tm/util/bash' + condition: selection +falsepositives: + - Legitimate usage of the BIG IP REST API to execute command for administration purposes +level: medium From fc716d14f6a42a258d732b0c6642b4e5d82f0c1b Mon Sep 17 00:00:00 2001 
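Review bot: in the web_cve_2021_26084_confluence_rce_exploit.yml hunk the moved description line still carries a typo in the CVE id, "CVE-2021-260841" (extra trailing digit; the title says CVE-2021-26084), and is missing the comma after the id. Since the reorder already touches that line, fix it in the same change: `description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection`.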
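Review bot: the web_cve_2021_28480_exchange_exploit.yml hunk renames the filter to `filter_main_status` but writes the condition as `selection and not 1 of filter_*`, while the two OWASSRF hunks in this same patch use `not 1 of filter_main_*`. Using the wildcard `filter_*` means any `filter_optional_*` added later is excluded unconditionally; `condition: selection and not 1 of filter_main_*` keeps the main/optional distinction and matches the rest of the patch.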
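Review bot: the new web_cve_2023_46747_f5_remote_code_execution.yml matches the endpoint with `cs-uri-stem|contains: '/mgmt/tm/util/bash'`, whereas the new web_f5_tm_utility_bash_api_request.yml uses `cs-uri-query|endswith` for the very same path and every other webserver rule touched in this patch uses `cs-uri-query`. Two rules for the same endpoint in the same logsource should agree on the field, otherwise one of them maps to nothing on backends that only populate one of the two. The description also needs a comma: "Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP."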
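Review bot: in proxy_f5_tm_utility_bash_api_request.yml the selection uses `c-uri|endswith: '/mgmt/tm/util/bash'` while the CVE rule in this patch uses `c-uri|contains` for the same endpoint. With `endswith`, a request whose logged `c-uri` includes a trailing slash or a query string is not matched at all, so the generic rule ends up narrower than the exploit-specific one; either switch to `|contains` or state in the description why the stricter form is intended. Also a grammar fix in the false positive entry: "to execute commands for administration purposes".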
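Review bot: web_f5_tm_utility_bash_api_request.yml is declared `related ... type: similar` to the proxy rule, yet the two carry different tactic tags (`attack.execution` here, `attack.initial_access` in the proxy version) for identical detection logic. Pick one tag set and apply it to both; if the intent is command execution through an authenticated management API, `attack.execution` is the better fit for both files. The same "execute command" wording in falsepositives should read "execute commands".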
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Tue, 14 Nov 2023 14:31:39 +0545 Subject: [PATCH 11/28] Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules new: Arbitrary File Download Via IMEWDBLD.EXE new: Arbitrary File Download Via MSEDGE_PROXY.EXE new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e" new: Msxsl.EXE Execution new: Potential File Download Via MS-AppInstaller Protocol Handler new: Remote XSL Execution Via Msxsl.EXE update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title update: Arbitrary File Download Via MSOHTMED.EXE - Update title update: Arbitrary File Download Via PresentationHost.EXE - Update title update: File Download And Execution Via IEExec.EXE - Update title and description update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and increasing coverage by adding new extensions to the list update: File Download Using ProtocolHandler.exe - Update logic by removing the unnecessary "selection_cli_1" update: File Download Via InstallUtil.EXE - Update title and description update: File Download Via Windows Defender MpCmdRun.EXE - Update metadata information and add additional fields to the image selection update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c" update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increases coverage of other partitions update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enhance false positives filters update: XBAP Execution From Uncommon Locations Via 
PresentationHost.EXE - Update title and description update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved to a separate rule "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0" --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...ler.yml => dns_query_win_appinstaller.yml} | 10 +++-- .../net_connection_win_imewdbld.yml | 11 +++-- ...tion_win_appvlp_uncommon_child_process.yml | 43 ++++++++++++++++++ ...tion_win_browsers_inline_file_download.yml | 12 ++--- ... proc_creation_win_calc_uncommon_exec.yml} | 17 +++---- ... => proc_creation_win_ieexec_download.yml} | 13 +++--- .../proc_creation_win_imewbdld_download.yml | 32 ++++++++++++++ ...roc_creation_win_installutil_download.yml} | 8 ++-- .../proc_creation_win_lolbin_appvlp.yml | 33 -------------- ..._win_mpcmdrun_download_arbitrary_file.yml} | 15 ++++--- ...roc_creation_win_msedge_proxy_download.yml | 27 ++++++++++++ ...> proc_creation_win_msohtmed_download.yml} | 7 +-- ...l => proc_creation_win_mspub_download.yml} | 4 +- .../proc_creation_win_msxsl_execution.yml | 26 +++++++++++ ...oc_creation_win_msxsl_remote_execution.yml | 23 ++++++++++ ...reation_win_presentationhost_download.yml} | 5 ++- ...esentationhost_uncommon_location_exec.yml} | 14 +++--- ...creation_win_protocolhandler_download.yml} | 18 ++++---- .../proc_creation_win_squirrel_download.yml | 40 +++++++++++++++++ ...creation_win_squirrel_proxy_execution.yml} | 36 +++++++-------- ...tion_win_susp_electron_exeuction_proxy.yml | 44 +++++++++++++------ ...tion_win_susp_ms_appinstaller_download.yml | 29 ++++++++++++ ...reation_win_wmic_xsl_script_processing.yml | 18 ++++---- 23 files changed, 352 insertions(+), 133 deletions(-) rename rules/windows/dns_query/{dns_query_win_lolbin_appinstaller.yml => dns_query_win_appinstaller.yml} (61%) create mode 100644 
rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml rename rules/windows/process_creation/{proc_creation_win_susp_calc.yml => proc_creation_win_calc_uncommon_exec.yml} (53%) rename rules/windows/process_creation/{proc_creation_win_lolbin_ieexec_download.yml => proc_creation_win_ieexec_download.yml} (78%) create mode 100644 rules/windows/process_creation/proc_creation_win_imewbdld_download.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_installutil_download.yml => proc_creation_win_installutil_download.yml} (72%) delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_susp_mpcmdrun_download.yml => proc_creation_win_mpcmdrun_download_arbitrary_file.yml} (69%) create mode 100644 rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_msohtmed_download.yml => proc_creation_win_msohtmed_download.yml} (86%) rename rules/windows/process_creation/{proc_creation_win_lolbin_mspub_download.yml => proc_creation_win_mspub_download.yml} (95%) create mode 100644 rules/windows/process_creation/proc_creation_win_msxsl_execution.yml create mode 100644 rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_presentationhost_download.yml => proc_creation_win_presentationhost_download.yml} (87%) rename rules/windows/process_creation/{proc_creation_win_lolbin_presentationhost.yml => proc_creation_win_presentationhost_uncommon_location_exec.yml} (61%) rename rules/windows/process_creation/{proc_creation_win_lolbin_protocolhandler_download.yml => proc_creation_win_protocolhandler_download.yml} (59%) create mode 100644 rules/windows/process_creation/proc_creation_win_squirrel_download.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_squirrel.yml => 
proc_creation_win_squirrel_proxy_execution.yml} (67%) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml diff --git a/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml b/rules/windows/dns_query/dns_query_win_appinstaller.yml similarity index 61% rename from rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml rename to rules/windows/dns_query/dns_query_win_appinstaller.yml index 6bd3dfe0faf..013d7b7e590 100644 --- a/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml +++ b/rules/windows/dns_query/dns_query_win_appinstaller.yml @@ -1,13 +1,17 @@ -title: AppX Package Installation Attempts Via AppInstaller +title: AppX Package Installation Attempts Via AppInstaller.EXE id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a +related: + - id: 180c7c5c-d64b-4a63-86e9-68910451bc8b + type: derived status: test -description: AppInstaller.exe is spawned by the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL +description: | + Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL references: - https://twitter.com/notwhickey/status/1333900137232523264 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ author: frack113 date: 2021/11/24 -modified: 2023/01/12 +modified: 2023/11/09 tags: - attack.command_and_control - attack.t1105 diff --git a/rules/windows/network_connection/net_connection_win_imewdbld.yml b/rules/windows/network_connection/net_connection_win_imewdbld.yml index 0aff7e5523e..d100266d32b 100644 --- a/rules/windows/network_connection/net_connection_win_imewdbld.yml +++ b/rules/windows/network_connection/net_connection_win_imewdbld.yml 
@@ -1,12 +1,16 @@ -title: Download a File with IMEWDBLD.exe +title: Network Connection Initiated By IMEWDBLD.EXE id: 8d7e392e-9b28-49e1-831d-5949c6281228 +related: + - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af + type: derived status: test -description: Use IMEWDBLD.exe (built-in to windows) to download a file +description: Detects network connections initiated by IMEWDBLD. This might indicate potential abuse to download arbitrary files via this utility references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ author: frack113 date: 2022/01/22 +modified: 2023/11/09 tags: - attack.command_and_control - attack.t1105 @@ -19,5 +23,6 @@ detection: Image|endswith: '\IMEWDBLD.exe' condition: selection falsepositives: - - Legitimate script + - Unknown +# Note: Please reduce this to medium if you find legitimate connections level: high diff --git a/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml new file mode 100644 index 00000000000..51575fa0633 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml 
@@ -0,0 +1,43 @@ +title: Uncommon Child Process Of Appvlp.EXE +id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 +status: test +description: | + Detects uncommon child processes of Appvlp.EXE + Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. + Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder + or to mark a file as a system file. +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/ +author: Sreeman +date: 2020/03/13 +modified: 2023/11/09 +tags: + - attack.t1218 + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\appvlp.exe' + # Note: Filters based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/ + filter_main_generic: + Image|endswith: + - ':\Windows\SysWOW64\rundll32.exe' + - ':\Windows\System32\rundll32.exe' + filter_optional_office_msoasb: + Image|contains: ':\Program Files\Microsoft Office' + Image|endswith: '\msoasb.exe' + filter_optional_office_skype: + Image|contains|all: + - ':\Program Files\Microsoft Office' + - '\SkypeSrv\' + Image|endswith: '\SKYPESERVER.EXE' + filter_optional_office_msouc: + Image|contains: ':\Program Files\Microsoft Office' + Image|endswith: '\MSOUC.EXE' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml index 51ce924610b..a2c0f412229 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml 
@@ -1,4 +1,4 @@ -title: File Download From Browser Process Via Inline Link +title: File Download From Browser Process Via Inline URL id: 94771a71-ba41-4b6e-a757-b531372eaab6 status: test description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state. @@ -7,7 +7,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Msedge/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022/01/11 -modified: 2023/04/06 +modified: 2023/11/09 tags: - attack.command_and_control - attack.t1105 @@ -23,14 +23,16 @@ detection: - '\opera.exe' - '\vivaldi.exe' selection_http: - CommandLine|contains: ' http' - selection_ext: - CommandLine|contains: + CommandLine|contains: 'http' + selection_extensions: + CommandLine|endswith: + - '.7z' - '.dat' - '.dll' - '.exe' - '.hta' - '.ps1' + - '.psm1' - '.txt' - '.vbe' - '.vbs' diff --git a/rules/windows/process_creation/proc_creation_win_susp_calc.yml b/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml similarity index 53% rename from rules/windows/process_creation/proc_creation_win_susp_calc.yml rename to rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml index 0745eca5cf7..d0be2aabea7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_calc.yml +++ b/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml 
@@ -1,12 +1,13 @@ title: Suspicious Calculator Usage id: 737e618a-a410-49b5-bec3-9e55ff7fbc15 status: test -description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion +description: | + Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion. references: - https://twitter.com/ItsReallyNick/status/1094080242686312448 author: Florian Roth (Nextron Systems) date: 2019/02/09 -modified: 2022/11/07 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.t1036 @@ -18,12 +19,12 @@ detection: CommandLine|contains: '\calc.exe ' selection_2: Image|endswith: '\calc.exe' - filter_2: - Image|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - - 'C:\Windows\WinSxS\' - condition: selection_1 or ( selection_2 and not filter_2 ) + filter_main_known_locations: + Image|contains: + - ':\Windows\System32\' + - ':\Windows\SysWOW64\' + - ':\Windows\WinSxS\' + condition: selection_1 or ( selection_2 and not filter_main_known_locations ) falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml b/rules/windows/process_creation/proc_creation_win_ieexec_download.yml similarity index 78% rename from rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml rename to rules/windows/process_creation/proc_creation_win_ieexec_download.yml index 03e9a3807ea..0aa8f9912e9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml +++ b/rules/windows/process_creation/proc_creation_win_ieexec_download.yml 
@@ -1,11 +1,12 @@ -title: Abusing IEExec To Download Payloads +title: File Download And Execution Via IEExec.EXE id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad status: test -description: Detects execution of the IEExec utility to download payloads +description: Detects execution of the IEExec utility to download and execute files references: - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/05/16 +modified: 2023/11/09 tags: - attack.command_and_control - attack.t1105 @@ -13,14 +14,14 @@ logsource: category: process_creation product: windows detection: - lolbas: + selection_img: - Image|endswith: '\IEExec.exe' - OriginalFileName: 'IEExec.exe' - remote: + selection_cli: CommandLine|contains: - - 'https://' - 'http://' - condition: lolbas and remote + - 'https://' + condition: all of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml new file mode 100644 index 00000000000..b1865c6cb8b --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml 
@@ -0,0 +1,32 @@ +title: Arbitrary File Download Via IMEWDBLD.EXE +id: 863218bd-c7d0-4c52-80cd-0a96c09f54af +related: + - id: 8d7e392e-9b28-49e1-831d-5949c6281228 + type: derived +status: experimental +description: Detects usage of "IMEWDBLD.exe" to download arbitrary files +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download + - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ +author: Swachchhanda Shrawan Poudel +date: 2023/11/09 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\IMEWDBLD.exe' + - OriginalFileName: 'imewdbld.exe' + selection_cli: + CommandLine|contains: + - 'http://' + - 'https://' + condition: all of selection_* +falsepositives: + - Unknown +# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL +level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml b/rules/windows/process_creation/proc_creation_win_installutil_download.yml similarity index 72% rename from rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml rename to rules/windows/process_creation/proc_creation_win_installutil_download.yml index e484dcf8ea7..9c4d2823dc5 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml +++ b/rules/windows/process_creation/proc_creation_win_installutil_download.yml 
@@ -1,11 +1,13 @@ -title: Suspicious Execution of InstallUtil To Download +title: File Download Via InstallUtil.EXE id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc status: test -description: Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\ +description: | + Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\" references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.t1218 @@ -18,9 +20,9 @@ detection: - OriginalFileName: 'InstallUtil.exe' selection_cli: CommandLine|contains: + - 'ftp://' - 'http://' - 'https://' - - 'ftp://' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml deleted file mode 100644 index 6bd179fffe1..00000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -title: Using AppVLP To Circumvent ASR File Path Rule -id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 -status: test -description: | - Application Virtualization Utility is included with Microsoft Office. We are able to abuse "AppVLP" to execute shell commands. - Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder - or to mark a file as a system file. -references: - - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/ -author: Sreeman -date: 2020/03/13 -modified: 2022/12/29 -tags: - - attack.t1218 - - attack.defense_evasion - - attack.execution -logsource: - category: process_creation - product: windows -detection: - selection: - ParentImage|endswith: '\appvlp.exe' - filter: - # Based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/ - Image|endswith: - - '\msoasb.exe' - - '\rundll32.exe' - # - 'SKYPESERVER.EXE' # Rare comment it out if you experience FP - # - 'MSOUC.EXE' # Rare comment it out if you experience FP - condition: selection and not filter -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml similarity index 69% rename from rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml rename to rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml index 4592b6b94fa..f2bcb57760a 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml +++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml 
@@ -1,12 +1,13 @@ -title: Windows Defender Download Activity +title: File Download Via Windows Defender MpCmpRun.EXE id: 46123129-1024-423e-9fae-43af4a0fa9a5 status: test -description: Detect the use of Windows Defender to download payloads +description: Detects the use of Windows Defender MpCmdRun.EXE to download files references: - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866 - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ author: Matthew Matchen date: 2020/09/04 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.t1218 @@ -16,16 +17,16 @@ logsource: category: process_creation product: windows detection: - selection1: + selection_img: + - OriginalFileName: 'MpCmdRun.exe' + - Image|endswith: '\MpCmdRun.exe' - CommandLine|contains: 'MpCmdRun.exe' - Description: 'Microsoft Malware Protection Command Line Utility' - selection2: + selection_cli: CommandLine|contains|all: - 'DownloadFile' - 'url' - condition: all of selection* -fields: - - CommandLine + condition: all of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml new file mode 100644 index 00000000000..c3368ab67cc --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml 
@@ -0,0 +1,27 @@ +title: Arbitrary File Download Via MSEDGE_PROXY.EXE +id: e84d89c4-f544-41ca-a6af-4b92fd38b023 +status: experimental +description: Detects usage of "msedge_proxy.exe" to download arbitrary files +references: + - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/ +author: Swachchhanda Shrawan Poudel +date: 2023/11/09 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\msedge_proxy.exe' + - OriginalFileName: 'msedge_proxy.exe' + selection_cli: + CommandLine|contains: + - 'http://' + - 'https://' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml b/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml similarity index 86% rename from rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml rename to rules/windows/process_creation/proc_creation_win_msohtmed_download.yml index 9730bcc3a55..eda88d25774 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml +++ b/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml @@ -1,4 +1,4 @@ -title: Download Arbitrary Files Via MSOHTMED.EXE +title: Arbitrary File Download Via MSOHTMED.EXE id: 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d status: test description: Detects usage of "MSOHTMED" to download arbitrary files @@ -6,6 +6,7 @@ references: - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.execution 
@@ -19,10 +20,10 @@ detection: - OriginalFileName: 'MsoHtmEd.exe' selection_cli: CommandLine|contains: + - 'ftp://' - 'http://' - 'https://' - - 'ftp://' - condition: all of selection* + condition: all of selection_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml b/rules/windows/process_creation/proc_creation_win_mspub_download.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml rename to rules/windows/process_creation/proc_creation_win_mspub_download.yml index c4f5df0671a..97ad73975c5 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml +++ b/rules/windows/process_creation/proc_creation_win_mspub_download.yml @@ -20,10 +20,10 @@ detection: - OriginalFileName: 'MSPUB.exe' selection_cli: CommandLine|contains: + - 'ftp://' - 'http://' - 'https://' - - 'ftp://' - condition: all of selection* + condition: all of selection_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml new file mode 100644 index 00000000000..7eed7a1696f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml 
@@ -0,0 +1,26 @@ +title: Msxsl.EXE Execution +id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0 +status: test +description: | + Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. + Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ +author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2023/11/09 +tags: + - attack.defense_evasion + - attack.t1220 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\msxsl.exe' + condition: selection +falsepositives: + - Msxsl is not installed by default and is deprecated, so unlikely on most systems. +# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml new file mode 100644 index 00000000000..8a0af8241dd --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml 
@@ -0,0 +1,23 @@ +title: Remote XSL Execution Via Msxsl.EXE +id: 75d0a94e-6252-448d-a7be-d953dff527bb +status: experimental +description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ +author: Swachchhanda Shrawan Poudel +date: 2023/11/09 +tags: + - attack.defense_evasion + - attack.t1220 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\msxsl.exe' + CommandLine|contains: 'http' + condition: selection +falsepositives: + - Msxsl is not installed by default and is deprecated, so unlikely on most systems. +level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml b/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml similarity index 87% rename from rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml rename to rules/windows/process_creation/proc_creation_win_presentationhost_download.yml index f64c8ce3c43..9c4be72ddac 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml +++ b/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml @@ -1,4 +1,4 @@ -title: Download Arbitrary Files Via PresentationHost.exe +title: Arbitrary File Download Via PresentationHost.EXE id: b124ddf4-778d-418e-907f-6dd3fc0d31cd status: test description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files 
@@ -6,6 +6,7 @@ references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239/files author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/19 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.execution @@ -22,7 +23,7 @@ detection: - 'http://' - 'https://' - 'ftp://' - condition: all of selection* + condition: all of selection_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml b/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml similarity index 61% rename from rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml rename to rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml index 677e85c21fd..cfe575b762a 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml +++ b/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml @@ -1,11 +1,13 @@ -title: Application Whitelisting Bypass via PresentationHost.exe +title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f status: test -description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files. It can be abused to run malicious ".xbap" files any bypass AWL +description: | + Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL references: - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/01 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.execution 
@@ -19,11 +21,11 @@ detection: - OriginalFileName: 'PresentationHost.exe' selection_cli: CommandLine|contains: '.xbap' - filter: + filter_main_generic: CommandLine|contains: # Filter out legitimate locations if you find them - - 'C:\Windows\' - - 'C:\Program Files' - condition: all of selection* and not filter + - ' C:\Windows\' + - ' C:\Program Files' + condition: all of selection* and not 1 of filter_main_* falsepositives: - Legitimate ".xbap" being executed via "PresentationHost" level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml b/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml similarity index 59% rename from rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml rename to rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml index 141c60a9eab..25a584c82cd 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml +++ b/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml @@ -1,13 +1,14 @@ title: File Download Using ProtocolHandler.exe id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb status: test -description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) +description: | + Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/ author: frack113 date: 2021/07/13 -modified: 2022/12/31 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.t1218 
@@ -18,13 +19,12 @@ detection: selection_img: - Image|endswith: '\protocolhandler.exe' - OriginalFileName: 'ProtocolHandler.exe' - selection_cli_1: - CommandLine|contains|all: - - '"ms-word' - - '.docx"' - selection_cli_2: - CommandLine|contains: ' http' # Cover http and https - condition: selection_img and 1 of selection_cli_* + selection_cli: + CommandLine|contains: + - 'ftp://' + - 'http://' + - 'https://' + condition: all of selection_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml new file mode 100644 index 00000000000..f12306af17c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml 
@@ -0,0 +1,40 @@ +title: Arbitrary File Download Via Squirrel.EXE +id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c +related: + - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e + type: similar + - id: fa4b21c9-0057-4493-b289-2556416ae4d7 + type: obsoletes +status: experimental +description: | + Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ + - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ + - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community +date: 2022/06/09 +modified: 2023/11/09 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: + - '\squirrel.exe' + - '\update.exe' + selection_download_cli: + CommandLine|contains: + - ' --download ' + - ' --update ' + - ' --updateRollback=' + selection_download_http_keyword: + CommandLine|contains: 'http' + condition: all of selection_* +falsepositives: + - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.) +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml similarity index 67% rename from rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml rename to rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml index 84147ef26b5..706757b4ca3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml 
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml @@ -1,17 +1,20 @@ -title: Use of Squirrel.exe +title: Process Proxy Execution Via Squirrel.EXE id: 45239e6a-b035-4aaf-b339-8ad379fcb67e related: + - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c + type: similar - id: fa4b21c9-0057-4493-b289-2556416ae4d7 type: obsoletes status: experimental -description: Detects the usage of the "Squirrel.exe" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.) +description: | + Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2022/06/09 -modified: 2023/03/22 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.execution 
@@ -24,49 +27,42 @@ detection: Image|endswith: - '\squirrel.exe' - '\update.exe' - selection_download_cli: - CommandLine|contains: - - ' --download ' - - ' --update ' - - ' --updateRollback=' - selection_download_http_keyword: - CommandLine|contains: 'http' selection_exec: CommandLine|contains: - '--processStart' - '--processStartAndWait' - '--createShortcut' - filter_discord: + filter_optional_discord: CommandLine|contains|all: - - 'C:\Users\' + - ':\Users\' - '\AppData\Local\Discord\Update.exe' - ' --processStart' - 'Discord.exe' - filter_github_desktop: + filter_optional_github_desktop: CommandLine|contains|all: - - 'C:\Users\' + - ':\Users\' - '\AppData\Local\GitHubDesktop\Update.exe' - 'GitHubDesktop.exe' CommandLine|contains: - '--createShortcut' - '--processStartAndWait' - filter_teams: + filter_optional_teams: CommandLine|contains|all: - - 'C:\Users\' + - ':\Users\' - '\AppData\Local\Microsoft\Teams\Update.exe' - 'Teams.exe' CommandLine|contains: - '--processStart' - '--createShortcut' - filter_yammer: + filter_optional_yammer: CommandLine|contains|all: - - 'C:\Users\' + - ':\Users\' - '\AppData\Local\yammerdesktop\Update.exe' - 'Yammer.exe' CommandLine|contains: - '--processStart' - '--createShortcut' - condition: selection_img and (all of selection_download_* or selection_exec) and not 1 of filter_* + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - - Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc) + - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.) level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml index 1e96f4e4814..ef096ea1cac 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml @@ -14,31 +14,47 @@ references: - https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/09/05 +modified: 2023/11/09 tags: - attack.execution logsource: category: process_creation product: windows detection: - selection: - Image|endswith: - # Add more electron based app to the list - - '\chrome.exe' - - '\code.exe' - - '\discord.exe' - - '\GitHubDesktop.exe' - - '\keybase.exe' - - '\msedge.exe' - - '\msedgewebview2.exe' - - '\msteams.exe' - - '\slack.exe' - - '\Teams.exe' + selection_img: + - Image|endswith: + # Add more electron based app to the list + - '\chrome.exe' + - '\code.exe' + - '\discord.exe' + - '\GitHubDesktop.exe' + - '\keybase.exe' + - '\msedge_proxy.exe' + - '\msedge.exe' + - '\msedgewebview2.exe' + - '\msteams.exe' + - '\slack.exe' + - '\Teams.exe' + - OriginalFileName: + # Add more electron based app to the list + - 'chrome.exe' + - 'code.exe' + - 'discord.exe' + - 'GitHubDesktop.exe' + - 'keybase.exe' + - 'msedge_proxy.exe' + - 'msedge.exe' + - 'msedgewebview2.exe' + - 'msteams.exe' + - 'slack.exe' + - 'Teams.exe' + selection_cli: CommandLine|contains: - '--browser-subprocess-path' - '--gpu-launcher' - '--renderer-cmd-prefix' - '--utility-cmd-prefix' - condition: selection + condition: all of selection_* falsepositives: - Legitimate usage for debugging purposes # Increase the level once FP rate is known better (see status) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml new file mode 100644 index 00000000000..98220bde896 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml 
@@ -0,0 +1,29 @@ +title: Potential File Download Via MS-AppInstaller Protocol Handler +id: 180c7c5c-d64b-4a63-86e9-68910451bc8b +related: + - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a + type: derived +status: experimental +description: | + Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE + The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\" +references: + - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ +author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel +date: 2023/11/09 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'ms-appinstaller://?source=' + - 'http' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml index fcc0d9b6124..e978dae8e46 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml 
@@ -1,12 +1,15 @@ -title: XSL Script Processing +title: XSL Script Execution Via WMIC.EXE id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d status: test -description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. +description: | + Detects the execution of WMIC with the "format" flag to potentially load XSL files. + Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. + Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel date: 2019/10/21 -modified: 2023/04/21 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.t1220 @@ -14,14 +17,12 @@ logsource: category: process_creation product: windows detection: - selection_wmic: + selection: Image|endswith: '\wmic.exe' CommandLine|contains: - '/format' # wmic process list /FORMAT /? - '-format' # wmic process list -FORMAT /? - selection_msxsl: - Image|endswith: '\msxsl.exe' - false_positives: + filter_main_known_format: CommandLine|contains: - 'Format:List' - 'Format:htable' @@ -32,9 +33,8 @@ detection: - 'Format:rawxml' - 'Format:xml' - 'Format:csv' - condition: (selection_wmic and not false_positives) or selection_msxsl + condition: selection and not 1 of filter_main_* falsepositives: - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. - - Msxsl.exe is not installed by default, so unlikely. - Static format arguments - https://petri.com/command-line-wmi-part-3 level: medium 
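Review bot: the new title in proc_creation_win_mpcmdrun_download_arbitrary_file.yml misspells the binary. `+title: File Download Via Windows Defender MpCmpRun.EXE` should read `MpCmdRun.EXE`, matching the description and the `Image|endswith: '\MpCmdRun.exe'` selector added in the same hunk. Note also that `selection_img` keeps `- CommandLine|contains: 'MpCmdRun.exe'` as an OR alternative next to the new Image/OriginalFileName entries, so any process whose command line merely mentions MpCmdRun.exe (a wrapper script, for example) will satisfy that selection; if that is intended, a comment saying so would help the next reader.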
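Review bot: the rewritten description in proc_creation_win_presentationhost_uncommon_location_exec.yml carries over a typo from the old text. `These files can be abused to run malicious ".xbap" files any bypass AWL` should read `and bypass AWL`; while touching it, consider spelling out "application whitelisting" as the msxsl and wmic descriptions in this same patch do.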
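Review bot: the detection hunk of proc_creation_win_presentationhost_uncommon_location_exec.yml is inconsistent with the rest of the patch and the new filter will miss common path forms. The condition still reads `condition: all of selection* and not 1 of filter_main_*` while every other rule here is normalised to `all of selection_*`. More importantly, the filter values `' C:\Windows\'` and `' C:\Program Files'` now require a leading space, so a quoted path (`"C:\Windows\...` or `"C:\Program Files\...`) or a non-C drive no longer matches the filter and will raise an alert for a legitimate location; the squirrel hunk in this patch switches to `':\Users\'` for exactly the drive-letter reason, so `':\Windows\'` / `':\Program Files'` would be more consistent, or the leading-space choice should be documented in the existing comment.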
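Review bot: the trailing note in the new proc_creation_win_msxsl_execution.yml has two typos. `# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition` should read `leverage` and `execution`; since this comment is the only guidance on tuning a rule that fires on every msxsl.exe start, it is worth getting right.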
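Review bot: `CommandLine|contains: 'http'` in the new proc_creation_win_msxsl_remote_execution.yml is too loose for a rule rated `level: high`. The bare keyword matches any argument that happens to contain "http" (a local stylesheet or output file name, for instance), not only a remote location. The sibling download rules added in this same patch (IMEWDBLD, msedge_proxy, MSOHTMED, MSPUB) use `'http://'` and `'https://'`; aligning this rule with them keeps the "remote" semantics the title promises.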
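Review bot: the tags on the new proc_creation_win_imewbdld_download.yml do not match what the rule detects. The rule matches a URL on the command line of IMEWDBLD.exe and the description says "download arbitrary files", yet it is tagged `attack.execution` and `attack.t1218` (System Binary Proxy Execution). The IEExec hunk at the top of this patch tags the same download behaviour with `attack.command_and_control` / `attack.t1105`; the same inconsistency is present in the new proc_creation_win_msedge_proxy_download.yml and proc_creation_win_susp_ms_appinstaller_download.yml hunks. Picking one mapping for all download rules would make the ATT&CK coverage reports consistent.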
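Review bot: the description of the new proc_creation_win_susp_ms_appinstaller_download.yml has a typo. `The downloaded files are temporarly stored in ...` should read `temporarily`. Separately, `selection` combines `'ms-appinstaller://?source='` with the bare keyword `'http'`; since the source parameter is expected to be a URL, `'http://'` / `'https://'` as used elsewhere in this patch would be both tighter and consistent.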
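Review bot: the new file proc_creation_win_squirrel_download.yml is created in this patch but carries `date: 2022/06/09` together with `modified: 2023/11/09`. The date appears to have been copied from the rule it was split out of (the squirrel proxy-execution rule keeps the same 2022/06/09 date). For a rule with a fresh id, `date` should be the creation date and `modified` should be absent, otherwise the rule's history becomes misleading for anyone auditing when the download logic was introduced.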
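Review bot: proc_creation_win_lolbin_appvlp.yml (rule id 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43) is deleted outright in this patch rather than retired with `status: deprecated`. Consumers that key on the rule id get no signal that the rule was intentionally withdrawn, and the `filter` logic (msoasb.exe / rundll32.exe children of appvlp.exe) that is being removed is not mentioned anywhere in the surrounding hunks. Marking the rule deprecated, or at least stating in the commit why the AppVLP detection is no longer wanted, would preserve that history.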
From c7892119bd37edac44a2f657c0b76c72056ef892 Mon Sep 17 00:00:00 2001 
From: Andreas Braathen <103580973+netgrain@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:33:16 +0100 Subject: [PATCH 12/28] Merge PR #4567 from @netgrain - Adding analytics for CVE-2023-22518 new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ..._2023_22518_confluence_java_child_proc.yml | 41 ++++++++++++++++++ ...023_22518_confluence_tomcat_child_proc.yml | 43 +++++++++++++++++++ ..._cve_2023_22518_confluence_auth_bypass.yml | 42 ++++++++++++++++++ ..._cve_2023_22518_confluence_auth_bypass.yml | 42 ++++++++++++++++++ ...3261_milesight_information_disclosure.yml} | 0 ...3261_milesight_information_disclosure.yml} | 0 6 files changed, 168 insertions(+) create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml rename rules-emerging-threats/2023/Exploits/CVE-2023-43261/{proxy_cve_2023_43261_milesight_information_disclosure.yml => proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml} (100%) rename rules-emerging-threats/2023/Exploits/CVE-2023-43261/{web_cve_2023_43261_milesight_information_disclosure.yml => web_exploit_cve_2023_43261_milesight_information_disclosure.yml} (100%) 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml new file mode 100644 index 00000000000..244cb6ae49f --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml @@ -0,0 +1,41 @@ +title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) +id: f8987c03-4290-4c96-870f-55e75ee377f4 +related: + - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db + type: similar +status: experimental +description: | + Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. +references: + - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html + - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment + - https://github.com/ForceFledgling/CVE-2023-22518 +author: Andreas Braathen (mnemonic.io) +date: 2023/11/14 +tags: + - detection.emerging_threats + - attack.execution + - attack.t1059 + - attack.initial_access + - attack.t1190 + - cve.2023.22518 +logsource: + category: process_creation + product: linux +detection: + selection_parent: + ParentImage|endswith: '/java' + ParentCommandLine|contains: 'confluence' + selection_child: + # Only children associated with known campaigns + Image|endswith: + - '/bash' + - '/curl' + - '/echo' + - '/wget' + filter_main_ulimit: + CommandLine|contains: 'ulimit -u' + condition: all of selection_* and not 1 of filter_main_* +falsepositives: + - Unlikely +level: high 
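Review bot: `filter_main_ulimit` in proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml is the only filter in this series without a comment explaining which legitimate behaviour it suppresses; `selection_child` does get one (`# Only children associated with known campaigns`). A one-line note on what Confluence-spawned command line contains `ulimit -u` would let maintainers judge later whether the exclusion is still needed. Also note that `'/echo'` in `selection_child` will rarely match in practice because echo is a shell builtin in bash and sh, so a process_creation event with an image ending in /echo only appears when /bin/echo is executed directly; harmless, but worth knowing when tuning.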
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml new file mode 100644 index 00000000000..0177ca6d902 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml @@ -0,0 +1,43 @@ +title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) +id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db +related: + - id: f8987c03-4290-4c96-870f-55e75ee377f4 + type: similar +status: experimental +description: | + Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. +references: + - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html + - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment + - https://github.com/ForceFledgling/CVE-2023-22518 +author: Andreas Braathen (mnemonic.io) +date: 2023/11/14 +tags: + - detection.emerging_threats + - attack.execution + - attack.t1059 + - attack.initial_access + - attack.t1190 + - cve.2023.22518 +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: + - '\tomcat8.exe' + - '\tomcat9.exe' + - '\tomcat10.exe' + ParentCommandLine|contains: 'confluence' + selection_child: + # Note: Only children associated with known campaigns + - Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - OriginalFileName: + - 'Cmd.Exe' + - 'PowerShell.EXE' + condition: all of selection_* +falsepositives: + - Unknown +level: medium 
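Review bot: the Windows twin proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml is rated `level: medium` with `falsepositives: Unknown`, while the Linux rule it is marked `related`/`similar` to is `level: high` with `Unlikely`, although both share the same description. If the lower level is deliberate (for example because cmd.exe and powershell.exe children of Tomcat are more common in Windows administration than bash/curl/wget children of Confluence's java process), a short comment would save reviewers from asking; otherwise the two should be aligned.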
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml new file mode 100644 index 00000000000..7abb0ab2c76 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml @@ -0,0 +1,42 @@ +title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) +id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6 +related: + - id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c + type: similar +status: experimental +description: | + Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. +references: + - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html + - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment + - https://github.com/ForceFledgling/CVE-2023-22518 +author: Andreas Braathen (mnemonic.io) +date: 2023/11/14 +tags: + - detection.emerging_threats + - attack.initial_access + - attack.t1190 + - cve.2023.22518 +logsource: + category: proxy +detection: + selection_method: + cs-method: 'POST' + selection_uris: + cs-uri|contains: + # Exploitable endpoints + - '/json/setup-restore-local.action' + - '/json/setup-restore-progress.action' + - '/json/setup-restore.action' + - '/server-info.action' + - '/setup/setupadministrator.action' + selection_status: + # Response code may be indicative of exploitation success, but is not always the case + sc-status: + - 200 + - 302 + - 405 + condition: all of selection_* +falsepositives: + - Vulnerability scanners +level: medium 
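Review bot: `falsepositives` in proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml lists only vulnerability scanners, but the `/json/setup-restore-local.action`, `/json/setup-restore-progress.action` and `/json/setup-restore.action` endpoints in `selection_uris` are the same ones an administrator drives during a legitimate backup restore, and `selection_status` accepts 200 and 302 which such a restore would also return. Adding "Legitimate administrative restore operations" to falsepositives, and suggesting that analysts correlate with the authenticated admin session in the proxy log, would make the medium level easier to justify.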
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml new file mode 100644 index 00000000000..431dcd2e524 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml @@ -0,0 +1,42 @@ +title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) +id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c +related: + - id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6 + type: similar +status: experimental +description: | + Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. +references: + - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html + - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment + - https://github.com/ForceFledgling/CVE-2023-22518 +author: Andreas Braathen (mnemonic.io) +date: 2023/11/14 +tags: + - detection.emerging_threats + - attack.initial_access + - attack.t1190 + - cve.2023.22518 +logsource: + category: webserver +detection: + selection_method: + cs-method: 'POST' + selection_uris: + cs-uri-query|contains: + # Exploitable endpoints + - '/json/setup-restore-local.action' + - '/json/setup-restore-progress.action' + - '/json/setup-restore.action' + - '/server-info.action' + - '/setup/setupadministrator.action' + selection_status: + # Response code may be indicative of exploitation success, but is not always the case + sc-status: + - 200 + - 302 + - 405 + condition: all of selection_* +falsepositives: + - Vulnerability scanners +level: medium 
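Review bot: the webserver variant repeats the proxy rule almost verbatim, including `405` in `sc-status`; a 405 (Method Not Allowed) on a POST means the server rejected the method, so grouping it with codes that "may be indicative of exploitation success" needs a justification in the comment or it should be dropped. Also `related` only points at the proxy sibling 27d2cdde; the process-creation rule 1ddaa9a4 created in the same directory is not cross-referenced from either web rule, so add it so the three CVE-2023-22518 rules are discoverable together.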
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml similarity index 100% rename from rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_cve_2023_43261_milesight_information_disclosure.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml similarity index 100% rename from rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_cve_2023_43261_milesight_information_disclosure.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml From b77a3fa9c32d4f3a63ee76523cdb3c7e75a50e84 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:27:18 +0100 Subject: [PATCH 13/28] Fix Further FPs Found In Testing (#4564) remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 split rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141 remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135 fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty new: Insensitive Subfolder Search Via Findstr.EXE new: Remote File Download Via Findstr.EXE new: Windows Defender Exclusion Deleted new: Windows Defender Exclusion List Modified new: Windows Defender Exclusion Reigstry Key - Write Access Requested update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:" update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage update: 
Suspicious Appended Extension - Enhance list of extension update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation. fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> thanks: @vj-codes for #4554 thanks: @mezzofix for #4520 thanks: @rkmbaxed for #4566 and #4569 thanks: @celalettin-turgut for #4570 --- README.md | 2 +- .../proc_creation_win_lolbin_findstr.yml | 4 +- .../proc_creation_win_wuauclt_execution.yml | 4 +- .../file_rename_win_non_dll_to_dll_ext.yml | 47 ++++++++++++++ ..._defender_exclusions_registry_modified.yml | 30 +++++++++ ...ndows_defender_exclusions_write_access.yml | 35 ++++++++++ ...ows_defender_exclusions_write_deleted.yml} | 24 +++---- ...emote_thread_win_uncommon_source_image.yml | 17 +++-- ...t_win_create_evtx_non_common_locations.yml | 10 +-- .../file_rename_win_not_dll_to_dll.yml | 45 ------------- .../file_rename_win_ransomware.yml | 37 ++++++----- ...nection_win_wuauclt_network_connection.yml | 64 +++++++++++++++---- .../proc_creation_win_findstr_download.yml | 43 +++++++++++++ ...roc_creation_win_findstr_gpp_passwords.yml | 10 ++- .../proc_creation_win_findstr_lnk.yml | 10 ++- .../proc_creation_win_findstr_lsass.yml | 10 ++- ...oc_creation_win_findstr_recon_everyone.yml | 11 +++- ...creation_win_findstr_recon_pipe_output.yml | 22 ++++++- ...on_win_findstr_security_keyword_lookup.yml | 9 ++- ..._creation_win_findstr_subfolder_search.yml | 41 ++++++++++++ ..._sysmon_discovery_via_default_altitude.yml | 10 ++- ..._creation_win_renamed_office_processes.yml | 15 ++++- ...oc_creation_win_sdbinst_susp_extension.yml | 6 +- 
...n_susp_bad_opsec_sacrificial_processes.yml | 14 +++- ..._win_userinit_uncommon_child_processes.yml | 19 ++++-- ...proc_creation_win_wuauclt_dll_loading.yml} | 25 +++++--- ...ion_win_wuauclt_no_cli_flags_execution.yml | 9 ++- 27 files changed, 435 insertions(+), 138 deletions(-) rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_lolbin_findstr.yml (97%) rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_wuauclt_execution.yml (95%) create mode 100644 rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml create mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml create mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml rename rules/windows/builtin/security/{win_security_defender_bypass.yml => win_security_windows_defender_exclusions_write_deleted.yml} (54%) delete mode 100644 rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_download.yml create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_wuauclt.yml => proc_creation_win_wuauclt_dll_loading.yml} (57%) diff --git a/README.md b/README.md index 1340019750e..2b1a586e465 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ If you find a false positive or would like to propose a new detection rule idea ## Credits -This project would've never reached this hight without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. +This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. ## Licenses 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/deprecated/windows/proc_creation_win_lolbin_findstr.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml rename to deprecated/windows/proc_creation_win_lolbin_findstr.yml index e67e3bece5a..b6f955121c5 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml +++ b/deprecated/windows/proc_creation_win_lolbin_findstr.yml @@ -1,6 +1,6 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f -status: test +status: deprecated description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ @@ -8,7 +8,7 @@ references: - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali' date: 2020/10/05 -modified: 2022/10/11 +modified: 2022/10/12 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml b/deprecated/windows/proc_creation_win_wuauclt_execution.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml rename to deprecated/windows/proc_creation_win_wuauclt_execution.yml index 7d0c45e9291..2b053596d63 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml +++ b/deprecated/windows/proc_creation_win_wuauclt_execution.yml @@ -1,12 +1,12 @@ title: Windows Update Client LOLBIN id: d7825193-b70a-48a4-b992-8b5b3015cc11 -status: test +status: deprecated description: Detects code execution via the Windows Update client (wuauclt) references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2022/05/13 +modified: 2023/11/11 tags: - attack.command_and_control - attack.execution 
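Review bot: the deprecated findstr rule gets `modified: 2022/10/12`, one day after its previous value, while the wuauclt rule deprecated in the same patch gets `modified: 2023/11/11`; flipping `status` to `deprecated` is a modification and should carry the real date (2023/11/11, or 2023/11/12 to match the replacement rule 587254ee). As written the history reads as if the rule was deprecated in 2022.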
diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml new file mode 100644 index 00000000000..1f663fc292c --- /dev/null +++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml 
@@ -0,0 +1,47 @@ +title: Non-DLL Extension File Renamed With DLL Extension +id: bbfd974c-248e-4435-8de6-1e938c79c5c1 +status: experimental +description: | + Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. +references: + - https://twitter.com/ffforward/status/1481672378639912960 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location +author: frack113 +date: 2022/02/19 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1036.008 + - detection.threat_hunting +logsource: + product: windows + category: file_rename + definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' +detection: + selection: + TargetFilename|endswith: '.dll' + filter_main_dll: + # Note: To avoid file renames + SourceFilename|endswith: '.dll' + filter_main_installers: + SourceFilename|endswith: '.tmp' + filter_main_empty_source: + SourceFilename: '' + filter_main_null_source: + SourceFilename: null + filter_main_tiworker: + Image|contains: ':\Windows\WinSxS\' + Image|endswith: '\TiWorker.exe' + filter_main_upgrade: + - Image|endswith: ':\Windows\System32\wuauclt.exe' + - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\' + filter_main_generic: + Image|contains: + - ':\Program Files (x86)\' + - ':\Program Files\' + filter_optional_squirrel: + SourceFilename|contains: '\SquirrelTemp\temp' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Likely from installers and temporary locations +level: medium 
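Review bot: the rewrite drops the `SourceFilename|contains: '.dll.'` filter that the deleted `file_rename_win_not_dll_to_dll.yml` had, so staged updates such as `foo.dll.new` -> `foo.dll` or `foo.dll.bak` -> `foo.dll` now fire unless one of the remaining filters (Program Files image, `.tmp` source, TiWorker, upgrade paths) happens to apply; if that widening is intended for a threat-hunting rule, say so in `description` or `falsepositives`, otherwise keep it as a `filter_main_dll_staged` entry. The `# Note: To avoid file renames` comment on `filter_main_dll` is also unclear; what the filter does is ignore DLL-to-DLL renames, and the comment should say that.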
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml new file mode 100644 index 00000000000..7d4de724c2e --- /dev/null +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml @@ -0,0 +1,30 @@ +title: Windows Defender Exclusion List Modified +id: 46a68649-f218-4f86-aea1-16a759d81820 +related: + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived +status: test +description: | + Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: '@BarryShooshooga' +date: 2019/10/26 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + EventID: 4657 # A registry value was modified. + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Intended exclusions by administrators +level: medium diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml new file mode 100644 index 00000000000..b7dfbafedf0 --- /dev/null +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml 
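Review bot: `related` marks e9c8808f and a33f8808 as `type: derived`, and in the two sibling files those rules mark this one as `derived` in turn, so all three rules claim to be derived from each other. Only the newly split rules descend from the original e9c8808f; point the new rules at e9c8808f with `derived` and use `similar` for the remaining links, so tooling that follows derivation chains does not walk a cycle.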
@@ -0,0 +1,35 @@ +title: Windows Defender Exclusion Reigstry Key - Write Access Requested +id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +related: + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived +status: test +description: | + Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)' +date: 2019/10/26 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + AccessList|contains: + - '%%4417' # WriteData + - '%%4418' # AppendData + EventID: + - 4656 # A handle to an object was requested. + - 4663 # An attempt was made to access an object. + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/builtin/security/win_security_defender_bypass.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml similarity index 54% rename from rules/windows/builtin/security/win_security_defender_bypass.yml rename to rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml index a975119eda6..b207c81b499 100644 --- a/rules/windows/builtin/security/win_security_defender_bypass.yml +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml 
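Review bot: typo in `title`: "Reigstry" should be "Registry" (the commit message repeats it). The `AccessList` comments label `%%4417` / `%%4418` as WriteData and AppendData, which are the file-object names for access mask bits 0x2 and 0x4; on a registry key those same bits are KEY_SET_VALUE ("Set key value") and KEY_CREATE_SUB_KEY ("Create subkey"), which is what the description actually targets, so the comments should give the registry meaning to avoid confusing anyone tuning on registry SACL events.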
@@ -1,12 +1,18 @@ -title: Windows Defender Exclusion Set -id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +title: Windows Defender Exclusion Deleted +id: a33f8808-2812-4373-ae95-8cfb82134978 +related: + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived status: test -description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender +description: | + Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' date: 2019/10/26 -modified: 2021/11/27 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1562.001 @@ -16,13 +22,9 @@ logsource: definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: selection: - EventID: - - 4657 - - 4656 - - 4660 - - 4663 + EventID: 4660 # An object was deleted. ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' condition: selection falsepositives: - - Intended inclusions by administrator -level: high + - Unknown +level: medium diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index 321e57290f2..af4ed0f32c8 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml 
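Review bot: narrowing this rule to `EventID: 4660` breaks it: 4660 ("An object was deleted") carries Subject, Object Server, Handle ID and process information but no Object Name, so `ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'` can never match a 4660 record. In the old combined rule the 4657/4656/4663 entries carried the match. Deletion of an exclusion value is visible as 4657 with the "registry value deleted" operation type, or as 4663 with DELETE access (`%%1537`) on the key; 4660 is only usable when correlated to the preceding 4656/4663 by Handle ID. Pick one of those and record it in `definition`.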
@@ -7,7 +7,7 @@ references: - https://lolbas-project.github.io author: Perez Diego (@darkquassar), oscd.community date: 2019/10/27 -modified: 2023/09/06 +modified: 2023/11/11 tags: - attack.privilege_escalation - attack.defense_evasion @@ -72,9 +72,9 @@ detection: - ':\Windows\System32\services.exe' # happens on Windows 7 - ':\Windows\System32\wininit.exe' # happens on Windows 7 - ':\Windows\System32\csrss.exe' # multiple OS + - ':\Windows\System32\LogonUI.exe' # multiple OS filter_main_winlogon_2: SourceImage: 'C:\Windows\System32\winlogon.exe' - TargetParentImage: 'System' TargetParentProcessId: 4 filter_main_schtasks_conhost: SourceImage|endswith: @@ -84,10 +84,19 @@ detection: filter_main_explorer: SourceImage|endswith: ':\Windows\explorer.exe' TargetImage|endswith: - - ':\Windows\System32\mmc.exe' - - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' + - ':\Program Files (x86)\' + - ':\Program Files\' + - ':\Windows\System32\' + - ':\Windows\SysWOW64\' filter_main_system: TargetImage: 'System' + filter_main_msiexec: + # Note: MSI installers will trigger this + SourceImage|endswith: '\msiexec.exe' + TargetImage|contains: + - '\AppData\Local\' + - ':\Program Files (x86)\' + - ':\Program Files\' filter_optional_powerpnt: # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 SourceImage|contains: '\Microsoft Office\' diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 9e973c66e76..02eedbdff08 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml 
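Review bot: in `filter_main_explorer` the new values `':\Program Files (x86)\'`, `':\Program Files\'`, `':\Windows\System32\'` and `':\Windows\SysWOW64\'` are directory prefixes ending in a backslash, but the modifier is still `TargetImage|endswith`; a full image path such as `C:\Windows\System32\mmc.exe` never ends with `:\Windows\System32\`, so the filter can no longer match anything and the explorer.exe -> mmc.exe case removed here will alert again. Change the modifier to `TargetImage|contains`, as `filter_main_msiexec` in the same hunk already does.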
@@ -18,14 +18,14 @@ detection: selection: TargetFilename|endswith: '.evtx' filter_main_path: - TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' + TargetFilename|contains: ':\Windows\System32\winevt\Logs\' filter_main_baseimage: - TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' + TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\' TargetFilename|endswith: '\Windows\System32\winevt\Logs\' filter_main_generic_img: - Image: - - 'C:\Windows\explorer.exe' - - 'C:\Windows\system32\dllhost.exe' + Image|endswith: + - ':\Windows\explorer.exe' + - ':\Windows\system32\dllhost.exe' condition: selection and not 1 of filter_main_* falsepositives: - Administrator or backup activity diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml deleted file mode 100644 index 23de6de3334..00000000000 --- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -title: Rename Common File to DLL File -id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: test -description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection -references: - - https://twitter.com/ffforward/status/1481672378639912960 - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location -author: frack113 -date: 2022/02/19 -modified: 2023/01/02 -tags: - - attack.defense_evasion - - attack.t1036.008 -logsource: - product: windows - category: file_rename - definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' -detection: - to_dll: - TargetFilename|endswith: '.dll' - filter_from_dll: - - SourceFilename|endswith: - - '.dll' - - '.tmp' # VSCode FP - - SourceFilename|contains: - - '.dll.' - - '\SquirrelTemp\temp' - filter_empty_source: - SourceFilename: '' - filter_non_existing_source: - SourceFilename: null - filter_tiworker: - Image|startswith: 'C:\Windows\WinSxS\' - Image|endswith: '\TiWorker.exe' - filter_upgrade: - - Image: 'C:\Windows\System32\wuauclt.exe' - - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\' - filter_program_files: - Image|startswith: - - 'C:\Program Files (x86)\' - - 'C:\Program Files\' - condition: to_dll and not 1 of filter* -falsepositives: - - Application installation -level: medium diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index f0cca6f2cf3..b1b6e9a28dc 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml 
@@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2023/01/02 +modified: 2023/11/11 tags: - attack.impact - attack.t1486 @@ -18,35 +18,40 @@ logsource: detection: selection: SourceFilename|endswith: - - '.lnk' - - '.rtf' - - '.pst' + - '.doc' - '.docx' - - '.xlsx' - - '.jpg' - '.jpeg' - - '.png' + - '.jpg' + - '.lnk' - '.pdf' + - '.png' + - '.pst' + - '.rtf' + - '.xls' + - '.xlsx' TargetFilename|contains: - - '.lnk.' - - '.rtf.' - - '.pst.' + - '.doc.' - '.docx.' - - '.xlsx.' - - '.jpg.' - '.jpeg.' - - '.png.' + - '.jpg.' + - '.lnk.' - '.pdf.' + - '.png.' + - '.pst.' + - '.rtf.' + - '.xls.' + - '.xlsx.' filter_main_generic: TargetFilename|endswith: - - '.tmp' + # Note: Please add more used extensions by backup or recovery software + - '.backup' - '.bak' - '.old' - '.orig' - - '.backup' - '.temp' + - '.tmp' filter_optional_anaconda: - TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' + TargetFilename|contains: ':\ProgramData\Anaconda3\' TargetFilename|endswith: '.c~' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index c9771233ef2..f79a6af8531 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml 
@@ -1,27 +1,58 @@ -title: Wuauclt Network Connection +title: Potentially Suspicious Wuauclt Network Connection id: c649a6c7-cd8c-4a78-9c04-000fc76df954 status: test description: | - Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. - One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. + Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. + One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2023/01/20 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1218 logsource: category: network_connection product: windows + definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.' detection: selection: Image|contains: 'wuauclt' + CommandLine|contains: ' /RunHandlerComServer' # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer - filter_msrange: # Sysmon + filter_main_ipv4: + DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml + - '10.' + - '127.' + - '169.254.' 
# link-local address + - '172.16' + - '172.17' + - '172.18' + - '172.19' + - '172.20' + - '172.21' + - '172.22' + - '172.23' + - '172.24' + - '172.25' + - '172.26' + - '172.27' + - '172.28' + - '172.29' + - '172.30' + - '172.31' + - '192.168' + filter_main_ipv6: DestinationIp|startswith: - # Subnet: 20.184.0.0/13 + - '::1' + - '0:0:0:0:0:0:0:1' # IPv6 loopback variant + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 + filter_main_msrange: # Sysmon + DestinationIp|startswith: + # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others - '20.184.' - '20.185.' - '20.186.' @@ -30,16 +61,27 @@ detection: - '20.189.' - '20.190.' - '20.191.' + - '20.220.' + - '20.221.' - '23.79.' - '51.10.' - # Subnet: 51.103.210.0/23 - '51.103.' - '51.104.' - '51.105.' - '52.239.' - filter_cmdline: - CommandLine|contains: '\UpdateDeploy.dll /ClassId ' - condition: selection and not 1 of filter_* + filter_main_uus: + CommandLine|contains: + - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' + - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' + filter_main_winsxs|all: + CommandLine|contains: + - ':\Windows\WinSxS\' + - '\UpdateDeploy.dll /ClassId ' + filter_main_cli_null: + CommandLine: null + filter_main_cli_empty: + CommandLine: '' + condition: selection and not 1 of filter_main_* falsepositives: - - Legitimate use of wuauclt.exe over the network. + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml new file mode 100644 index 00000000000..cef27141ca2 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml 
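Review bot: in `filter_main_ipv4` the `172.16` to `172.31` entries (and `192.168`) lack the trailing dot that `10.`, `127.` and `169.254.` carry; with `DestinationIp|startswith`, `'172.16'` also suppresses 172.160.0.0 to 172.169.255.255, `'172.17'` suppresses 172.170.x.x, and so on, so `172.16` through `172.25` together silence the public block 172.160.0.0 to 172.255.255.255. Add the dot (`'172.16.'` ... `'172.31.'`, `'192.168.'`); a wuauclt connection to a public 172.2x address is precisely what the rule should surface.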
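Review bot: `filter_main_cli_null` and `filter_main_cli_empty` are unreachable: `selection` now requires `CommandLine|contains: ' /RunHandlerComServer'`, so an event with a null or empty CommandLine never gets as far as the filters. Either remove the two filters, or, if the intent is to keep alerting on wuauclt connections where enrichment is missing, restructure the condition so the missing-CommandLine case is an alternative inside the selection rather than an exclusion; the new `definition` line says CommandLine enrichment is required, which argues for simply removing them.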
@@ -0,0 +1,43 @@ +title: Remote File Download Via Findstr.EXE +id: 587254ee-a24b-4335-b3cd-065c0f1f4baa +related: + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes +status: experimental +description: | + Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +date: 2020/10/05 +modified: 2023/11/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_download_1: + CommandLine|contains: + - ' /v ' + - ' -v ' + selection_cli_download_2: + CommandLine|contains: + - ' /l ' + - ' -l ' + selection_cli_download_3: + CommandLine|contains: '\\\\' + condition: selection_findstr and all of selection_cli_download_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 2c5d81cd8fb..0da44623449 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml 
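Review bot: `tags` still carries `attack.t1564.004` (NTFS alternate data streams) and `attack.t1552.001` (credentials in files) from the obsoleted bf6c39fc rule, but this rule only matches `findstr /v /l` against a `\\` share path, i.e. the download behaviour the description names; keep `attack.t1105` (and `attack.t1218` if proxy execution is the argument) and drop the ADS and credential tags, otherwise the rule is mis-mapped in ATT&CK coverage views. Minor: `CommandLine|contains: findstr` is the only unquoted value in the rule; quote it like the others.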
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr author: frack113 date: 2021/12/27 -modified: 2023/03/06 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|contains|all: - 'cpassword' diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml index 9618ac0a69c..a37c9d8bf24 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml @@ -6,7 +6,7 @@ references: - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/ author: Trent Liffick date: 2020/05/01 -modified: 2023/03/06 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1036 @@ -17,8 +17,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|endswith: '.lnk' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index e9b33ee1f1b..5941a31c969 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml 
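Review bot: adding `find.exe` to `selection_img` in the GPP-passwords and .lnk rules widens what they match, but the titles the commit message quotes ("Findstr GPP Passwords", "Findstr Launching .lnk File") still name only findstr; update `title` and `description` in the same change so an analyst reading an alert on `find.exe` is not misled, and note in `description` that `find.exe` requires its search string in double quotes, which is why `CommandLine|endswith: '.lnk'` still works for `find "x" foo.lnk`.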
@@ -6,7 +6,7 @@ references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) date: 2022/08/12 -modified: 2023/07/13 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: 'lsass' selection_special: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml index 859caea95cf..3285947e8e9 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml @@ -6,7 +6,7 @@ references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/12 -modified: 2023/03/05 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: - '"Everyone"' @@ -28,6 +32,7 @@ detection: # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" # You could extend it for other groups and users # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" + # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c" - 'icacls ' - 'findstr ' - 'Everyone' 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 8cf7a5f6aac..1d30a9c23be 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -12,7 +12,7 @@ references: - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/07/06 -modified: 2023/10/20 +modified: 2023/11/11 tags: - attack.discovery - attack.t1057 @@ -23,25 +23,45 @@ detection: selection: CommandLine|contains: # Note: Add additional CLI to increase and enhance coverage + - 'ipconfig /all | find ' - 'ipconfig /all | findstr ' + - 'ipconfig | find ' - 'ipconfig | findstr ' + - 'ipconfig.exe /all | find ' - 'ipconfig.exe /all | findstr ' + - 'ipconfig.exe | find ' - 'ipconfig.exe | findstr ' + - 'net start | find' - 'net start | findstr' + - 'net.exe start | find' - 'net.exe start | findstr' + - 'net1 start | find' - 'net1 start | findstr' + - 'net1.exe start | find' - 'net1.exe start | findstr' + - 'netstat -ano | find' - 'netstat -ano | findstr' + - 'netstat | find' - 'netstat | findstr' + - 'netstat.exe -ano | find' - 'netstat.exe -ano | findstr' + - 'netstat.exe | find' - 'netstat.exe | findstr' + - 'ping | find' - 'ping | findstr' + - 'ping.exe | find' - 'ping.exe | findstr' + - 'systeminfo | find ' - 'systeminfo | findstr ' + - 'systeminfo.exe | find ' - 'systeminfo.exe | findstr ' + - 'tasklist | find ' - 'tasklist | findstr ' + - 'tasklist.exe | find ' - 'tasklist.exe | findstr ' + - 'whoami /all | find ' - 'whoami /all | findstr ' + - 'whoami.exe /all | find ' - 'whoami.exe /all | findstr ' condition: selection falsepositives: 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index dcecd4f14cc..d4656b0d2fc 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml @@ -13,6 +13,7 @@ references: - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/10/20 +modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -21,8 +22,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|endswith: # Note: Add additional keywords to increase and enhance coverage diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml new file mode 100644 index 00000000000..5a6705ab7ee --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml 
@@ -0,0 +1,41 @@ +title: Insensitive Subfolder Search Via Findstr.EXE +id: 04936b66-3915-43ad-a8e5-809eadfd1141 +related: + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes +status: experimental +description: | + Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +date: 2020/10/05 +modified: 2023/11/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_search_subfolder: + CommandLine|contains: + - ' /s ' + - ' -s ' + selection_cli_search_insensitive: + CommandLine|contains: + - ' /i ' + - ' -i ' + condition: selection_findstr and all of selection_cli_search_* +falsepositives: + - Administrative or software activity +level: low diff --git a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml index 08cccff9a4b..6ee265561e9 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service author: frack113 date: 2021/12/16 -modified: 2023/03/06 +modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|contains: ' 385201' # Sysmon driver default altitude condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index b34fa108768..4189681c7e0 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -6,6 +6,7 @@ references: - https://infosec.exchange/@sbousseaden/109542254124022664 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/20 +modified: 2023/11/13 tags: - attack.defense_evasion logsource: 
@@ -16,23 +17,33 @@ detection: - OriginalFileName: - 'Excel.exe' - 'MSACCESS.EXE' + - 'MSPUB.EXE' - 'OneNote.exe' + - 'OneNoteM.exe' + - 'OUTLOOK.EXE' - 'POWERPNT.EXE' - 'WinWord.exe' - Description: - 'Microsoft Access' - 'Microsoft Excel' - 'Microsoft OneNote' + - 'Microsoft Outlook' - 'Microsoft PowerPoint' + - 'Microsoft Publisher' - 'Microsoft Word' - filter: + - 'Sent to OneNote Tool' + filter_main_legit_names: Image|endswith: - '\EXCEL.exe' + - '\excelcnv.exe' - '\MSACCESS.exe' + - '\MSPUB.EXE' - '\ONENOTE.EXE' + - '\ONENOTEM.EXE' + - '\OUTLOOK.EXE' - '\POWERPNT.EXE' - '\WINWORD.exe' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml index a325b4f30a8..fe5e51754bd 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml @@ -11,7 +11,7 @@ references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023/08/01 -modified: 2023/10/17 +modified: 2023/11/11 tags: - attack.persistence - attack.privilege_escalation @@ -33,6 +33,10 @@ detection: ParentImage|endswith: ':\Windows\System32\svchost.exe' Image|endswith: ':\Windows\System32\sdbinst.exe' CommandLine|endswith: ' -mm' + filter_main_null: + CommandLine: null + filter_main_empty: + CommandLine: '' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 5130e4700d3..96b133b7eab 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -18,7 +18,7 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 -modified: 2023/11/10 +modified: 2023/11/14 tags: - attack.defense_evasion - attack.t1218.011 @@ -45,8 +45,16 @@ detection: ParentImage|contains|all: - ':\Users\' - '\AppData\Local\Microsoft\EdgeUpdate\Install\{' - ParentImage|endswith: '\setup.exe' - condition: 1 of selection_* and not 1 of filter_main_* + filter_optional_chrome_installer: + # As reported in https://github.com/SigmaHQ/sigma/issues/4570 + ParentImage|contains|all: + - ':\Users\' + - '\AppData\Local\Google\Chrome\Application\' + ParentImage|endswith: '\Installer\setup.exe' + ParentCommandLine|contains: '--uninstall --channel=stable' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: 'rundll32.exe' + condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index d55f1e293fe..3e349b6f661 100644 --- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml 
@@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core author: Tom Ueltschi (@c_APT_ure), Tim Shelton date: 2019/01/12 -modified: 2023/06/21 +modified: 2023/11/14 tags: - attack.t1037.001 - attack.persistence @@ -21,7 +21,7 @@ detection: selection: ParentImage|endswith: '\userinit.exe' filter_main_explorer: - Image: 'C:\WINDOWS\explorer.exe' + Image|endswith: ':\WINDOWS\explorer.exe' filter_optional_logonscripts: CommandLine|contains: - 'netlogon.bat' @@ -31,11 +31,18 @@ detection: # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core CommandLine: 'PowerShell.exe' filter_optional_proquota: - Image: - - 'C:\Windows\System32\proquota.exe' - - 'C:\Windows\SysWOW64\proquota.exe' + Image|endswith: + - ':\Windows\System32\proquota.exe' + - ':\Windows\SysWOW64\proquota.exe' filter_optional_citrix: - Image|endswith: '\Citrix\System32\icast.exe' + Image|endswith: + # As reported by https://github.com/SigmaHQ/sigma/issues/4569 + - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files (x86)\Citrix\System32\icast.exe' + - ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files\Citrix\System32\icast.exe' filter_optional_image_null: Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml rename to rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml index e5780d68d2e..712d72f91e6 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml @@ -1,4 +1,4 @@ -title: Proxy Execution via Wuauclt +title: Proxy Execution Via Wuauclt.EXE id: af77cf95-c469-471c-b6a0-946c685c4798 related: - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 @@ -6,13 +6,13 @@ related: - id: d7825193-b70a-48a4-b992-8b5b3015cc11 type: obsoletes status: test -description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. +description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. references: - https://dtm.uk/wuauclt/ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team date: 2020/10/12 -modified: 2023/02/13 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1218 
@@ -27,13 +27,22 @@ detection: selection_cli: CommandLine|contains|all: - 'UpdateDeploymentProvider' - - '.dll' - 'RunHandlerComServer' - filter: + filter_main_generic: + # Note: Please enhance this if you find the full path + CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + filter_main_wuaueng: + # Note: Please enhance this if you find the full path + CommandLine|contains: ' wuaueng.dll ' + filter_main_uus: CommandLine|contains: - - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' - - ' wuaueng.dll ' - condition: all of selection_* and not filter + - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' + - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' + filter_main_winsxs: + CommandLine|contains|all: + - ':\Windows\WinSxS\' + - '\UpdateDeploy.dll /ClassId ' + condition: all of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml index 202121360c6..8f29a67ea07 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml @@ -1,12 +1,13 @@ title: Suspicious Windows Update Agent Empty Cmdline id: 52d097e2-063e-4c9c-8fbb-855c8948d135 status: test -description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags +description: | + Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) date: 2022/02/26 -modified: 2022/05/13 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1036 
@@ -18,7 +19,9 @@ detection: - Image|endswith: '\Wuauclt.exe' - OriginalFileName: 'Wuauclt.exe' selection_cli: - CommandLine|endswith: '\Wuauclt.exe' + CommandLine|endswith: + - 'Wuauclt' + - 'Wuauclt.exe' condition: all of selection* falsepositives: - Unknown From 29676758841b390fae7bdc080d75c7e713f82f84 Mon Sep 17 00:00:00 2001 
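Review bot: the new condition in proc_creation_win_susp_bad_opsec_sacrificial_processes.yml, `condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_*`, requires a filter_optional_* to match instead of excluding it, so the rule would only fire on the Chrome-installer case it is meant to suppress and on nothing else. It should read `condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*`. In the same hunk `ParentImage|endswith: '\setup.exe'` is removed from the preceding EdgeUpdate filter, which widens that exclusion to any parent binary under `\AppData\Local\Microsoft\EdgeUpdate\Install\{`; if that is intended it deserves a comment, otherwise the line should stay.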
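Review bot: in both new rules, proc_creation_win_findstr_download.yml and proc_creation_win_findstr_subfolder_search.yml, `selection_findstr` uses `Image|endswith: 'findstr.exe'` and `CommandLine|contains: findstr` without the leading backslash or any delimiter, unlike the `'\findstr.exe'` form used in every other rule this patch touches, so any image name or command line containing `findstr` as a substring satisfies the selection. Suggest `- Image|endswith: '\findstr.exe'` for consistency and less noise. proc_creation_win_findstr_subfolder_search.yml also carries over `attack.t1105` and `attack.t1564.004` from the obsoleted rule although a recursive case-insensitive search is neither ingress tool transfer nor NTFS attribute hiding; trim the tags to what the rule detects. Both `selection_cli_search_*` entries require the switch to be space-delimited on both sides (`' /s '`, `' /i '`), so the combined switch form that findstr also accepts is not covered; either add it or state the limitation in the description.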
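Review bot: the added `find` entries in proc_creation_win_findstr_recon_pipe_output.yml are inconsistent about the trailing space: `'ipconfig /all | find '`, `'systeminfo | find '`, `'tasklist | find '` and `'whoami /all | find '` end with a space, while `'net start | find'`, `'netstat -ano | find'` and `'ping | find'` do not. Without the trailing space `'net start | find'` already matches `net start | findstr` and `net start | find.exe`, making the neighbouring findstr entry redundant; with it, `'ipconfig | find '` misses `find.exe` and `findstr`. Pick one convention, preferably the un-spaced form so a single entry covers `find`, `find.exe`, `findstr` and `findstr.exe`, and drop the lines that become duplicates.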
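Review bot: proc_creation_win_findstr_gpp_passwords.yml, proc_creation_win_findstr_lnk.yml, proc_creation_win_findstr_lsass.yml, proc_creation_win_findstr_recon_everyone.yml, proc_creation_win_findstr_security_keyword_lookup.yml and proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml now also match `'\find.exe'` / `'FIND.EXE'`, but each hunk changes only `selection_img` and `modified`; the titles and descriptions outside the hunks still name Findstr alone. Update the metadata so the rule names reflect both binaries, otherwise analysts triaging a `find.exe` hit will be pointed at the wrong LOLBAS entry.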
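Review bot: the new `filter_main_null` and `filter_main_empty` in proc_creation_win_sdbinst_susp_extension.yml drop events whose CommandLine was not recorded, and unlike every other filter added in this patch they carry no comment on where those events come from. Add a one-line note naming the producing log source, since the same filter also hides the case where command-line auditing is simply disabled, which the rule author may prefer to surface at a lower level rather than suppress.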
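Review bot: in proc_creation_win_renamed_office_processes.yml the filter_main_legit_names list gains `'\excelcnv.exe'` while no corresponding OriginalFileName or Description value is added to the selection, which implies the converter carries `Excel.exe` or `Microsoft Excel` in its version resource; a short comment stating which selection value it triggers would let maintainers verify the exclusion and keep it from being removed as dead. The rename of `filter` to `filter_main_legit_names` and the switch to `not 1 of filter_main_*` are fine.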
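Review bot: in proc_creation_win_wuauclt_dll_loading.yml the `'.dll'` entry is dropped from `selection_cli` (`CommandLine|contains|all`), so the selection now rests on `UpdateDeploymentProvider` and `RunHandlerComServer` alone; if the widening is intentional a comment would help, since the file is now named after DLL loading. The two `filter_main_uus` entries (`:\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId`, `:\Windows\UUS\amd64\UpdateDeploy.dll /ClassId`) are amd64-specific; confirm whether an equivalent is needed for other architectures or extend the existing "Please enhance this" note to them. In proc_creation_win_wuauclt_no_cli_flags_execution.yml, `CommandLine|endswith` on `'Wuauclt'` and `'Wuauclt.exe'` does not match an invocation written with a quoted path, where the command line ends in `"`; consider adding `'Wuauclt.exe"'`.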
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:59:17 +0100 Subject: [PATCH 14/28] Revert "Fix Further FPs Found In Testing (#4564)" This reverts commit b77a3fa9c32d4f3a63ee76523cdb3c7e75a50e84. --- README.md | 2 +- .../file_rename_win_non_dll_to_dll_ext.yml | 47 -------------- ...d.yml => win_security_defender_bypass.yml} | 24 ++++--- ..._defender_exclusions_registry_modified.yml | 30 --------- ...ndows_defender_exclusions_write_access.yml | 35 ---------- ...emote_thread_win_uncommon_source_image.yml | 17 ++--- ...t_win_create_evtx_non_common_locations.yml | 10 +-- .../file_rename_win_not_dll_to_dll.yml | 45 +++++++++++++ .../file_rename_win_ransomware.yml | 37 +++++------ ...nection_win_wuauclt_network_connection.yml | 64 ++++--------------- .../proc_creation_win_findstr_download.yml | 43 ------------- ...roc_creation_win_findstr_gpp_passwords.yml | 10 +-- .../proc_creation_win_findstr_lnk.yml | 10 +-- .../proc_creation_win_findstr_lsass.yml | 10 +-- ...oc_creation_win_findstr_recon_everyone.yml | 11 +--- ...creation_win_findstr_recon_pipe_output.yml | 22 +------ ...on_win_findstr_security_keyword_lookup.yml | 9 +-- ..._creation_win_findstr_subfolder_search.yml | 41 ------------ ..._sysmon_discovery_via_default_altitude.yml | 10 +-- .../proc_creation_win_lolbin_findstr.yml | 4 +- ...l => proc_creation_win_lolbin_wuauclt.yml} | 25 +++----- ..._creation_win_renamed_office_processes.yml | 15 +---- ...oc_creation_win_sdbinst_susp_extension.yml | 6 +- ...n_susp_bad_opsec_sacrificial_processes.yml | 14 +--- ..._win_userinit_uncommon_child_processes.yml | 19 ++---- .../proc_creation_win_wuauclt_execution.yml | 4 +- ...ion_win_wuauclt_no_cli_flags_execution.yml | 9 +-- 27 files changed, 138 insertions(+), 435 deletions(-) delete mode 100644 rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml rename rules/windows/builtin/security/{win_security_windows_defender_exclusions_write_deleted.yml => 
win_security_defender_bypass.yml} (54%) delete mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml delete mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml create mode 100644 rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_findstr_download.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml rename {deprecated/windows => rules/windows/process_creation}/proc_creation_win_lolbin_findstr.yml (97%) rename rules/windows/process_creation/{proc_creation_win_wuauclt_dll_loading.yml => proc_creation_win_lolbin_wuauclt.yml} (57%) rename {deprecated/windows => rules/windows/process_creation}/proc_creation_win_wuauclt_execution.yml (95%) diff --git a/README.md b/README.md index 2b1a586e465..1340019750e 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ If you find a false positive or would like to propose a new detection rule idea ## Credits -This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. +This project would've never reached this hight without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. ## Licenses diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml deleted file mode 100644 index 1f663fc292c..00000000000 --- a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -title: Non-DLL Extension File Renamed With DLL Extension -id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: experimental -description: | - Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. -references: - - https://twitter.com/ffforward/status/1481672378639912960 - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location -author: frack113 -date: 2022/02/19 -modified: 2023/11/11 -tags: - - attack.defense_evasion - - attack.t1036.008 - - detection.threat_hunting -logsource: - product: windows - category: file_rename - definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' -detection: - selection: - TargetFilename|endswith: '.dll' - filter_main_dll: - # Note: To avoid file renames - SourceFilename|endswith: '.dll' - filter_main_installers: - SourceFilename|endswith: '.tmp' - filter_main_empty_source: - SourceFilename: '' - filter_main_null_source: - SourceFilename: null - filter_main_tiworker: - Image|contains: ':\Windows\WinSxS\' - Image|endswith: '\TiWorker.exe' - filter_main_upgrade: - - Image|endswith: ':\Windows\System32\wuauclt.exe' - - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\' - filter_main_generic: - Image|contains: - - ':\Program Files (x86)\' - - ':\Program Files\' - filter_optional_squirrel: - SourceFilename|contains: '\SquirrelTemp\temp' - condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* -falsepositives: - - Likely from installers and temporary locations -level: medium 
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml b/rules/windows/builtin/security/win_security_defender_bypass.yml similarity index 54% rename from rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml rename to rules/windows/builtin/security/win_security_defender_bypass.yml index b207c81b499..a975119eda6 100644 --- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml +++ b/rules/windows/builtin/security/win_security_defender_bypass.yml @@ -1,18 +1,12 @@ -title: Windows Defender Exclusion Deleted -id: a33f8808-2812-4373-ae95-8cfb82134978 -related: - - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d - type: derived - - id: 46a68649-f218-4f86-aea1-16a759d81820 - type: derived +title: Windows Defender Exclusion Set +id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d status: test -description: | - Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions +description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' date: 2019/10/26 -modified: 2023/11/11 +modified: 2021/11/27 tags: - attack.defense_evasion - attack.t1562.001 @@ -22,9 +16,13 @@ logsource: definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: selection: - EventID: 4660 # An object was deleted. + EventID: + - 4657 + - 4656 + - 4660 + - 4663 ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' condition: selection falsepositives: - - Unknown -level: medium + - Intended inclusions by administrator +level: high 
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml deleted file mode 100644 index 7d4de724c2e..00000000000 --- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml +++ /dev/null @@ -1,30 +0,0 @@ -title: Windows Defender Exclusion List Modified -id: 46a68649-f218-4f86-aea1-16a759d81820 -related: - - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d - type: derived - - id: a33f8808-2812-4373-ae95-8cfb82134978 - type: derived -status: test -description: | - Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. -references: - - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ -author: '@BarryShooshooga' -date: 2019/10/26 -modified: 2023/11/11 -tags: - - attack.defense_evasion - - attack.t1562.001 -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' -detection: - selection: - EventID: 4657 # A registry value was modified. - ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' - condition: selection -falsepositives: - - Intended exclusions by administrators -level: medium diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml deleted file mode 100644 index b7dfbafedf0..00000000000 --- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -title: Windows Defender Exclusion Reigstry Key - Write Access Requested -id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d -related: - - id: 46a68649-f218-4f86-aea1-16a759d81820 - type: derived - - id: a33f8808-2812-4373-ae95-8cfb82134978 - type: derived -status: test -description: | - Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. -references: - - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ -author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)' -date: 2019/10/26 -modified: 2023/11/11 -tags: - - attack.defense_evasion - - attack.t1562.001 -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' -detection: - selection: - AccessList|contains: - - '%%4417' # WriteData - - '%%4418' # AppendData - EventID: - - 4656 # A handle to an object was requested. - - 4663 # An attempt was made to access an object. - ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' - condition: selection -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index af4ed0f32c8..321e57290f2 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml 
@@ -7,7 +7,7 @@ references: - https://lolbas-project.github.io author: Perez Diego (@darkquassar), oscd.community date: 2019/10/27 -modified: 2023/11/11 +modified: 2023/09/06 tags: - attack.privilege_escalation - attack.defense_evasion @@ -72,9 +72,9 @@ detection: - ':\Windows\System32\services.exe' # happens on Windows 7 - ':\Windows\System32\wininit.exe' # happens on Windows 7 - ':\Windows\System32\csrss.exe' # multiple OS - - ':\Windows\System32\LogonUI.exe' # multiple OS filter_main_winlogon_2: SourceImage: 'C:\Windows\System32\winlogon.exe' + TargetParentImage: 'System' TargetParentProcessId: 4 filter_main_schtasks_conhost: SourceImage|endswith: @@ -84,19 +84,10 @@ detection: filter_main_explorer: SourceImage|endswith: ':\Windows\explorer.exe' TargetImage|endswith: - - ':\Program Files (x86)\' - - ':\Program Files\' - - ':\Windows\System32\' - - ':\Windows\SysWOW64\' + - ':\Windows\System32\mmc.exe' + - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' filter_main_system: TargetImage: 'System' - filter_main_msiexec: - # Note: MSI installers will trigger this - SourceImage|endswith: '\msiexec.exe' - TargetImage|contains: - - '\AppData\Local\' - - ':\Program Files (x86)\' - - ':\Program Files\' filter_optional_powerpnt: # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 SourceImage|contains: '\Microsoft Office\' diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 02eedbdff08..9e973c66e76 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml 
@@ -18,14 +18,14 @@ detection: selection: TargetFilename|endswith: '.evtx' filter_main_path: - TargetFilename|contains: ':\Windows\System32\winevt\Logs\' + TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' filter_main_baseimage: - TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\' + TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' TargetFilename|endswith: '\Windows\System32\winevt\Logs\' filter_main_generic_img: - Image|endswith: - - ':\Windows\explorer.exe' - - ':\Windows\system32\dllhost.exe' + Image: + - 'C:\Windows\explorer.exe' + - 'C:\Windows\system32\dllhost.exe' condition: selection and not 1 of filter_main_* falsepositives: - Administrator or backup activity diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml new file mode 100644 index 00000000000..23de6de3334 --- /dev/null +++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml 
@@ -0,0 +1,45 @@ +title: Rename Common File to DLL File +id: bbfd974c-248e-4435-8de6-1e938c79c5c1 +status: test +description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection +references: + - https://twitter.com/ffforward/status/1481672378639912960 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location +author: frack113 +date: 2022/02/19 +modified: 2023/01/02 +tags: + - attack.defense_evasion + - attack.t1036.008 +logsource: + product: windows + category: file_rename + definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' +detection: + to_dll: + TargetFilename|endswith: '.dll' + filter_from_dll: + - SourceFilename|endswith: + - '.dll' + - '.tmp' # VSCode FP + - SourceFilename|contains: + - '.dll.' + - '\SquirrelTemp\temp' + filter_empty_source: + SourceFilename: '' + filter_non_existing_source: + SourceFilename: null + filter_tiworker: + Image|startswith: 'C:\Windows\WinSxS\' + Image|endswith: '\TiWorker.exe' + filter_upgrade: + - Image: 'C:\Windows\System32\wuauclt.exe' + - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\' + filter_program_files: + Image|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + condition: to_dll and not 1 of filter* +falsepositives: + - Application installation +level: medium diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index b1b6e9a28dc..f0cca6f2cf3 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml 
@@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2023/11/11 +modified: 2023/01/02 tags: - attack.impact - attack.t1486 @@ -18,40 +18,35 @@ logsource: detection: selection: SourceFilename|endswith: - - '.doc' - - '.docx' - - '.jpeg' - - '.jpg' - '.lnk' - - '.pdf' - - '.png' - - '.pst' - '.rtf' - - '.xls' + - '.pst' + - '.docx' - '.xlsx' + - '.jpg' + - '.jpeg' + - '.png' + - '.pdf' TargetFilename|contains: - - '.doc.' - - '.docx.' - - '.jpeg.' - - '.jpg.' - '.lnk.' - - '.pdf.' - - '.png.' - - '.pst.' - '.rtf.' - - '.xls.' + - '.pst.' + - '.docx.' - '.xlsx.' + - '.jpg.' + - '.jpeg.' + - '.png.' + - '.pdf.' filter_main_generic: TargetFilename|endswith: - # Note: Please add more used extensions by backup or recovery software - - '.backup' + - '.tmp' - '.bak' - '.old' - '.orig' + - '.backup' - '.temp' - - '.tmp' filter_optional_anaconda: - TargetFilename|contains: ':\ProgramData\Anaconda3\' + TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' TargetFilename|endswith: '.c~' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index f79a6af8531..c9771233ef2 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml 
@@ -1,58 +1,27 @@ -title: Potentially Suspicious Wuauclt Network Connection +title: Wuauclt Network Connection id: c649a6c7-cd8c-4a78-9c04-000fc76df954 status: test description: | - Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. - One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. + Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. + One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2023/11/11 +modified: 2023/01/20 tags: - attack.defense_evasion - attack.t1218 logsource: category: network_connection product: windows - definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.' detection: selection: Image|contains: 'wuauclt' - CommandLine|contains: ' /RunHandlerComServer' # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer - filter_main_ipv4: - DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml - - '10.' - - '127.' - - '169.254.' 
# link-local address - - '172.16' - - '172.17' - - '172.18' - - '172.19' - - '172.20' - - '172.21' - - '172.22' - - '172.23' - - '172.24' - - '172.25' - - '172.26' - - '172.27' - - '172.28' - - '172.29' - - '172.30' - - '172.31' - - '192.168' - filter_main_ipv6: + filter_msrange: # Sysmon DestinationIp|startswith: - - '::1' - - '0:0:0:0:0:0:0:1' # IPv6 loopback variant - - 'fe80:' # link-local address - - 'fc' # private address range fc00::/7 - - 'fd' # private address range fc00::/7 - filter_main_msrange: # Sysmon - DestinationIp|startswith: - # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others + # Subnet: 20.184.0.0/13 - '20.184.' - '20.185.' - '20.186.' @@ -61,27 +30,16 @@ detection: - '20.189.' - '20.190.' - '20.191.' - - '20.220.' - - '20.221.' - '23.79.' - '51.10.' + # Subnet: 51.103.210.0/23 - '51.103.' - '51.104.' - '51.105.' - '52.239.' - filter_main_uus: - CommandLine|contains: - - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' - - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' - filter_main_winsxs|all: - CommandLine|contains: - - ':\Windows\WinSxS\' - - '\UpdateDeploy.dll /ClassId ' - filter_main_cli_null: - CommandLine: null - filter_main_cli_empty: - CommandLine: '' - condition: selection and not 1 of filter_main_* + filter_cmdline: + CommandLine|contains: '\UpdateDeploy.dll /ClassId ' + condition: selection and not 1 of filter_* falsepositives: - - Unknown + - Legitimate use of wuauclt.exe over the network. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml deleted file mode 100644 index cef27141ca2..00000000000 --- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -title: Remote File Download Via Findstr.EXE -id: 587254ee-a24b-4335-b3cd-065c0f1f4baa -related: - - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f - type: obsoletes -status: experimental -description: | - Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. -references: - - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ - - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) -date: 2020/10/05 -modified: 2023/11/12 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.t1564.004 - - attack.t1552.001 - - attack.t1105 -logsource: - category: process_creation - product: windows -detection: - selection_findstr: - - CommandLine|contains: findstr - - Image|endswith: 'findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' - selection_cli_download_1: - CommandLine|contains: - - ' /v ' - - ' -v ' - selection_cli_download_2: - CommandLine|contains: - - ' /l ' - - ' -l ' - selection_cli_download_3: - CommandLine|contains: '\\\\' - condition: selection_findstr and all of selection_cli_download_* -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 0da44623449..2c5d81cd8fb 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr author: frack113 date: 2021/12/27 -modified: 2023/11/11 +modified: 2023/03/06 tags: - attack.credential_access - attack.t1552.006 @@ -15,12 +15,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_cli: CommandLine|contains|all: - 'cpassword' diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml index a37c9d8bf24..9618ac0a69c 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml @@ -6,7 +6,7 @@ references: - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/ author: Trent Liffick date: 2020/05/01 -modified: 2023/11/11 +modified: 2023/03/06 tags: - attack.defense_evasion - attack.t1036 @@ -17,12 +17,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_cli: CommandLine|endswith: '.lnk' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index 5941a31c969..e9b33ee1f1b 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml 
@@ -6,7 +6,7 @@ references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) date: 2022/08/12 -modified: 2023/11/11 +modified: 2023/07/13 tags: - attack.credential_access - attack.t1552.006 @@ -15,12 +15,8 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: 'lsass' selection_special: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml index 3285947e8e9..859caea95cf 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml @@ -6,7 +6,7 @@ references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/12 -modified: 2023/11/11 +modified: 2023/03/05 tags: - attack.credential_access - attack.t1552.006 @@ -15,12 +15,8 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: - '"Everyone"' @@ -32,7 +28,6 @@ detection: # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" # You could extend it for other groups and users # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" - # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c" - 'icacls ' - 'findstr ' - 'Everyone' 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 1d30a9c23be..8cf7a5f6aac 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -12,7 +12,7 @@ references: - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/07/06 -modified: 2023/11/11 +modified: 2023/10/20 tags: - attack.discovery - attack.t1057 @@ -23,45 +23,25 @@ detection: selection: CommandLine|contains: # Note: Add additional CLI to increase and enhance coverage - - 'ipconfig /all | find ' - 'ipconfig /all | findstr ' - - 'ipconfig | find ' - 'ipconfig | findstr ' - - 'ipconfig.exe /all | find ' - 'ipconfig.exe /all | findstr ' - - 'ipconfig.exe | find ' - 'ipconfig.exe | findstr ' - - 'net start | find' - 'net start | findstr' - - 'net.exe start | find' - 'net.exe start | findstr' - - 'net1 start | find' - 'net1 start | findstr' - - 'net1.exe start | find' - 'net1.exe start | findstr' - - 'netstat -ano | find' - 'netstat -ano | findstr' - - 'netstat | find' - 'netstat | findstr' - - 'netstat.exe -ano | find' - 'netstat.exe -ano | findstr' - - 'netstat.exe | find' - 'netstat.exe | findstr' - - 'ping | find' - 'ping | findstr' - - 'ping.exe | find' - 'ping.exe | findstr' - - 'systeminfo | find ' - 'systeminfo | findstr ' - - 'systeminfo.exe | find ' - 'systeminfo.exe | findstr ' - - 'tasklist | find ' - 'tasklist | findstr ' - - 'tasklist.exe | find ' - 'tasklist.exe | findstr ' - - 'whoami /all | find ' - 'whoami /all | findstr ' - - 'whoami.exe /all | find ' - 'whoami.exe /all | findstr ' condition: selection falsepositives: 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index d4656b0d2fc..dcecd4f14cc 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml @@ -13,7 +13,6 @@ references: - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/10/20 -modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -22,12 +21,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_cli: CommandLine|endswith: # Note: Add additional keywords to increase and enhance coverage diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml deleted file mode 100644 index 5a6705ab7ee..00000000000 --- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: Insensitive Subfolder Search Via Findstr.EXE -id: 04936b66-3915-43ad-a8e5-809eadfd1141 -related: - - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f - type: obsoletes -status: experimental -description: | - Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. -references: - - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ - - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) -date: 2020/10/05 -modified: 2023/11/12 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.t1564.004 - - attack.t1552.001 - - attack.t1105 -logsource: - category: process_creation - product: windows -detection: - selection_findstr: - - CommandLine|contains: findstr - - Image|endswith: 'findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' - selection_cli_search_subfolder: - CommandLine|contains: - - ' /s ' - - ' -s ' - selection_cli_search_insensitive: - CommandLine|contains: - - ' /i ' - - ' -i ' - condition: selection_findstr and all of selection_cli_search_* -falsepositives: - - Administrative or software activity -level: low diff --git a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml index 6ee265561e9..08cccff9a4b 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service author: frack113 date: 2021/12/16 -modified: 2023/11/14 +modified: 2023/03/06 tags: - attack.discovery - attack.t1518.001 @@ -15,12 +15,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_cli: CommandLine|contains: ' 385201' # Sysmon driver default altitude condition: all of selection_* diff --git a/deprecated/windows/proc_creation_win_lolbin_findstr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml similarity index 97% rename from deprecated/windows/proc_creation_win_lolbin_findstr.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml index b6f955121c5..e67e3bece5a 100644 --- a/deprecated/windows/proc_creation_win_lolbin_findstr.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml @@ -1,6 +1,6 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f -status: deprecated +status: test description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ @@ -8,7 +8,7 @@ references: - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali' date: 2020/10/05 -modified: 2022/10/12 +modified: 2022/10/11 tags: - attack.defense_evasion - attack.t1218 
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml index 712d72f91e6..e5780d68d2e 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml @@ -1,4 +1,4 @@ -title: Proxy Execution Via Wuauclt.EXE +title: Proxy Execution via Wuauclt id: af77cf95-c469-471c-b6a0-946c685c4798 related: - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 @@ -6,13 +6,13 @@ related: - id: d7825193-b70a-48a4-b992-8b5b3015cc11 type: obsoletes status: test -description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. +description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. references: - https://dtm.uk/wuauclt/ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team date: 2020/10/12 -modified: 2023/11/11 +modified: 2023/02/13 tags: - attack.defense_evasion - attack.t1218 
@@ -27,22 +27,13 @@ detection: selection_cli: CommandLine|contains|all: - 'UpdateDeploymentProvider' + - '.dll' - 'RunHandlerComServer' - filter_main_generic: - # Note: Please enhance this if you find the full path - CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' - filter_main_wuaueng: - # Note: Please enhance this if you find the full path - CommandLine|contains: ' wuaueng.dll ' - filter_main_uus: + filter: CommandLine|contains: - - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' - - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' - filter_main_winsxs: - CommandLine|contains|all: - - ':\Windows\WinSxS\' - - '\UpdateDeploy.dll /ClassId ' - condition: all of selection_* and not 1 of filter_main_* + - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + - ' wuaueng.dll ' + condition: all of selection_* and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index 4189681c7e0..b34fa108768 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -6,7 +6,6 @@ references: - https://infosec.exchange/@sbousseaden/109542254124022664 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/20 -modified: 2023/11/13 tags: - attack.defense_evasion logsource: 
@@ -17,33 +16,23 @@ detection: - OriginalFileName: - 'Excel.exe' - 'MSACCESS.EXE' - - 'MSPUB.EXE' - 'OneNote.exe' - - 'OneNoteM.exe' - - 'OUTLOOK.EXE' - 'POWERPNT.EXE' - 'WinWord.exe' - Description: - 'Microsoft Access' - 'Microsoft Excel' - 'Microsoft OneNote' - - 'Microsoft Outlook' - 'Microsoft PowerPoint' - - 'Microsoft Publisher' - 'Microsoft Word' - - 'Sent to OneNote Tool' - filter_main_legit_names: + filter: Image|endswith: - '\EXCEL.exe' - - '\excelcnv.exe' - '\MSACCESS.exe' - - '\MSPUB.EXE' - '\ONENOTE.EXE' - - '\ONENOTEM.EXE' - - '\OUTLOOK.EXE' - '\POWERPNT.EXE' - '\WINWORD.exe' - condition: selection and not 1 of filter_main_* + condition: selection and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml index fe5e51754bd..a325b4f30a8 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml @@ -11,7 +11,7 @@ references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023/08/01 -modified: 2023/11/11 +modified: 2023/10/17 tags: - attack.persistence - attack.privilege_escalation @@ -33,10 +33,6 @@ detection: ParentImage|endswith: ':\Windows\System32\svchost.exe' Image|endswith: ':\Windows\System32\sdbinst.exe' CommandLine|endswith: ' -mm' - filter_main_null: - CommandLine: null - filter_main_empty: - CommandLine: '' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 96b133b7eab..5130e4700d3 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -18,7 +18,7 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 -modified: 2023/11/14 +modified: 2023/11/10 tags: - attack.defense_evasion - attack.t1218.011 @@ -45,16 +45,8 @@ detection: ParentImage|contains|all: - ':\Users\' - '\AppData\Local\Microsoft\EdgeUpdate\Install\{' - filter_optional_chrome_installer: - # As reported in https://github.com/SigmaHQ/sigma/issues/4570 - ParentImage|contains|all: - - ':\Users\' - - '\AppData\Local\Google\Chrome\Application\' - ParentImage|endswith: '\Installer\setup.exe' - ParentCommandLine|contains: '--uninstall --channel=stable' - Image|endswith: '\rundll32.exe' - CommandLine|endswith: 'rundll32.exe' - condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_* + ParentImage|endswith: '\setup.exe' + condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index 3e349b6f661..d55f1e293fe 100644 --- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml 
@@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core author: Tom Ueltschi (@c_APT_ure), Tim Shelton date: 2019/01/12 -modified: 2023/11/14 +modified: 2023/06/21 tags: - attack.t1037.001 - attack.persistence @@ -21,7 +21,7 @@ detection: selection: ParentImage|endswith: '\userinit.exe' filter_main_explorer: - Image|endswith: ':\WINDOWS\explorer.exe' + Image: 'C:\WINDOWS\explorer.exe' filter_optional_logonscripts: CommandLine|contains: - 'netlogon.bat' @@ -31,18 +31,11 @@ detection: # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core CommandLine: 'PowerShell.exe' filter_optional_proquota: - Image|endswith: - - ':\Windows\System32\proquota.exe' - - ':\Windows\SysWOW64\proquota.exe' + Image: + - 'C:\Windows\System32\proquota.exe' + - 'C:\Windows\SysWOW64\proquota.exe' filter_optional_citrix: - Image|endswith: - # As reported by https://github.com/SigmaHQ/sigma/issues/4569 - - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - - ':\Program Files (x86)\Citrix\System32\icast.exe' - - ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - - ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - - ':\Program Files\Citrix\System32\icast.exe' + Image|endswith: '\Citrix\System32\icast.exe' filter_optional_image_null: Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* 
diff --git a/deprecated/windows/proc_creation_win_wuauclt_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml similarity index 95% rename from deprecated/windows/proc_creation_win_wuauclt_execution.yml rename to rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml index 2b053596d63..7d0c45e9291 100644 --- a/deprecated/windows/proc_creation_win_wuauclt_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml @@ -1,12 +1,12 @@ title: Windows Update Client LOLBIN id: d7825193-b70a-48a4-b992-8b5b3015cc11 -status: deprecated +status: test description: Detects code execution via the Windows Update client (wuauclt) references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2023/11/11 +modified: 2022/05/13 tags: - attack.command_and_control - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml index 8f29a67ea07..202121360c6 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml @@ -1,13 +1,12 @@ title: Suspicious Windows Update Agent Empty Cmdline id: 52d097e2-063e-4c9c-8fbb-855c8948d135 status: test -description: | - Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags +description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) date: 2022/02/26 -modified: 2023/11/11 +modified: 2022/05/13 tags: - attack.defense_evasion - attack.t1036 
@@ -19,9 +18,7 @@ detection: - Image|endswith: '\Wuauclt.exe' - OriginalFileName: 'Wuauclt.exe' selection_cli: - CommandLine|endswith: - - 'Wuauclt' - - 'Wuauclt.exe' + CommandLine|endswith: '\Wuauclt.exe' condition: all of selection* falsepositives: - Unknown From dddd7cd7fb5355e4c2fcde14d11d47187515e275 Mon Sep 17 00:00:00 2001 
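Review bot: the switch from 'TargetFilename|contains: ':\Windows\System32\winevt\Logs\'' to 'TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'' (and from 'Image|endswith: ':\Windows\explorer.exe'' to the exact 'Image: 'C:\Windows\explorer.exe'') in win_create_evtx_non_common_locations.yml hardcodes the system drive letter, so on a host where Windows lives on another drive the filters stop matching and the rule fires on routine event-log writes. The same regression appears in file_rename_win_not_dll_to_dll.yml (filter_tiworker, filter_upgrade, filter_program_files), file_rename_win_ransomware.yml (filter_optional_anaconda) and proc_creation_win_userinit_uncommon_child_processes.yml (filter_main_explorer, filter_optional_proquota). Keep the drive-agnostic ':\...' form with contains/endswith.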
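Review bot: several rules change their detection logic while moving the modified date backwards (file_rename_win_ransomware.yml 2023/11/11 -> 2023/01/02, net_connection_win_wuauclt_network_connection.yml -> 2023/01/20, the proc_creation_win_findstr_* rules -> 2023/03/05 to 2023/07/13, proc_creation_win_sdbinst_susp_extension.yml -> 2023/10/17, proc_creation_win_susp_bad_opsec_sacrificial_processes.yml -> 2023/11/10, proc_creation_win_userinit_uncommon_child_processes.yml -> 2023/06/21, proc_creation_win_lolbin_findstr.yml -> 2022/10/11), and proc_creation_win_renamed_office_processes.yml and proc_creation_win_findstr_security_keyword_lookup.yml drop the modified field entirely. A modified date should only move forward; if this is meant as a revert of an earlier merge, label it as such and still set the dates to the day of this change, otherwise consumers that track rule updates by that field will miss it.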
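Review bot: dropping filter_main_ipv4 and filter_main_ipv6 together with the ' /RunHandlerComServer' selection in net_connection_win_wuauclt_network_connection.yml turns the rule into "any wuauclt.exe connection not to a handful of Microsoft prefixes", so loopback, link-local and RFC 1918 destinations now alert. The logsource definition stating that CommandLine enrichment is required is removed even though the remaining filter_cmdline still keys on CommandLine, and filter_main_cli_null / filter_main_cli_empty are gone, so events without enrichment match the selection and are not excluded by any filter. Minor: the rewritten description reads "making a network connections", and the '51.103.' prefix matches all of 51.103.0.0/16, not the 51.103.210.0/23 named in the new comment above it.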
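Review bot: file_rename_win_ransomware.yml silently drops '.doc' and '.xls' (and their '.doc.' / '.xls.' TargetFilename counterparts) from the selection, so renames of legacy Office documents no longer match; the removed comment asking contributors to extend the backup-extension filter is also gone. If the extension list is being reordered rather than reduced, '.doc' and '.xls' should stay.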
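Review bot: the proc_creation_win_findstr_* hunks remove '\find.exe' / 'FIND.EXE' from selection_img and every '| find ' variant from proc_creation_win_findstr_recon_pipe_output.yml, so the same command lines run through find.exe instead of findstr.exe no longer match, and the explanatory note in proc_creation_win_findstr_recon_everyone.yml about the selection only matching handler-style invocations ("cmd /c", "powershell -c") is deleted. proc_creation_win_findstr_download.yml and proc_creation_win_findstr_subfolder_search.yml are removed outright and the rule they obsoleted, proc_creation_win_lolbin_findstr.yml (bf6c39fc-e203-45b9-9538-05397c1b4f3f), is moved back from deprecated/ to status: test. Only the header of the revived rule is in the diff, so it is not visible whether its detection block still covers the '/v' + '/l' + '\\' and '/s' + '/i' cases the deleted rules encoded; please confirm that or keep the two specific rules.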
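Review bot: in proc_creation_win_lolbin_wuauclt.yml the path-specific allowlists filter_main_uus and filter_main_winsxs (':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' and ':\Windows\WinSxS\' + '\UpdateDeploy.dll /ClassId ') are replaced by a single filter matching only the bare ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' and ' wuaueng.dll ' strings. Those filters were presumably added for legitimate Windows Update invocations that pass the full UpdateDeploy.dll path; if such invocations also carry 'UpdateDeploymentProvider' and 'RunHandlerComServer' they match selection_cli again after this change. The rule also keeps 'related: - id: d7825193-b70a-48a4-b992-8b5b3015cc11 type: obsoletes' while this same patch moves that rule (proc_creation_win_wuauclt_execution.yml) back from deprecated/ to status: test, so an active rule now declares another active rule obsolete; one of the two should change.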
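Review bot: proc_creation_win_renamed_office_processes.yml drops 'OUTLOOK.EXE', 'MSPUB.EXE', 'OneNoteM.exe', the matching Description values and the '\excelcnv.exe' / '\OUTLOOK.EXE' / '\MSPUB.EXE' / '\ONENOTEM.EXE' exclusions from the filter, so a renamed Outlook or Publisher binary no longer alerts. If those entries were causing false positives, the filter list is the place to widen, not the OriginalFileName selection.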
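Review bot: proc_creation_win_sdbinst_susp_extension.yml removes filter_main_null and filter_main_empty but keeps 'condition: selection and not 1 of filter_main_*'; with no filter_main_* identifier left in the detection block, the condition references a pattern that resolves to nothing and the rule will fail validation and conversion. Either change the condition to 'selection' or keep one of the filters. The two filters were redundant anyway, since 'CommandLine|endswith: ' -mm'' cannot match a null or empty command line, so 'condition: selection' is the cleaner fix.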
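Review bot: proc_creation_win_susp_bad_opsec_sacrificial_processes.yml drops filter_optional_chrome_installer, which was added for the false positive reported in issue #4570, and instead appends 'ParentImage|endswith: '\setup.exe'' to the preceding EdgeUpdate filter. That only tightens the Edge filter (both ParentImage conditions must now hold) and leaves the Chrome uninstaller case unhandled, so the #4570 false positive returns. Note also that the old condition read '... and 1 of filter_optional_*' without a 'not', so the removed filter never suppressed anything as written; the right fix is to restore it under 'and not 1 of filter_optional_*'.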
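Review bot: proc_creation_win_userinit_uncommon_child_processes.yml collapses the Citrix filter from the six explicit paths added for issue #4569 (cmstart.exe and icast.exe under HDX\bin and System32, for both Program Files variants) to the single 'Image|endswith: '\Citrix\System32\icast.exe'', so the cmstart.exe and HDX\bin\icast.exe children reported in that issue alert again. If a shorter list is the goal, 'Image|endswith' with '\Citrix\HDX\bin\cmstart.exe', '\Citrix\HDX\bin\icast.exe' and '\Citrix\System32\icast.exe' keeps the coverage without enumerating the Program Files variants.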
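Review bot: in proc_creation_win_wuauclt_no_cli_flags_execution.yml, replacing the 'Wuauclt' / 'Wuauclt.exe' list with 'CommandLine|endswith: '\Wuauclt.exe'' requires a backslash before the image name, so an invocation whose command line is just 'wuauclt.exe' (resolved via PATH, no directory) or 'wuauclt' without the extension no longer matches, although that is exactly the flag-less case the rule is meant to catch. Keep the two bare suffixes.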
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:59:42 +0100 Subject: [PATCH 15/28] Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing This reverts commit 29676758841b390fae7bdc080d75c7e713f82f84. --- README.md | 2 +- .../proc_creation_win_lolbin_findstr.yml | 4 +- .../proc_creation_win_wuauclt_execution.yml | 4 +- .../file_rename_win_non_dll_to_dll_ext.yml | 47 ++++++++++++++ ..._defender_exclusions_registry_modified.yml | 30 +++++++++ ...ndows_defender_exclusions_write_access.yml | 35 ++++++++++ ...ows_defender_exclusions_write_deleted.yml} | 24 +++---- ...emote_thread_win_uncommon_source_image.yml | 17 +++-- ...t_win_create_evtx_non_common_locations.yml | 10 +-- .../file_rename_win_not_dll_to_dll.yml | 45 ------------- .../file_rename_win_ransomware.yml | 37 ++++++----- ...nection_win_wuauclt_network_connection.yml | 64 +++++++++++++++---- .../proc_creation_win_findstr_download.yml | 43 +++++++++++++ ...roc_creation_win_findstr_gpp_passwords.yml | 10 ++- .../proc_creation_win_findstr_lnk.yml | 10 ++- .../proc_creation_win_findstr_lsass.yml | 10 ++- ...oc_creation_win_findstr_recon_everyone.yml | 11 +++- ...creation_win_findstr_recon_pipe_output.yml | 22 ++++++- ...on_win_findstr_security_keyword_lookup.yml | 9 ++- ..._creation_win_findstr_subfolder_search.yml | 41 ++++++++++++ ..._sysmon_discovery_via_default_altitude.yml | 10 ++- ..._creation_win_renamed_office_processes.yml | 15 ++++- ...oc_creation_win_sdbinst_susp_extension.yml | 6 +- ...n_susp_bad_opsec_sacrificial_processes.yml | 14 +++- ..._win_userinit_uncommon_child_processes.yml | 19 ++++-- ...proc_creation_win_wuauclt_dll_loading.yml} | 25 +++++--- ...ion_win_wuauclt_no_cli_flags_execution.yml | 9 ++- 27 files changed, 435 insertions(+), 138 deletions(-) rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_lolbin_findstr.yml (97%) rename {rules/windows/process_creation => 
deprecated/windows}/proc_creation_win_wuauclt_execution.yml (95%) create mode 100644 rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml create mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml create mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml rename rules/windows/builtin/security/{win_security_defender_bypass.yml => win_security_windows_defender_exclusions_write_deleted.yml} (54%) delete mode 100644 rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_download.yml create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_wuauclt.yml => proc_creation_win_wuauclt_dll_loading.yml} (57%) diff --git a/README.md b/README.md index 1340019750e..2b1a586e465 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ If you find a false positive or would like to propose a new detection rule idea ## Credits -This project would've never reached this hight without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. +This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. ## Licenses diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/deprecated/windows/proc_creation_win_lolbin_findstr.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml rename to deprecated/windows/proc_creation_win_lolbin_findstr.yml index e67e3bece5a..b6f955121c5 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml +++ b/deprecated/windows/proc_creation_win_lolbin_findstr.yml 
@@ -1,6 +1,6 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f -status: test +status: deprecated description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ @@ -8,7 +8,7 @@ references: - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali' date: 2020/10/05 -modified: 2022/10/11 +modified: 2022/10/12 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml b/deprecated/windows/proc_creation_win_wuauclt_execution.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml rename to deprecated/windows/proc_creation_win_wuauclt_execution.yml index 7d0c45e9291..2b053596d63 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml +++ b/deprecated/windows/proc_creation_win_wuauclt_execution.yml @@ -1,12 +1,12 @@ title: Windows Update Client LOLBIN id: d7825193-b70a-48a4-b992-8b5b3015cc11 -status: test +status: deprecated description: Detects code execution via the Windows Update client (wuauclt) references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2022/05/13 +modified: 2023/11/11 tags: - attack.command_and_control - attack.execution diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml new file mode 100644 index 00000000000..1f663fc292c --- /dev/null +++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml 
@@ -0,0 +1,47 @@ +title: Non-DLL Extension File Renamed With DLL Extension +id: bbfd974c-248e-4435-8de6-1e938c79c5c1 +status: experimental +description: | + Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. +references: + - https://twitter.com/ffforward/status/1481672378639912960 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location +author: frack113 +date: 2022/02/19 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1036.008 + - detection.threat_hunting +logsource: + product: windows + category: file_rename + definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' +detection: + selection: + TargetFilename|endswith: '.dll' + filter_main_dll: + # Note: To avoid file renames + SourceFilename|endswith: '.dll' + filter_main_installers: + SourceFilename|endswith: '.tmp' + filter_main_empty_source: + SourceFilename: '' + filter_main_null_source: + SourceFilename: null + filter_main_tiworker: + Image|contains: ':\Windows\WinSxS\' + Image|endswith: '\TiWorker.exe' + filter_main_upgrade: + - Image|endswith: ':\Windows\System32\wuauclt.exe' + - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\' + filter_main_generic: + Image|contains: + - ':\Program Files (x86)\' + - ':\Program Files\' + filter_optional_squirrel: + SourceFilename|contains: '\SquirrelTemp\temp' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Likely from installers and temporary locations +level: medium 
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml new file mode 100644 index 00000000000..7d4de724c2e --- /dev/null +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml @@ -0,0 +1,30 @@ +title: Windows Defender Exclusion List Modified +id: 46a68649-f218-4f86-aea1-16a759d81820 +related: + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived +status: test +description: | + Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: '@BarryShooshooga' +date: 2019/10/26 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + EventID: 4657 # A registry value was modified. + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Intended exclusions by administrators +level: medium diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml new file mode 100644 index 00000000000..b7dfbafedf0 --- /dev/null +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml 
@@ -0,0 +1,35 @@ +title: Windows Defender Exclusion Reigstry Key - Write Access Requested +id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +related: + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived +status: test +description: | + Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)' +date: 2019/10/26 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + AccessList|contains: + - '%%4417' # WriteData + - '%%4418' # AppendData + EventID: + - 4656 # A handle to an object was requested. + - 4663 # An attempt was made to access an object. + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/builtin/security/win_security_defender_bypass.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml similarity index 54% rename from rules/windows/builtin/security/win_security_defender_bypass.yml rename to rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml index a975119eda6..b207c81b499 100644 --- a/rules/windows/builtin/security/win_security_defender_bypass.yml +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml 
@@ -1,12 +1,18 @@ -title: Windows Defender Exclusion Set -id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +title: Windows Defender Exclusion Deleted +id: a33f8808-2812-4373-ae95-8cfb82134978 +related: + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived status: test -description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender +description: | + Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' date: 2019/10/26 -modified: 2021/11/27 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1562.001 @@ -16,13 +22,9 @@ logsource: definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: selection: - EventID: - - 4657 - - 4656 - - 4660 - - 4663 + EventID: 4660 # An object was deleted. ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' condition: selection falsepositives: - - Intended inclusions by administrator -level: high + - Unknown +level: medium diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index 321e57290f2..af4ed0f32c8 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml 
@@ -7,7 +7,7 @@ references: - https://lolbas-project.github.io author: Perez Diego (@darkquassar), oscd.community date: 2019/10/27 -modified: 2023/09/06 +modified: 2023/11/11 tags: - attack.privilege_escalation - attack.defense_evasion @@ -72,9 +72,9 @@ detection: - ':\Windows\System32\services.exe' # happens on Windows 7 - ':\Windows\System32\wininit.exe' # happens on Windows 7 - ':\Windows\System32\csrss.exe' # multiple OS + - ':\Windows\System32\LogonUI.exe' # multiple OS filter_main_winlogon_2: SourceImage: 'C:\Windows\System32\winlogon.exe' - TargetParentImage: 'System' TargetParentProcessId: 4 filter_main_schtasks_conhost: SourceImage|endswith: @@ -84,10 +84,19 @@ detection: filter_main_explorer: SourceImage|endswith: ':\Windows\explorer.exe' TargetImage|endswith: - - ':\Windows\System32\mmc.exe' - - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' + - ':\Program Files (x86)\' + - ':\Program Files\' + - ':\Windows\System32\' + - ':\Windows\SysWOW64\' filter_main_system: TargetImage: 'System' + filter_main_msiexec: + # Note: MSI installers will trigger this + SourceImage|endswith: '\msiexec.exe' + TargetImage|contains: + - '\AppData\Local\' + - ':\Program Files (x86)\' + - ':\Program Files\' filter_optional_powerpnt: # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 SourceImage|contains: '\Microsoft Office\' diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 9e973c66e76..02eedbdff08 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml 
@@ -18,14 +18,14 @@ detection: selection: TargetFilename|endswith: '.evtx' filter_main_path: - TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' + TargetFilename|contains: ':\Windows\System32\winevt\Logs\' filter_main_baseimage: - TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' + TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\' TargetFilename|endswith: '\Windows\System32\winevt\Logs\' filter_main_generic_img: - Image: - - 'C:\Windows\explorer.exe' - - 'C:\Windows\system32\dllhost.exe' + Image|endswith: + - ':\Windows\explorer.exe' + - ':\Windows\system32\dllhost.exe' condition: selection and not 1 of filter_main_* falsepositives: - Administrator or backup activity diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml deleted file mode 100644 index 23de6de3334..00000000000 --- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -title: Rename Common File to DLL File -id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: test -description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection -references: - - https://twitter.com/ffforward/status/1481672378639912960 - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location -author: frack113 -date: 2022/02/19 -modified: 2023/01/02 -tags: - - attack.defense_evasion - - attack.t1036.008 -logsource: - product: windows - category: file_rename - definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' -detection: - to_dll: - TargetFilename|endswith: '.dll' - filter_from_dll: - - SourceFilename|endswith: - - '.dll' - - '.tmp' # VSCode FP - - SourceFilename|contains: - - '.dll.' - - '\SquirrelTemp\temp' - filter_empty_source: - SourceFilename: '' - filter_non_existing_source: - SourceFilename: null - filter_tiworker: - Image|startswith: 'C:\Windows\WinSxS\' - Image|endswith: '\TiWorker.exe' - filter_upgrade: - - Image: 'C:\Windows\System32\wuauclt.exe' - - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\' - filter_program_files: - Image|startswith: - - 'C:\Program Files (x86)\' - - 'C:\Program Files\' - condition: to_dll and not 1 of filter* -falsepositives: - - Application installation -level: medium diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index f0cca6f2cf3..b1b6e9a28dc 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml 
@@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2023/01/02 +modified: 2023/11/11 tags: - attack.impact - attack.t1486 @@ -18,35 +18,40 @@ logsource: detection: selection: SourceFilename|endswith: - - '.lnk' - - '.rtf' - - '.pst' + - '.doc' - '.docx' - - '.xlsx' - - '.jpg' - '.jpeg' - - '.png' + - '.jpg' + - '.lnk' - '.pdf' + - '.png' + - '.pst' + - '.rtf' + - '.xls' + - '.xlsx' TargetFilename|contains: - - '.lnk.' - - '.rtf.' - - '.pst.' + - '.doc.' - '.docx.' - - '.xlsx.' - - '.jpg.' - '.jpeg.' - - '.png.' + - '.jpg.' + - '.lnk.' - '.pdf.' + - '.png.' + - '.pst.' + - '.rtf.' + - '.xls.' + - '.xlsx.' filter_main_generic: TargetFilename|endswith: - - '.tmp' + # Note: Please add more used extensions by backup or recovery software + - '.backup' - '.bak' - '.old' - '.orig' - - '.backup' - '.temp' + - '.tmp' filter_optional_anaconda: - TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' + TargetFilename|contains: ':\ProgramData\Anaconda3\' TargetFilename|endswith: '.c~' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index c9771233ef2..f79a6af8531 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml 
@@ -1,27 +1,58 @@ -title: Wuauclt Network Connection +title: Potentially Suspicious Wuauclt Network Connection id: c649a6c7-cd8c-4a78-9c04-000fc76df954 status: test description: | - Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. - One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. + Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. + One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2023/01/20 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1218 logsource: category: network_connection product: windows + definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.' detection: selection: Image|contains: 'wuauclt' + CommandLine|contains: ' /RunHandlerComServer' # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer - filter_msrange: # Sysmon + filter_main_ipv4: + DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml + - '10.' + - '127.' + - '169.254.' 
# link-local address + - '172.16' + - '172.17' + - '172.18' + - '172.19' + - '172.20' + - '172.21' + - '172.22' + - '172.23' + - '172.24' + - '172.25' + - '172.26' + - '172.27' + - '172.28' + - '172.29' + - '172.30' + - '172.31' + - '192.168' + filter_main_ipv6: DestinationIp|startswith: - # Subnet: 20.184.0.0/13 + - '::1' + - '0:0:0:0:0:0:0:1' # IPv6 loopback variant + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 + filter_main_msrange: # Sysmon + DestinationIp|startswith: + # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others - '20.184.' - '20.185.' - '20.186.' @@ -30,16 +61,27 @@ detection: - '20.189.' - '20.190.' - '20.191.' + - '20.220.' + - '20.221.' - '23.79.' - '51.10.' - # Subnet: 51.103.210.0/23 - '51.103.' - '51.104.' - '51.105.' - '52.239.' - filter_cmdline: - CommandLine|contains: '\UpdateDeploy.dll /ClassId ' - condition: selection and not 1 of filter_* + filter_main_uus: + CommandLine|contains: + - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' + - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' + filter_main_winsxs|all: + CommandLine|contains: + - ':\Windows\WinSxS\' + - '\UpdateDeploy.dll /ClassId ' + filter_main_cli_null: + CommandLine: null + filter_main_cli_empty: + CommandLine: '' + condition: selection and not 1 of filter_main_* falsepositives: - - Legitimate use of wuauclt.exe over the network. + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml new file mode 100644 index 00000000000..cef27141ca2 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml 
@@ -0,0 +1,43 @@ +title: Remote File Download Via Findstr.EXE +id: 587254ee-a24b-4335-b3cd-065c0f1f4baa +related: + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes +status: experimental +description: | + Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +date: 2020/10/05 +modified: 2023/11/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_download_1: + CommandLine|contains: + - ' /v ' + - ' -v ' + selection_cli_download_2: + CommandLine|contains: + - ' /l ' + - ' -l ' + selection_cli_download_3: + CommandLine|contains: '\\\\' + condition: selection_findstr and all of selection_cli_download_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 2c5d81cd8fb..0da44623449 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr author: frack113 date: 2021/12/27 -modified: 2023/03/06 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|contains|all: - 'cpassword' diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml index 9618ac0a69c..a37c9d8bf24 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml @@ -6,7 +6,7 @@ references: - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/ author: Trent Liffick date: 2020/05/01 -modified: 2023/03/06 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1036 @@ -17,8 +17,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|endswith: '.lnk' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index e9b33ee1f1b..5941a31c969 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml 
@@ -6,7 +6,7 @@ references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) date: 2022/08/12 -modified: 2023/07/13 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: 'lsass' selection_special: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml index 859caea95cf..3285947e8e9 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml @@ -6,7 +6,7 @@ references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/12 -modified: 2023/03/05 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: - '"Everyone"' @@ -28,6 +32,7 @@ detection: # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" # You could extend it for other groups and users # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" + # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c" - 'icacls ' - 'findstr ' - 'Everyone' 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 8cf7a5f6aac..1d30a9c23be 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -12,7 +12,7 @@ references: - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/07/06 -modified: 2023/10/20 +modified: 2023/11/11 tags: - attack.discovery - attack.t1057 @@ -23,25 +23,45 @@ detection: selection: CommandLine|contains: # Note: Add additional CLI to increase and enhance coverage + - 'ipconfig /all | find ' - 'ipconfig /all | findstr ' + - 'ipconfig | find ' - 'ipconfig | findstr ' + - 'ipconfig.exe /all | find ' - 'ipconfig.exe /all | findstr ' + - 'ipconfig.exe | find ' - 'ipconfig.exe | findstr ' + - 'net start | find' - 'net start | findstr' + - 'net.exe start | find' - 'net.exe start | findstr' + - 'net1 start | find' - 'net1 start | findstr' + - 'net1.exe start | find' - 'net1.exe start | findstr' + - 'netstat -ano | find' - 'netstat -ano | findstr' + - 'netstat | find' - 'netstat | findstr' + - 'netstat.exe -ano | find' - 'netstat.exe -ano | findstr' + - 'netstat.exe | find' - 'netstat.exe | findstr' + - 'ping | find' - 'ping | findstr' + - 'ping.exe | find' - 'ping.exe | findstr' + - 'systeminfo | find ' - 'systeminfo | findstr ' + - 'systeminfo.exe | find ' - 'systeminfo.exe | findstr ' + - 'tasklist | find ' - 'tasklist | findstr ' + - 'tasklist.exe | find ' - 'tasklist.exe | findstr ' + - 'whoami /all | find ' - 'whoami /all | findstr ' + - 'whoami.exe /all | find ' - 'whoami.exe /all | findstr ' condition: selection falsepositives: 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index dcecd4f14cc..d4656b0d2fc 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml @@ -13,6 +13,7 @@ references: - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/10/20 +modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -21,8 +22,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|endswith: # Note: Add additional keywords to increase and enhance coverage diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml new file mode 100644 index 00000000000..5a6705ab7ee --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml 
@@ -0,0 +1,41 @@ +title: Insensitive Subfolder Search Via Findstr.EXE +id: 04936b66-3915-43ad-a8e5-809eadfd1141 +related: + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes +status: experimental +description: | + Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +date: 2020/10/05 +modified: 2023/11/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_search_subfolder: + CommandLine|contains: + - ' /s ' + - ' -s ' + selection_cli_search_insensitive: + CommandLine|contains: + - ' /i ' + - ' -i ' + condition: selection_findstr and all of selection_cli_search_* +falsepositives: + - Administrative or software activity +level: low diff --git a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml index 08cccff9a4b..6ee265561e9 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service author: frack113 date: 2021/12/16 -modified: 2023/03/06 +modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|contains: ' 385201' # Sysmon driver default altitude condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index b34fa108768..4189681c7e0 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -6,6 +6,7 @@ references: - https://infosec.exchange/@sbousseaden/109542254124022664 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/20 +modified: 2023/11/13 tags: - attack.defense_evasion logsource: 
@@ -16,23 +17,33 @@ detection: - OriginalFileName: - 'Excel.exe' - 'MSACCESS.EXE' + - 'MSPUB.EXE' - 'OneNote.exe' + - 'OneNoteM.exe' + - 'OUTLOOK.EXE' - 'POWERPNT.EXE' - 'WinWord.exe' - Description: - 'Microsoft Access' - 'Microsoft Excel' - 'Microsoft OneNote' + - 'Microsoft Outlook' - 'Microsoft PowerPoint' + - 'Microsoft Publisher' - 'Microsoft Word' - filter: + - 'Sent to OneNote Tool' + filter_main_legit_names: Image|endswith: - '\EXCEL.exe' + - '\excelcnv.exe' - '\MSACCESS.exe' + - '\MSPUB.EXE' - '\ONENOTE.EXE' + - '\ONENOTEM.EXE' + - '\OUTLOOK.EXE' - '\POWERPNT.EXE' - '\WINWORD.exe' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml index a325b4f30a8..fe5e51754bd 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml @@ -11,7 +11,7 @@ references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023/08/01 -modified: 2023/10/17 +modified: 2023/11/11 tags: - attack.persistence - attack.privilege_escalation @@ -33,6 +33,10 @@ detection: ParentImage|endswith: ':\Windows\System32\svchost.exe' Image|endswith: ':\Windows\System32\sdbinst.exe' CommandLine|endswith: ' -mm' + filter_main_null: + CommandLine: null + filter_main_empty: + CommandLine: '' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 5130e4700d3..96b133b7eab 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -18,7 +18,7 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 -modified: 2023/11/10 +modified: 2023/11/14 tags: - attack.defense_evasion - attack.t1218.011 @@ -45,8 +45,16 @@ detection: ParentImage|contains|all: - ':\Users\' - '\AppData\Local\Microsoft\EdgeUpdate\Install\{' - ParentImage|endswith: '\setup.exe' - condition: 1 of selection_* and not 1 of filter_main_* + filter_optional_chrome_installer: + # As reported in https://github.com/SigmaHQ/sigma/issues/4570 + ParentImage|contains|all: + - ':\Users\' + - '\AppData\Local\Google\Chrome\Application\' + ParentImage|endswith: '\Installer\setup.exe' + ParentCommandLine|contains: '--uninstall --channel=stable' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: 'rundll32.exe' + condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index d55f1e293fe..3e349b6f661 100644 --- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml 
@@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core author: Tom Ueltschi (@c_APT_ure), Tim Shelton date: 2019/01/12 -modified: 2023/06/21 +modified: 2023/11/14 tags: - attack.t1037.001 - attack.persistence @@ -21,7 +21,7 @@ detection: selection: ParentImage|endswith: '\userinit.exe' filter_main_explorer: - Image: 'C:\WINDOWS\explorer.exe' + Image|endswith: ':\WINDOWS\explorer.exe' filter_optional_logonscripts: CommandLine|contains: - 'netlogon.bat' @@ -31,11 +31,18 @@ detection: # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core CommandLine: 'PowerShell.exe' filter_optional_proquota: - Image: - - 'C:\Windows\System32\proquota.exe' - - 'C:\Windows\SysWOW64\proquota.exe' + Image|endswith: + - ':\Windows\System32\proquota.exe' + - ':\Windows\SysWOW64\proquota.exe' filter_optional_citrix: - Image|endswith: '\Citrix\System32\icast.exe' + Image|endswith: + # As reported by https://github.com/SigmaHQ/sigma/issues/4569 + - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files (x86)\Citrix\System32\icast.exe' + - ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files\Citrix\System32\icast.exe' filter_optional_image_null: Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml rename to rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml index e5780d68d2e..712d72f91e6 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml @@ -1,4 +1,4 @@ -title: Proxy Execution via Wuauclt +title: Proxy Execution Via Wuauclt.EXE id: af77cf95-c469-471c-b6a0-946c685c4798 related: - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 @@ -6,13 +6,13 @@ related: - id: d7825193-b70a-48a4-b992-8b5b3015cc11 type: obsoletes status: test -description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. +description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. references: - https://dtm.uk/wuauclt/ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team date: 2020/10/12 -modified: 2023/02/13 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1218 
@@ -27,13 +27,22 @@ detection: selection_cli: CommandLine|contains|all: - 'UpdateDeploymentProvider' - - '.dll' - 'RunHandlerComServer' - filter: + filter_main_generic: + # Note: Please enhance this if you find the full path + CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + filter_main_wuaueng: + # Note: Please enhance this if you find the full path + CommandLine|contains: ' wuaueng.dll ' + filter_main_uus: CommandLine|contains: - - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' - - ' wuaueng.dll ' - condition: all of selection_* and not filter + - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' + - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' + filter_main_winsxs: + CommandLine|contains|all: + - ':\Windows\WinSxS\' + - '\UpdateDeploy.dll /ClassId ' + condition: all of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml index 202121360c6..8f29a67ea07 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml @@ -1,12 +1,13 @@ title: Suspicious Windows Update Agent Empty Cmdline id: 52d097e2-063e-4c9c-8fbb-855c8948d135 status: test -description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags +description: | + Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) date: 2022/02/26 -modified: 2022/05/13 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1036 
@@ -18,7 +19,9 @@ detection: - Image|endswith: '\Wuauclt.exe' - OriginalFileName: 'Wuauclt.exe' selection_cli: - CommandLine|endswith: '\Wuauclt.exe' + CommandLine|endswith: + - 'Wuauclt' + - 'Wuauclt.exe' condition: all of selection* falsepositives: - Unknown From 8dbf7b9094aa5197dc733db6bb4c9c8324937bd9 Mon Sep 17 00:00:00 2001 
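Review bot: In the Sysmon default-altitude discovery rule (first hunk, `' 385201' # Sysmon driver default altitude`) the new `\find.exe` / `FIND.EXE` entries in `selection_img` gain almost no coverage, because `selection_cli` still requires `' 385201'` with a leading space while find.exe takes its search string in double quotes (`find "385201"`), so the character before the digits is `"`, not a space. Add a quoted variant such as `- '"385201'` to the `CommandLine|contains` list (or drop the leading space) so the widened image selection actually matches find.exe invocations.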
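Review bot: The new condition in proc_creation_win_susp_bad_opsec_sacrificial_processes.yml, `condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_*`, inverts the optional filter: the rule now fires only when the Chrome installer case matches and is silent for every real sacrificial-process case. It should read `... and not 1 of filter_optional_*`. Also confirm that removing `ParentImage|endswith: '\setup.exe'` from the EdgeUpdate filter just above it is intended, since that filter now accepts any parent image under `\AppData\Local\Microsoft\EdgeUpdate\Install\{`.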
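Review bot: In proc_creation_win_wuauclt_dll_loading.yml the path-less substrings in `filter_main_wuaueng` (`' wuaueng.dll '`) and `filter_main_generic` (`UpdateDeploymentProvider.dll` with no directory) let an attacker suppress the alert by naming the dropped DLL wuaueng.dll or UpdateDeploymentProvider.dll in any writable directory; the `# Note: Please enhance this if you find the full path` comments acknowledge this, but for a `level: high` rule it should be tracked in an issue rather than left as a comment. Separately, check that the UUS and WinSxS command lines that `filter_main_uus` and `filter_main_winsxs` target actually contain the `UpdateDeploymentProvider` token that `selection_cli` still requires via `contains|all`; the legitimate command line quoted later in this series (`/DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId ... /RunHandlerComServer` in net_connection_win_wuauclt_network_connection.yml) does not, in which case those two filters never apply here and could be dropped.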
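Review bot: In proc_creation_win_wuauclt_no_cli_flags_execution.yml the new `CommandLine|endswith` values `'Wuauclt'` and `'Wuauclt.exe'` still miss the quoted form of the same flag-less invocation (`"C:\Windows\System32\wuauclt.exe"`), which ends in `"` rather than `e`; add `'Wuauclt.exe"'` to the list. Note also that `'Wuauclt'` as a bare suffix matches any command line whose last token ends in that string, which is acceptable for the rule's intent but worth a comment next to the value.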
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 15 Nov 2023 15:34:51 +0100 Subject: [PATCH 16/28] Revert "Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing" This reverts commit dddd7cd7fb5355e4c2fcde14d11d47187515e275. --- README.md | 2 +- .../file_rename_win_non_dll_to_dll_ext.yml | 47 -------------- ...d.yml => win_security_defender_bypass.yml} | 24 ++++--- ..._defender_exclusions_registry_modified.yml | 30 --------- ...ndows_defender_exclusions_write_access.yml | 35 ---------- ...emote_thread_win_uncommon_source_image.yml | 17 ++--- ...t_win_create_evtx_non_common_locations.yml | 10 +-- .../file_rename_win_not_dll_to_dll.yml | 45 +++++++++++++ .../file_rename_win_ransomware.yml | 37 +++++------ ...nection_win_wuauclt_network_connection.yml | 64 ++++--------------- .../proc_creation_win_findstr_download.yml | 43 ------------- ...roc_creation_win_findstr_gpp_passwords.yml | 10 +-- .../proc_creation_win_findstr_lnk.yml | 10 +-- .../proc_creation_win_findstr_lsass.yml | 10 +-- ...oc_creation_win_findstr_recon_everyone.yml | 11 +--- ...creation_win_findstr_recon_pipe_output.yml | 22 +------ ...on_win_findstr_security_keyword_lookup.yml | 9 +-- ..._creation_win_findstr_subfolder_search.yml | 41 ------------ ..._sysmon_discovery_via_default_altitude.yml | 10 +-- .../proc_creation_win_lolbin_findstr.yml | 4 +- ...l => proc_creation_win_lolbin_wuauclt.yml} | 25 +++----- ..._creation_win_renamed_office_processes.yml | 15 +---- ...oc_creation_win_sdbinst_susp_extension.yml | 6 +- ...n_susp_bad_opsec_sacrificial_processes.yml | 14 +--- ..._win_userinit_uncommon_child_processes.yml | 19 ++---- .../proc_creation_win_wuauclt_execution.yml | 4 +- ...ion_win_wuauclt_no_cli_flags_execution.yml | 9 +-- 27 files changed, 138 insertions(+), 435 deletions(-) delete mode 100644 rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml rename 
rules/windows/builtin/security/{win_security_windows_defender_exclusions_write_deleted.yml => win_security_defender_bypass.yml} (54%) delete mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml delete mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml create mode 100644 rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_findstr_download.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml rename {deprecated/windows => rules/windows/process_creation}/proc_creation_win_lolbin_findstr.yml (97%) rename rules/windows/process_creation/{proc_creation_win_wuauclt_dll_loading.yml => proc_creation_win_lolbin_wuauclt.yml} (57%) rename {deprecated/windows => rules/windows/process_creation}/proc_creation_win_wuauclt_execution.yml (95%) diff --git a/README.md b/README.md index 2b1a586e465..1340019750e 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ If you find a false positive or would like to propose a new detection rule idea ## Credits -This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. +This project would've never reached this hight without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. ## Licenses diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml deleted file mode 100644 index 1f663fc292c..00000000000 --- a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -title: Non-DLL Extension File Renamed With DLL Extension -id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: experimental -description: | - Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. -references: - - https://twitter.com/ffforward/status/1481672378639912960 - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location -author: frack113 -date: 2022/02/19 -modified: 2023/11/11 -tags: - - attack.defense_evasion - - attack.t1036.008 - - detection.threat_hunting -logsource: - product: windows - category: file_rename - definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' -detection: - selection: - TargetFilename|endswith: '.dll' - filter_main_dll: - # Note: To avoid file renames - SourceFilename|endswith: '.dll' - filter_main_installers: - SourceFilename|endswith: '.tmp' - filter_main_empty_source: - SourceFilename: '' - filter_main_null_source: - SourceFilename: null - filter_main_tiworker: - Image|contains: ':\Windows\WinSxS\' - Image|endswith: '\TiWorker.exe' - filter_main_upgrade: - - Image|endswith: ':\Windows\System32\wuauclt.exe' - - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\' - filter_main_generic: - Image|contains: - - ':\Program Files (x86)\' - - ':\Program Files\' - filter_optional_squirrel: - SourceFilename|contains: '\SquirrelTemp\temp' - condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* -falsepositives: - - Likely from installers and temporary locations -level: medium 
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml b/rules/windows/builtin/security/win_security_defender_bypass.yml similarity index 54% rename from rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml rename to rules/windows/builtin/security/win_security_defender_bypass.yml index b207c81b499..a975119eda6 100644 --- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml +++ b/rules/windows/builtin/security/win_security_defender_bypass.yml @@ -1,18 +1,12 @@ -title: Windows Defender Exclusion Deleted -id: a33f8808-2812-4373-ae95-8cfb82134978 -related: - - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d - type: derived - - id: 46a68649-f218-4f86-aea1-16a759d81820 - type: derived +title: Windows Defender Exclusion Set +id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d status: test -description: | - Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions +description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' date: 2019/10/26 -modified: 2023/11/11 +modified: 2021/11/27 tags: - attack.defense_evasion - attack.t1562.001 @@ -22,9 +16,13 @@ logsource: definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: selection: - EventID: 4660 # An object was deleted. + EventID: + - 4657 + - 4656 + - 4660 + - 4663 ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' condition: selection falsepositives: - - Unknown -level: medium + - Intended inclusions by administrator +level: high 
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml deleted file mode 100644 index 7d4de724c2e..00000000000 --- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml +++ /dev/null @@ -1,30 +0,0 @@ -title: Windows Defender Exclusion List Modified -id: 46a68649-f218-4f86-aea1-16a759d81820 -related: - - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d - type: derived - - id: a33f8808-2812-4373-ae95-8cfb82134978 - type: derived -status: test -description: | - Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. -references: - - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ -author: '@BarryShooshooga' -date: 2019/10/26 -modified: 2023/11/11 -tags: - - attack.defense_evasion - - attack.t1562.001 -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' -detection: - selection: - EventID: 4657 # A registry value was modified. - ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' - condition: selection -falsepositives: - - Intended exclusions by administrators -level: medium diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml deleted file mode 100644 index b7dfbafedf0..00000000000 --- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -title: Windows Defender Exclusion Reigstry Key - Write Access Requested -id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d -related: - - id: 46a68649-f218-4f86-aea1-16a759d81820 - type: derived - - id: a33f8808-2812-4373-ae95-8cfb82134978 - type: derived -status: test -description: | - Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. -references: - - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ -author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)' -date: 2019/10/26 -modified: 2023/11/11 -tags: - - attack.defense_evasion - - attack.t1562.001 -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' -detection: - selection: - AccessList|contains: - - '%%4417' # WriteData - - '%%4418' # AppendData - EventID: - - 4656 # A handle to an object was requested. - - 4663 # An attempt was made to access an object. - ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' - condition: selection -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index af4ed0f32c8..321e57290f2 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml 
@@ -7,7 +7,7 @@ references: - https://lolbas-project.github.io author: Perez Diego (@darkquassar), oscd.community date: 2019/10/27 -modified: 2023/11/11 +modified: 2023/09/06 tags: - attack.privilege_escalation - attack.defense_evasion @@ -72,9 +72,9 @@ detection: - ':\Windows\System32\services.exe' # happens on Windows 7 - ':\Windows\System32\wininit.exe' # happens on Windows 7 - ':\Windows\System32\csrss.exe' # multiple OS - - ':\Windows\System32\LogonUI.exe' # multiple OS filter_main_winlogon_2: SourceImage: 'C:\Windows\System32\winlogon.exe' + TargetParentImage: 'System' TargetParentProcessId: 4 filter_main_schtasks_conhost: SourceImage|endswith: @@ -84,19 +84,10 @@ detection: filter_main_explorer: SourceImage|endswith: ':\Windows\explorer.exe' TargetImage|endswith: - - ':\Program Files (x86)\' - - ':\Program Files\' - - ':\Windows\System32\' - - ':\Windows\SysWOW64\' + - ':\Windows\System32\mmc.exe' + - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' filter_main_system: TargetImage: 'System' - filter_main_msiexec: - # Note: MSI installers will trigger this - SourceImage|endswith: '\msiexec.exe' - TargetImage|contains: - - '\AppData\Local\' - - ':\Program Files (x86)\' - - ':\Program Files\' filter_optional_powerpnt: # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 SourceImage|contains: '\Microsoft Office\' diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 02eedbdff08..9e973c66e76 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml 
@@ -18,14 +18,14 @@ detection: selection: TargetFilename|endswith: '.evtx' filter_main_path: - TargetFilename|contains: ':\Windows\System32\winevt\Logs\' + TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' filter_main_baseimage: - TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\' + TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' TargetFilename|endswith: '\Windows\System32\winevt\Logs\' filter_main_generic_img: - Image|endswith: - - ':\Windows\explorer.exe' - - ':\Windows\system32\dllhost.exe' + Image: + - 'C:\Windows\explorer.exe' + - 'C:\Windows\system32\dllhost.exe' condition: selection and not 1 of filter_main_* falsepositives: - Administrator or backup activity diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml new file mode 100644 index 00000000000..23de6de3334 --- /dev/null +++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml 
@@ -0,0 +1,45 @@ +title: Rename Common File to DLL File +id: bbfd974c-248e-4435-8de6-1e938c79c5c1 +status: test +description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection +references: + - https://twitter.com/ffforward/status/1481672378639912960 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location +author: frack113 +date: 2022/02/19 +modified: 2023/01/02 +tags: + - attack.defense_evasion + - attack.t1036.008 +logsource: + product: windows + category: file_rename + definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' +detection: + to_dll: + TargetFilename|endswith: '.dll' + filter_from_dll: + - SourceFilename|endswith: + - '.dll' + - '.tmp' # VSCode FP + - SourceFilename|contains: + - '.dll.' + - '\SquirrelTemp\temp' + filter_empty_source: + SourceFilename: '' + filter_non_existing_source: + SourceFilename: null + filter_tiworker: + Image|startswith: 'C:\Windows\WinSxS\' + Image|endswith: '\TiWorker.exe' + filter_upgrade: + - Image: 'C:\Windows\System32\wuauclt.exe' + - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\' + filter_program_files: + Image|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + condition: to_dll and not 1 of filter* +falsepositives: + - Application installation +level: medium diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index b1b6e9a28dc..f0cca6f2cf3 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml 
@@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2023/11/11 +modified: 2023/01/02 tags: - attack.impact - attack.t1486 @@ -18,40 +18,35 @@ logsource: detection: selection: SourceFilename|endswith: - - '.doc' - - '.docx' - - '.jpeg' - - '.jpg' - '.lnk' - - '.pdf' - - '.png' - - '.pst' - '.rtf' - - '.xls' + - '.pst' + - '.docx' - '.xlsx' + - '.jpg' + - '.jpeg' + - '.png' + - '.pdf' TargetFilename|contains: - - '.doc.' - - '.docx.' - - '.jpeg.' - - '.jpg.' - '.lnk.' - - '.pdf.' - - '.png.' - - '.pst.' - '.rtf.' - - '.xls.' + - '.pst.' + - '.docx.' - '.xlsx.' + - '.jpg.' + - '.jpeg.' + - '.png.' + - '.pdf.' filter_main_generic: TargetFilename|endswith: - # Note: Please add more used extensions by backup or recovery software - - '.backup' + - '.tmp' - '.bak' - '.old' - '.orig' + - '.backup' - '.temp' - - '.tmp' filter_optional_anaconda: - TargetFilename|contains: ':\ProgramData\Anaconda3\' + TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' TargetFilename|endswith: '.c~' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index f79a6af8531..c9771233ef2 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml 
@@ -1,58 +1,27 @@ -title: Potentially Suspicious Wuauclt Network Connection +title: Wuauclt Network Connection id: c649a6c7-cd8c-4a78-9c04-000fc76df954 status: test description: | - Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. - One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. + Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. + One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2023/11/11 +modified: 2023/01/20 tags: - attack.defense_evasion - attack.t1218 logsource: category: network_connection product: windows - definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.' detection: selection: Image|contains: 'wuauclt' - CommandLine|contains: ' /RunHandlerComServer' # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer - filter_main_ipv4: - DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml - - '10.' - - '127.' - - '169.254.' 
# link-local address - - '172.16' - - '172.17' - - '172.18' - - '172.19' - - '172.20' - - '172.21' - - '172.22' - - '172.23' - - '172.24' - - '172.25' - - '172.26' - - '172.27' - - '172.28' - - '172.29' - - '172.30' - - '172.31' - - '192.168' - filter_main_ipv6: + filter_msrange: # Sysmon DestinationIp|startswith: - - '::1' - - '0:0:0:0:0:0:0:1' # IPv6 loopback variant - - 'fe80:' # link-local address - - 'fc' # private address range fc00::/7 - - 'fd' # private address range fc00::/7 - filter_main_msrange: # Sysmon - DestinationIp|startswith: - # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others + # Subnet: 20.184.0.0/13 - '20.184.' - '20.185.' - '20.186.' @@ -61,27 +30,16 @@ detection: - '20.189.' - '20.190.' - '20.191.' - - '20.220.' - - '20.221.' - '23.79.' - '51.10.' + # Subnet: 51.103.210.0/23 - '51.103.' - '51.104.' - '51.105.' - '52.239.' - filter_main_uus: - CommandLine|contains: - - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' - - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' - filter_main_winsxs|all: - CommandLine|contains: - - ':\Windows\WinSxS\' - - '\UpdateDeploy.dll /ClassId ' - filter_main_cli_null: - CommandLine: null - filter_main_cli_empty: - CommandLine: '' - condition: selection and not 1 of filter_main_* + filter_cmdline: + CommandLine|contains: '\UpdateDeploy.dll /ClassId ' + condition: selection and not 1 of filter_* falsepositives: - - Unknown + - Legitimate use of wuauclt.exe over the network. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml deleted file mode 100644 index cef27141ca2..00000000000 --- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -title: Remote File Download Via Findstr.EXE -id: 587254ee-a24b-4335-b3cd-065c0f1f4baa -related: - - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f - type: obsoletes -status: experimental -description: | - Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. -references: - - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ - - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) -date: 2020/10/05 -modified: 2023/11/12 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.t1564.004 - - attack.t1552.001 - - attack.t1105 -logsource: - category: process_creation - product: windows -detection: - selection_findstr: - - CommandLine|contains: findstr - - Image|endswith: 'findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' - selection_cli_download_1: - CommandLine|contains: - - ' /v ' - - ' -v ' - selection_cli_download_2: - CommandLine|contains: - - ' /l ' - - ' -l ' - selection_cli_download_3: - CommandLine|contains: '\\\\' - condition: selection_findstr and all of selection_cli_download_* -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 0da44623449..2c5d81cd8fb 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr author: frack113 date: 2021/12/27 -modified: 2023/11/11 +modified: 2023/03/06 tags: - attack.credential_access - attack.t1552.006 @@ -15,12 +15,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_cli: CommandLine|contains|all: - 'cpassword' diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml index a37c9d8bf24..9618ac0a69c 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml @@ -6,7 +6,7 @@ references: - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/ author: Trent Liffick date: 2020/05/01 -modified: 2023/11/11 +modified: 2023/03/06 tags: - attack.defense_evasion - attack.t1036 @@ -17,12 +17,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_cli: CommandLine|endswith: '.lnk' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index 5941a31c969..e9b33ee1f1b 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml 
@@ -6,7 +6,7 @@ references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) date: 2022/08/12 -modified: 2023/11/11 +modified: 2023/07/13 tags: - attack.credential_access - attack.t1552.006 @@ -15,12 +15,8 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: 'lsass' selection_special: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml index 3285947e8e9..859caea95cf 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml @@ -6,7 +6,7 @@ references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/12 -modified: 2023/11/11 +modified: 2023/03/05 tags: - attack.credential_access - attack.t1552.006 @@ -15,12 +15,8 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: - '"Everyone"' @@ -32,7 +28,6 @@ detection: # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" # You could extend it for other groups and users # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" - # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c" - 'icacls ' - 'findstr ' - 'Everyone' 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 1d30a9c23be..8cf7a5f6aac 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -12,7 +12,7 @@ references: - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/07/06 -modified: 2023/11/11 +modified: 2023/10/20 tags: - attack.discovery - attack.t1057 @@ -23,45 +23,25 @@ detection: selection: CommandLine|contains: # Note: Add additional CLI to increase and enhance coverage - - 'ipconfig /all | find ' - 'ipconfig /all | findstr ' - - 'ipconfig | find ' - 'ipconfig | findstr ' - - 'ipconfig.exe /all | find ' - 'ipconfig.exe /all | findstr ' - - 'ipconfig.exe | find ' - 'ipconfig.exe | findstr ' - - 'net start | find' - 'net start | findstr' - - 'net.exe start | find' - 'net.exe start | findstr' - - 'net1 start | find' - 'net1 start | findstr' - - 'net1.exe start | find' - 'net1.exe start | findstr' - - 'netstat -ano | find' - 'netstat -ano | findstr' - - 'netstat | find' - 'netstat | findstr' - - 'netstat.exe -ano | find' - 'netstat.exe -ano | findstr' - - 'netstat.exe | find' - 'netstat.exe | findstr' - - 'ping | find' - 'ping | findstr' - - 'ping.exe | find' - 'ping.exe | findstr' - - 'systeminfo | find ' - 'systeminfo | findstr ' - - 'systeminfo.exe | find ' - 'systeminfo.exe | findstr ' - - 'tasklist | find ' - 'tasklist | findstr ' - - 'tasklist.exe | find ' - 'tasklist.exe | findstr ' - - 'whoami /all | find ' - 'whoami /all | findstr ' - - 'whoami.exe /all | find ' - 'whoami.exe /all | findstr ' condition: selection falsepositives: 
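Review bot: in `proc_creation_win_findstr_recon_pipe_output.yml`, several of the removed `'... | find'` entries were strict prefixes of the surviving `findstr` entries (`'net start | find'` vs `'net start | findstr'`), so for those pairs the `find` line alone covered both binaries; the removal only costs `find.exe` coverage where an entry carries a trailing space (`'ipconfig /all | find '` does not match `ipconfig /all | findstr`). The surviving list is also inconsistent about that trailing space (`'tasklist | findstr '` vs `'netstat | findstr'`), and every entry assumes exactly one space on each side of the pipe, so `tasklist |findstr` or a double space is not matched; consider normalising the entries and recording the spacing assumption next to the existing `# Note: Add additional CLI to increase and enhance coverage` comment.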
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index d4656b0d2fc..dcecd4f14cc 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml @@ -13,7 +13,6 @@ references: - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/10/20 -modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -22,12 +21,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_cli: CommandLine|endswith: # Note: Add additional keywords to increase and enhance coverage diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml deleted file mode 100644 index 5a6705ab7ee..00000000000 --- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: Insensitive Subfolder Search Via Findstr.EXE -id: 04936b66-3915-43ad-a8e5-809eadfd1141 -related: - - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f - type: obsoletes -status: experimental -description: | - Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. -references: - - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ - - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) -date: 2020/10/05 -modified: 2023/11/12 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.t1564.004 - - attack.t1552.001 - - attack.t1105 -logsource: - category: process_creation - product: windows -detection: - selection_findstr: - - CommandLine|contains: findstr - - Image|endswith: 'findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' - selection_cli_search_subfolder: - CommandLine|contains: - - ' /s ' - - ' -s ' - selection_cli_search_insensitive: - CommandLine|contains: - - ' /i ' - - ' -i ' - condition: selection_findstr and all of selection_cli_search_* -falsepositives: - - Administrative or software activity -level: low diff --git a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml index 6ee265561e9..08cccff9a4b 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service author: frack113 date: 2021/12/16 -modified: 2023/11/14 +modified: 2023/03/06 tags: - attack.discovery - attack.t1518.001 @@ -15,12 +15,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: - - '\find.exe' - - '\findstr.exe' - - OriginalFileName: - - 'FIND.EXE' - - 'FINDSTR.EXE' + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' selection_cli: CommandLine|contains: ' 385201' # Sysmon driver default altitude condition: all of selection_* diff --git a/deprecated/windows/proc_creation_win_lolbin_findstr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml similarity index 97% rename from deprecated/windows/proc_creation_win_lolbin_findstr.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml index b6f955121c5..e67e3bece5a 100644 --- a/deprecated/windows/proc_creation_win_lolbin_findstr.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml @@ -1,6 +1,6 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f -status: deprecated +status: test description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ @@ -8,7 +8,7 @@ references: - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali' date: 2020/10/05 -modified: 2022/10/12 +modified: 2022/10/11 tags: - attack.defense_evasion - attack.t1218 
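Review bot: the `proc_creation_win_lolbin_findstr.yml` hunk moves the rule back out of `deprecated/`, sets `status: test` and rolls `modified` back from 2022/10/12 to 2022/10/11, while the deleted `proc_creation_win_findstr_subfolder_search.yml` in the same patch declared `related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f` with `type: obsoletes` for exactly this rule; reviving an obsoleted rule by deleting its successor is only consistent if this whole series is a revert, in which case the series should say so, because to a reader of the rule files alone the backwards dates (the sysmon-altitude hunk goes from 2023/11/14 to 2023/03/06 as well) look like an error rather than a restore.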
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml index 712d72f91e6..e5780d68d2e 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml @@ -1,4 +1,4 @@ -title: Proxy Execution Via Wuauclt.EXE +title: Proxy Execution via Wuauclt id: af77cf95-c469-471c-b6a0-946c685c4798 related: - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 @@ -6,13 +6,13 @@ related: - id: d7825193-b70a-48a4-b992-8b5b3015cc11 type: obsoletes status: test -description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. +description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. references: - https://dtm.uk/wuauclt/ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team date: 2020/10/12 -modified: 2023/11/11 +modified: 2023/02/13 tags: - attack.defense_evasion - attack.t1218 
@@ -27,22 +27,13 @@ detection: selection_cli: CommandLine|contains|all: - 'UpdateDeploymentProvider' + - '.dll' - 'RunHandlerComServer' - filter_main_generic: - # Note: Please enhance this if you find the full path - CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' - filter_main_wuaueng: - # Note: Please enhance this if you find the full path - CommandLine|contains: ' wuaueng.dll ' - filter_main_uus: + filter: CommandLine|contains: - - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' - - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' - filter_main_winsxs: - CommandLine|contains|all: - - ':\Windows\WinSxS\' - - '\UpdateDeploy.dll /ClassId ' - condition: all of selection_* and not 1 of filter_main_* + - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + - ' wuaueng.dll ' + condition: all of selection_* and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index 4189681c7e0..b34fa108768 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -6,7 +6,6 @@ references: - https://infosec.exchange/@sbousseaden/109542254124022664 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/20 -modified: 2023/11/13 tags: - attack.defense_evasion logsource: 
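Review bot: in the `proc_creation_win_lolbin_wuauclt.yml` detection hunk, the single replacement `filter` excludes `' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '` and `' wuaueng.dll '` as bare substrings anywhere in the CommandLine, whereas the removed `filter_main_uus` and `filter_main_winsxs` anchored the exclusion to `':\Windows\UUS\'` and `':\Windows\WinSxS\'` paths; a file-name-only allow-list is the weaker shape for a filter, so if the four named `filter_main_*` blocks are collapsed, keep at least the path-anchored variants and the `1 of filter_main_*` condition that lets them be extended one at a time.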
@@ -17,33 +16,23 @@ detection: - OriginalFileName: - 'Excel.exe' - 'MSACCESS.EXE' - - 'MSPUB.EXE' - 'OneNote.exe' - - 'OneNoteM.exe' - - 'OUTLOOK.EXE' - 'POWERPNT.EXE' - 'WinWord.exe' - Description: - 'Microsoft Access' - 'Microsoft Excel' - 'Microsoft OneNote' - - 'Microsoft Outlook' - 'Microsoft PowerPoint' - - 'Microsoft Publisher' - 'Microsoft Word' - - 'Sent to OneNote Tool' - filter_main_legit_names: + filter: Image|endswith: - '\EXCEL.exe' - - '\excelcnv.exe' - '\MSACCESS.exe' - - '\MSPUB.EXE' - '\ONENOTE.EXE' - - '\ONENOTEM.EXE' - - '\OUTLOOK.EXE' - '\POWERPNT.EXE' - '\WINWORD.exe' - condition: selection and not 1 of filter_main_* + condition: selection and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml index fe5e51754bd..a325b4f30a8 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml @@ -11,7 +11,7 @@ references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023/08/01 -modified: 2023/11/11 +modified: 2023/10/17 tags: - attack.persistence - attack.privilege_escalation @@ -33,10 +33,6 @@ detection: ParentImage|endswith: ':\Windows\System32\svchost.exe' Image|endswith: ':\Windows\System32\sdbinst.exe' CommandLine|endswith: ' -mm' - filter_main_null: - CommandLine: null - filter_main_empty: - CommandLine: '' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 96b133b7eab..5130e4700d3 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -18,7 +18,7 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 -modified: 2023/11/14 +modified: 2023/11/10 tags: - attack.defense_evasion - attack.t1218.011 @@ -45,16 +45,8 @@ detection: ParentImage|contains|all: - ':\Users\' - '\AppData\Local\Microsoft\EdgeUpdate\Install\{' - filter_optional_chrome_installer: - # As reported in https://github.com/SigmaHQ/sigma/issues/4570 - ParentImage|contains|all: - - ':\Users\' - - '\AppData\Local\Google\Chrome\Application\' - ParentImage|endswith: '\Installer\setup.exe' - ParentCommandLine|contains: '--uninstall --channel=stable' - Image|endswith: '\rundll32.exe' - CommandLine|endswith: 'rundll32.exe' - condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_* + ParentImage|endswith: '\setup.exe' + condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index 3e349b6f661..d55f1e293fe 100644 --- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml 
@@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core author: Tom Ueltschi (@c_APT_ure), Tim Shelton date: 2019/01/12 -modified: 2023/11/14 +modified: 2023/06/21 tags: - attack.t1037.001 - attack.persistence @@ -21,7 +21,7 @@ detection: selection: ParentImage|endswith: '\userinit.exe' filter_main_explorer: - Image|endswith: ':\WINDOWS\explorer.exe' + Image: 'C:\WINDOWS\explorer.exe' filter_optional_logonscripts: CommandLine|contains: - 'netlogon.bat' @@ -31,18 +31,11 @@ detection: # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core CommandLine: 'PowerShell.exe' filter_optional_proquota: - Image|endswith: - - ':\Windows\System32\proquota.exe' - - ':\Windows\SysWOW64\proquota.exe' + Image: + - 'C:\Windows\System32\proquota.exe' + - 'C:\Windows\SysWOW64\proquota.exe' filter_optional_citrix: - Image|endswith: - # As reported by https://github.com/SigmaHQ/sigma/issues/4569 - - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - - ':\Program Files (x86)\Citrix\System32\icast.exe' - - ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - - ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - - ':\Program Files\Citrix\System32\icast.exe' + Image|endswith: '\Citrix\System32\icast.exe' filter_optional_image_null: Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* 
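Review bot: the `proc_creation_win_sdbinst_susp_extension.yml` hunk removes `filter_main_null` and `filter_main_empty` but keeps `condition: selection and not 1 of filter_main_*` as context; confirm that another `filter_main_*` selector survives above the shown lines, otherwise the condition references a selector group that no longer exists and rule validation will fail. Independently, the `CommandLine: null` / `CommandLine: ''` pair is there so that events whose CommandLine field is missing or empty do not satisfy a rule keyed on `CommandLine|endswith: ' -mm'`; dropping them brings that false-positive source back.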
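Review bot: the removed condition line in `proc_creation_win_susp_bad_opsec_sacrificial_processes.yml` reads `condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_*`, i.e. it required the optional Chrome-installer filter to match rather than excluding it, which would have restricted the rule to the very benign case the filter was meant to remove; the restored `condition: 1 of selection_* and not 1 of filter_main_*` is correct for the filters that remain, and whoever re-adds the installer filter should write it as `and not 1 of filter_optional_*`. The added `ParentImage|endswith: '\setup.exe'` appears to land inside the EdgeUpdate `filter_main_*` map next to `ParentImage|contains|all`, so it tightens that filter (AND), which is fine but worth stating in the message.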
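Review bot: the `proc_creation_win_userinit_uncommon_child_processes.yml` hunk replaces six drive-agnostic full paths under `filter_optional_citrix` with `Image|endswith: '\Citrix\System32\icast.exe'`, which excludes any binary whose path ends that way regardless of its parent directory, while the removed entries anchored the exclusion to `':\Program Files\Citrix\...'` and `':\Program Files (x86)\Citrix\...'` and also covered `cmstart.exe`; the removed form is the stricter allow-list. The same hunk reintroduces hard-coded `C:` in `filter_main_explorer` (`Image: 'C:\WINDOWS\explorer.exe'`) and `filter_optional_proquota`, which the `':\Windows\...'` + `|endswith` form it replaces was written to avoid on non-`C:` system drives.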
diff --git a/deprecated/windows/proc_creation_win_wuauclt_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml similarity index 95% rename from deprecated/windows/proc_creation_win_wuauclt_execution.yml rename to rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml index 2b053596d63..7d0c45e9291 100644 --- a/deprecated/windows/proc_creation_win_wuauclt_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml @@ -1,12 +1,12 @@ title: Windows Update Client LOLBIN id: d7825193-b70a-48a4-b992-8b5b3015cc11 -status: deprecated +status: test description: Detects code execution via the Windows Update client (wuauclt) references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2023/11/11 +modified: 2022/05/13 tags: - attack.command_and_control - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml index 8f29a67ea07..202121360c6 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml @@ -1,13 +1,12 @@ title: Suspicious Windows Update Agent Empty Cmdline id: 52d097e2-063e-4c9c-8fbb-855c8948d135 status: test -description: | - Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags +description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) date: 2022/02/26 -modified: 2023/11/11 +modified: 2022/05/13 tags: - attack.defense_evasion - attack.t1036 
@@ -19,9 +18,7 @@ detection: - Image|endswith: '\Wuauclt.exe' - OriginalFileName: 'Wuauclt.exe' selection_cli: - CommandLine|endswith: - - 'Wuauclt' - - 'Wuauclt.exe' + CommandLine|endswith: '\Wuauclt.exe' condition: all of selection* falsepositives: - Unknown From c125ae7e7d3b28805636fb3e36143b2a2e980bbf Mon Sep 17 00:00:00 2001 
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 15 Nov 2023 15:35:43 +0100
Subject: [PATCH 17/28] Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 split rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insensitive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Registry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extensions
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the Citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for Chrome installer spawning rundll32 without arguments

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
---
 README.md | 2 +-
 .../proc_creation_win_lolbin_findstr.yml | 4 +-
 .../proc_creation_win_wuauclt_execution.yml | 4 +-
 .../file_rename_win_non_dll_to_dll_ext.yml | 47 ++++++++++++++
 ..._defender_exclusions_registry_modified.yml | 30 +++++++++
 ...ndows_defender_exclusions_write_access.yml | 35 ++++++++++
 ...ows_defender_exclusions_write_deleted.yml} | 24 +++----
 ...emote_thread_win_uncommon_source_image.yml | 17 +++--
 ...t_win_create_evtx_non_common_locations.yml | 10 +--
 .../file_rename_win_not_dll_to_dll.yml | 45 -------------
 .../file_rename_win_ransomware.yml | 37 ++++++-----
 ...nection_win_wuauclt_network_connection.yml | 64 +++++++++++++++----
 .../proc_creation_win_findstr_download.yml | 43 +++++++++++++
 ...roc_creation_win_findstr_gpp_passwords.yml | 10 ++-
 .../proc_creation_win_findstr_lnk.yml | 10 ++-
 .../proc_creation_win_findstr_lsass.yml | 10 ++-
 ...oc_creation_win_findstr_recon_everyone.yml | 11 +++-
 ...creation_win_findstr_recon_pipe_output.yml | 22 ++++++-
 ...on_win_findstr_security_keyword_lookup.yml | 9 ++-
 ..._creation_win_findstr_subfolder_search.yml | 41 ++++++++++++
 ..._sysmon_discovery_via_default_altitude.yml | 10 ++-
 ..._creation_win_renamed_office_processes.yml | 15 ++++-
...oc_creation_win_sdbinst_susp_extension.yml | 6 +- ...n_susp_bad_opsec_sacrificial_processes.yml | 14 +++- ..._win_userinit_uncommon_child_processes.yml | 19 ++++-- ...proc_creation_win_wuauclt_dll_loading.yml} | 25 +++++--- ...ion_win_wuauclt_no_cli_flags_execution.yml | 9 ++- 27 files changed, 435 insertions(+), 138 deletions(-) rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_lolbin_findstr.yml (97%) rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_wuauclt_execution.yml (95%) create mode 100644 rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml create mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml create mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml rename rules/windows/builtin/security/{win_security_defender_bypass.yml => win_security_windows_defender_exclusions_write_deleted.yml} (54%) delete mode 100644 rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_download.yml create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_wuauclt.yml => proc_creation_win_wuauclt_dll_loading.yml} (57%) diff --git a/README.md b/README.md index 1340019750e..2b1a586e465 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ If you find a false positive or would like to propose a new detection rule idea ## Credits -This project would've never reached this hight without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. +This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. ## Licenses 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/deprecated/windows/proc_creation_win_lolbin_findstr.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml rename to deprecated/windows/proc_creation_win_lolbin_findstr.yml index e67e3bece5a..b6f955121c5 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml +++ b/deprecated/windows/proc_creation_win_lolbin_findstr.yml @@ -1,6 +1,6 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f -status: test +status: deprecated description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ @@ -8,7 +8,7 @@ references: - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali' date: 2020/10/05 -modified: 2022/10/11 +modified: 2022/10/12 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml b/deprecated/windows/proc_creation_win_wuauclt_execution.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml rename to deprecated/windows/proc_creation_win_wuauclt_execution.yml index 7d0c45e9291..2b053596d63 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml +++ b/deprecated/windows/proc_creation_win_wuauclt_execution.yml @@ -1,12 +1,12 @@ title: Windows Update Client LOLBIN id: d7825193-b70a-48a4-b992-8b5b3015cc11 -status: test +status: deprecated description: Detects code execution via the Windows Update client (wuauclt) references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2022/05/13 +modified: 2023/11/11 tags: - attack.command_and_control - attack.execution 
diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml new file mode 100644 index 00000000000..1f663fc292c --- /dev/null +++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml 
@@ -0,0 +1,47 @@ +title: Non-DLL Extension File Renamed With DLL Extension +id: bbfd974c-248e-4435-8de6-1e938c79c5c1 +status: experimental +description: | + Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. +references: + - https://twitter.com/ffforward/status/1481672378639912960 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location +author: frack113 +date: 2022/02/19 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1036.008 + - detection.threat_hunting +logsource: + product: windows + category: file_rename + definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' +detection: + selection: + TargetFilename|endswith: '.dll' + filter_main_dll: + # Note: To avoid file renames + SourceFilename|endswith: '.dll' + filter_main_installers: + SourceFilename|endswith: '.tmp' + filter_main_empty_source: + SourceFilename: '' + filter_main_null_source: + SourceFilename: null + filter_main_tiworker: + Image|contains: ':\Windows\WinSxS\' + Image|endswith: '\TiWorker.exe' + filter_main_upgrade: + - Image|endswith: ':\Windows\System32\wuauclt.exe' + - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\' + filter_main_generic: + Image|contains: + - ':\Program Files (x86)\' + - ':\Program Files\' + filter_optional_squirrel: + SourceFilename|contains: '\SquirrelTemp\temp' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Likely from installers and temporary locations +level: medium 
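Review bot: in the new `file_rename_win_non_dll_to_dll_ext.yml`, the comment above `filter_main_dll` (`# Note: To avoid file renames`) does not say what it excludes; `# Note: Exclude .dll to .dll renames` would. The rule also arrives as a `new file` carrying `date: 2022/02/19` and id `bbfd974c-248e-4435-8de6-1e938c79c5c1` while `rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml` is deleted in the same patch (`45 -------------` in the diffstat), so git did not pair them as a rename; if the deleted rule used a different id, add a `related:` entry with `type: obsoletes` pointing at it so that consumers can follow the move. Finally, `filter_main_generic` excludes every process under `':\Program Files\'` and `':\Program Files (x86)\'` from a hunting rule whose subject is rename-based evasion; that is a wide blind spot and deserves a one-line comment on why it is acceptable here.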
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml new file mode 100644 index 00000000000..7d4de724c2e --- /dev/null +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml @@ -0,0 +1,30 @@ +title: Windows Defender Exclusion List Modified +id: 46a68649-f218-4f86-aea1-16a759d81820 +related: + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived +status: test +description: | + Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: '@BarryShooshooga' +date: 2019/10/26 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + EventID: 4657 # A registry value was modified. + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Intended exclusions by administrators +level: medium diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml new file mode 100644 index 00000000000..b7dfbafedf0 --- /dev/null +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml 
@@ -0,0 +1,35 @@ +title: Windows Defender Exclusion Reigstry Key - Write Access Requested +id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +related: + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived +status: test +description: | + Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)' +date: 2019/10/26 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + AccessList|contains: + - '%%4417' # WriteData + - '%%4418' # AppendData + EventID: + - 4656 # A handle to an object was requested. + - 4663 # An attempt was made to access an object. + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/builtin/security/win_security_defender_bypass.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml similarity index 54% rename from rules/windows/builtin/security/win_security_defender_bypass.yml rename to rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml index a975119eda6..b207c81b499 100644 --- a/rules/windows/builtin/security/win_security_defender_bypass.yml +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml 
@@ -1,12 +1,18 @@ -title: Windows Defender Exclusion Set -id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +title: Windows Defender Exclusion Deleted +id: a33f8808-2812-4373-ae95-8cfb82134978 +related: + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived status: test -description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender +description: | + Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' date: 2019/10/26 -modified: 2021/11/27 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1562.001 @@ -16,13 +22,9 @@ logsource: definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: selection: - EventID: - - 4657 - - 4656 - - 4660 - - 4663 + EventID: 4660 # An object was deleted. ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' condition: selection falsepositives: - - Intended inclusions by administrator -level: high + - Unknown +level: medium diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index 321e57290f2..af4ed0f32c8 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml 
@@ -7,7 +7,7 @@ references: - https://lolbas-project.github.io author: Perez Diego (@darkquassar), oscd.community date: 2019/10/27 -modified: 2023/09/06 +modified: 2023/11/11 tags: - attack.privilege_escalation - attack.defense_evasion @@ -72,9 +72,9 @@ detection: - ':\Windows\System32\services.exe' # happens on Windows 7 - ':\Windows\System32\wininit.exe' # happens on Windows 7 - ':\Windows\System32\csrss.exe' # multiple OS + - ':\Windows\System32\LogonUI.exe' # multiple OS filter_main_winlogon_2: SourceImage: 'C:\Windows\System32\winlogon.exe' - TargetParentImage: 'System' TargetParentProcessId: 4 filter_main_schtasks_conhost: SourceImage|endswith: @@ -84,10 +84,19 @@ detection: filter_main_explorer: SourceImage|endswith: ':\Windows\explorer.exe' TargetImage|endswith: - - ':\Windows\System32\mmc.exe' - - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' + - ':\Program Files (x86)\' + - ':\Program Files\' + - ':\Windows\System32\' + - ':\Windows\SysWOW64\' filter_main_system: TargetImage: 'System' + filter_main_msiexec: + # Note: MSI installers will trigger this + SourceImage|endswith: '\msiexec.exe' + TargetImage|contains: + - '\AppData\Local\' + - ':\Program Files (x86)\' + - ':\Program Files\' filter_optional_powerpnt: # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 SourceImage|contains: '\Microsoft Office\' diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 9e973c66e76..02eedbdff08 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml 
@@ -18,14 +18,14 @@ detection: selection: TargetFilename|endswith: '.evtx' filter_main_path: - TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' + TargetFilename|contains: ':\Windows\System32\winevt\Logs\' filter_main_baseimage: - TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' + TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\' TargetFilename|endswith: '\Windows\System32\winevt\Logs\' filter_main_generic_img: - Image: - - 'C:\Windows\explorer.exe' - - 'C:\Windows\system32\dllhost.exe' + Image|endswith: + - ':\Windows\explorer.exe' + - ':\Windows\system32\dllhost.exe' condition: selection and not 1 of filter_main_* falsepositives: - Administrator or backup activity diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml deleted file mode 100644 index 23de6de3334..00000000000 --- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -title: Rename Common File to DLL File -id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: test -description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection -references: - - https://twitter.com/ffforward/status/1481672378639912960 - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location -author: frack113 -date: 2022/02/19 -modified: 2023/01/02 -tags: - - attack.defense_evasion - - attack.t1036.008 -logsource: - product: windows - category: file_rename - definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' -detection: - to_dll: - TargetFilename|endswith: '.dll' - filter_from_dll: - - SourceFilename|endswith: - - '.dll' - - '.tmp' # VSCode FP - - SourceFilename|contains: - - '.dll.' - - '\SquirrelTemp\temp' - filter_empty_source: - SourceFilename: '' - filter_non_existing_source: - SourceFilename: null - filter_tiworker: - Image|startswith: 'C:\Windows\WinSxS\' - Image|endswith: '\TiWorker.exe' - filter_upgrade: - - Image: 'C:\Windows\System32\wuauclt.exe' - - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\' - filter_program_files: - Image|startswith: - - 'C:\Program Files (x86)\' - - 'C:\Program Files\' - condition: to_dll and not 1 of filter* -falsepositives: - - Application installation -level: medium diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index f0cca6f2cf3..b1b6e9a28dc 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml 
@@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2023/01/02 +modified: 2023/11/11 tags: - attack.impact - attack.t1486 @@ -18,35 +18,40 @@ logsource: detection: selection: SourceFilename|endswith: - - '.lnk' - - '.rtf' - - '.pst' + - '.doc' - '.docx' - - '.xlsx' - - '.jpg' - '.jpeg' - - '.png' + - '.jpg' + - '.lnk' - '.pdf' + - '.png' + - '.pst' + - '.rtf' + - '.xls' + - '.xlsx' TargetFilename|contains: - - '.lnk.' - - '.rtf.' - - '.pst.' + - '.doc.' - '.docx.' - - '.xlsx.' - - '.jpg.' - '.jpeg.' - - '.png.' + - '.jpg.' + - '.lnk.' - '.pdf.' + - '.png.' + - '.pst.' + - '.rtf.' + - '.xls.' + - '.xlsx.' filter_main_generic: TargetFilename|endswith: - - '.tmp' + # Note: Please add more used extensions by backup or recovery software + - '.backup' - '.bak' - '.old' - '.orig' - - '.backup' - '.temp' + - '.tmp' filter_optional_anaconda: - TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' + TargetFilename|contains: ':\ProgramData\Anaconda3\' TargetFilename|endswith: '.c~' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index c9771233ef2..f79a6af8531 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml 
@@ -1,27 +1,58 @@ -title: Wuauclt Network Connection +title: Potentially Suspicious Wuauclt Network Connection id: c649a6c7-cd8c-4a78-9c04-000fc76df954 status: test description: | - Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. - One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. + Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. + One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2023/01/20 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1218 logsource: category: network_connection product: windows + definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.' detection: selection: Image|contains: 'wuauclt' + CommandLine|contains: ' /RunHandlerComServer' # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer - filter_msrange: # Sysmon + filter_main_ipv4: + DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml + - '10.' + - '127.' + - '169.254.' 
# link-local address + - '172.16' + - '172.17' + - '172.18' + - '172.19' + - '172.20' + - '172.21' + - '172.22' + - '172.23' + - '172.24' + - '172.25' + - '172.26' + - '172.27' + - '172.28' + - '172.29' + - '172.30' + - '172.31' + - '192.168' + filter_main_ipv6: DestinationIp|startswith: - # Subnet: 20.184.0.0/13 + - '::1' + - '0:0:0:0:0:0:0:1' # IPv6 loopback variant + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 + filter_main_msrange: # Sysmon + DestinationIp|startswith: + # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others - '20.184.' - '20.185.' - '20.186.' @@ -30,16 +61,27 @@ detection: - '20.189.' - '20.190.' - '20.191.' + - '20.220.' + - '20.221.' - '23.79.' - '51.10.' - # Subnet: 51.103.210.0/23 - '51.103.' - '51.104.' - '51.105.' - '52.239.' - filter_cmdline: - CommandLine|contains: '\UpdateDeploy.dll /ClassId ' - condition: selection and not 1 of filter_* + filter_main_uus: + CommandLine|contains: + - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' + - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' + filter_main_winsxs|all: + CommandLine|contains: + - ':\Windows\WinSxS\' + - '\UpdateDeploy.dll /ClassId ' + filter_main_cli_null: + CommandLine: null + filter_main_cli_empty: + CommandLine: '' + condition: selection and not 1 of filter_main_* falsepositives: - - Legitimate use of wuauclt.exe over the network. + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml new file mode 100644 index 00000000000..cef27141ca2 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml 
@@ -0,0 +1,43 @@ +title: Remote File Download Via Findstr.EXE +id: 587254ee-a24b-4335-b3cd-065c0f1f4baa +related: + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes +status: experimental +description: | + Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +date: 2020/10/05 +modified: 2023/11/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_download_1: + CommandLine|contains: + - ' /v ' + - ' -v ' + selection_cli_download_2: + CommandLine|contains: + - ' /l ' + - ' -l ' + selection_cli_download_3: + CommandLine|contains: '\\\\' + condition: selection_findstr and all of selection_cli_download_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 2c5d81cd8fb..0da44623449 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr author: frack113 date: 2021/12/27 -modified: 2023/03/06 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|contains|all: - 'cpassword' diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml index 9618ac0a69c..a37c9d8bf24 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml @@ -6,7 +6,7 @@ references: - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/ author: Trent Liffick date: 2020/05/01 -modified: 2023/03/06 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1036 @@ -17,8 +17,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|endswith: '.lnk' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index e9b33ee1f1b..5941a31c969 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml 
@@ -6,7 +6,7 @@ references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) date: 2022/08/12 -modified: 2023/07/13 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: 'lsass' selection_special: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml index 859caea95cf..3285947e8e9 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml @@ -6,7 +6,7 @@ references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/12 -modified: 2023/03/05 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: - '"Everyone"' @@ -28,6 +32,7 @@ detection: # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" # You could extend it for other groups and users # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" + # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c" - 'icacls ' - 'findstr ' - 'Everyone' 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 8cf7a5f6aac..1d30a9c23be 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -12,7 +12,7 @@ references: - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/07/06 -modified: 2023/10/20 +modified: 2023/11/11 tags: - attack.discovery - attack.t1057 @@ -23,25 +23,45 @@ detection: selection: CommandLine|contains: # Note: Add additional CLI to increase and enhance coverage + - 'ipconfig /all | find ' - 'ipconfig /all | findstr ' + - 'ipconfig | find ' - 'ipconfig | findstr ' + - 'ipconfig.exe /all | find ' - 'ipconfig.exe /all | findstr ' + - 'ipconfig.exe | find ' - 'ipconfig.exe | findstr ' + - 'net start | find' - 'net start | findstr' + - 'net.exe start | find' - 'net.exe start | findstr' + - 'net1 start | find' - 'net1 start | findstr' + - 'net1.exe start | find' - 'net1.exe start | findstr' + - 'netstat -ano | find' - 'netstat -ano | findstr' + - 'netstat | find' - 'netstat | findstr' + - 'netstat.exe -ano | find' - 'netstat.exe -ano | findstr' + - 'netstat.exe | find' - 'netstat.exe | findstr' + - 'ping | find' - 'ping | findstr' + - 'ping.exe | find' - 'ping.exe | findstr' + - 'systeminfo | find ' - 'systeminfo | findstr ' + - 'systeminfo.exe | find ' - 'systeminfo.exe | findstr ' + - 'tasklist | find ' - 'tasklist | findstr ' + - 'tasklist.exe | find ' - 'tasklist.exe | findstr ' + - 'whoami /all | find ' - 'whoami /all | findstr ' + - 'whoami.exe /all | find ' - 'whoami.exe /all | findstr ' condition: selection falsepositives: 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index dcecd4f14cc..d4656b0d2fc 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml @@ -13,6 +13,7 @@ references: - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/10/20 +modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -21,8 +22,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|endswith: # Note: Add additional keywords to increase and enhance coverage diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml new file mode 100644 index 00000000000..5a6705ab7ee --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml 
@@ -0,0 +1,41 @@ +title: Insensitive Subfolder Search Via Findstr.EXE +id: 04936b66-3915-43ad-a8e5-809eadfd1141 +related: + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes +status: experimental +description: | + Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +date: 2020/10/05 +modified: 2023/11/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_search_subfolder: + CommandLine|contains: + - ' /s ' + - ' -s ' + selection_cli_search_insensitive: + CommandLine|contains: + - ' /i ' + - ' -i ' + condition: selection_findstr and all of selection_cli_search_* +falsepositives: + - Administrative or software activity +level: low diff --git a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml index 08cccff9a4b..6ee265561e9 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service author: frack113 date: 2021/12/16 -modified: 2023/03/06 +modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|contains: ' 385201' # Sysmon driver default altitude condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index b34fa108768..4189681c7e0 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -6,6 +6,7 @@ references: - https://infosec.exchange/@sbousseaden/109542254124022664 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/20 +modified: 2023/11/13 tags: - attack.defense_evasion logsource: 
@@ -16,23 +17,33 @@ detection: - OriginalFileName: - 'Excel.exe' - 'MSACCESS.EXE' + - 'MSPUB.EXE' - 'OneNote.exe' + - 'OneNoteM.exe' + - 'OUTLOOK.EXE' - 'POWERPNT.EXE' - 'WinWord.exe' - Description: - 'Microsoft Access' - 'Microsoft Excel' - 'Microsoft OneNote' + - 'Microsoft Outlook' - 'Microsoft PowerPoint' + - 'Microsoft Publisher' - 'Microsoft Word' - filter: + - 'Sent to OneNote Tool' + filter_main_legit_names: Image|endswith: - '\EXCEL.exe' + - '\excelcnv.exe' - '\MSACCESS.exe' + - '\MSPUB.EXE' - '\ONENOTE.EXE' + - '\ONENOTEM.EXE' + - '\OUTLOOK.EXE' - '\POWERPNT.EXE' - '\WINWORD.exe' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml index a325b4f30a8..fe5e51754bd 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml @@ -11,7 +11,7 @@ references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023/08/01 -modified: 2023/10/17 +modified: 2023/11/11 tags: - attack.persistence - attack.privilege_escalation @@ -33,6 +33,10 @@ detection: ParentImage|endswith: ':\Windows\System32\svchost.exe' Image|endswith: ':\Windows\System32\sdbinst.exe' CommandLine|endswith: ' -mm' + filter_main_null: + CommandLine: null + filter_main_empty: + CommandLine: '' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 5130e4700d3..96b133b7eab 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -18,7 +18,7 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 -modified: 2023/11/10 +modified: 2023/11/14 tags: - attack.defense_evasion - attack.t1218.011 @@ -45,8 +45,16 @@ detection: ParentImage|contains|all: - ':\Users\' - '\AppData\Local\Microsoft\EdgeUpdate\Install\{' - ParentImage|endswith: '\setup.exe' - condition: 1 of selection_* and not 1 of filter_main_* + filter_optional_chrome_installer: + # As reported in https://github.com/SigmaHQ/sigma/issues/4570 + ParentImage|contains|all: + - ':\Users\' + - '\AppData\Local\Google\Chrome\Application\' + ParentImage|endswith: '\Installer\setup.exe' + ParentCommandLine|contains: '--uninstall --channel=stable' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: 'rundll32.exe' + condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index d55f1e293fe..3e349b6f661 100644 --- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml 
@@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core author: Tom Ueltschi (@c_APT_ure), Tim Shelton date: 2019/01/12 -modified: 2023/06/21 +modified: 2023/11/14 tags: - attack.t1037.001 - attack.persistence @@ -21,7 +21,7 @@ detection: selection: ParentImage|endswith: '\userinit.exe' filter_main_explorer: - Image: 'C:\WINDOWS\explorer.exe' + Image|endswith: ':\WINDOWS\explorer.exe' filter_optional_logonscripts: CommandLine|contains: - 'netlogon.bat' @@ -31,11 +31,18 @@ detection: # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core CommandLine: 'PowerShell.exe' filter_optional_proquota: - Image: - - 'C:\Windows\System32\proquota.exe' - - 'C:\Windows\SysWOW64\proquota.exe' + Image|endswith: + - ':\Windows\System32\proquota.exe' + - ':\Windows\SysWOW64\proquota.exe' filter_optional_citrix: - Image|endswith: '\Citrix\System32\icast.exe' + Image|endswith: + # As reported by https://github.com/SigmaHQ/sigma/issues/4569 + - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files (x86)\Citrix\System32\icast.exe' + - ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files\Citrix\System32\icast.exe' filter_optional_image_null: Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml rename to rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml index e5780d68d2e..712d72f91e6 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml @@ -1,4 +1,4 @@ -title: Proxy Execution via Wuauclt +title: Proxy Execution Via Wuauclt.EXE id: af77cf95-c469-471c-b6a0-946c685c4798 related: - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 @@ -6,13 +6,13 @@ related: - id: d7825193-b70a-48a4-b992-8b5b3015cc11 type: obsoletes status: test -description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. +description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. references: - https://dtm.uk/wuauclt/ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team date: 2020/10/12 -modified: 2023/02/13 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1218 
@@ -27,13 +27,22 @@ detection: selection_cli: CommandLine|contains|all: - 'UpdateDeploymentProvider' - - '.dll' - 'RunHandlerComServer' - filter: + filter_main_generic: + # Note: Please enhance this if you find the full path + CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + filter_main_wuaueng: + # Note: Please enhance this if you find the full path + CommandLine|contains: ' wuaueng.dll ' + filter_main_uus: CommandLine|contains: - - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' - - ' wuaueng.dll ' - condition: all of selection_* and not filter + - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' + - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' + filter_main_winsxs: + CommandLine|contains|all: + - ':\Windows\WinSxS\' + - '\UpdateDeploy.dll /ClassId ' + condition: all of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml index 202121360c6..8f29a67ea07 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml @@ -1,12 +1,13 @@ title: Suspicious Windows Update Agent Empty Cmdline id: 52d097e2-063e-4c9c-8fbb-855c8948d135 status: test -description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags +description: | + Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) date: 2022/02/26 -modified: 2022/05/13 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1036 
@@ -18,7 +19,9 @@ detection: - Image|endswith: '\Wuauclt.exe' - OriginalFileName: 'Wuauclt.exe' selection_cli: - CommandLine|endswith: '\Wuauclt.exe' + CommandLine|endswith: + - 'Wuauclt' + - 'Wuauclt.exe' condition: all of selection* falsepositives: - Unknown From 0f5f9896040a26da7326337e9261d3b94cb34394 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 15 Nov 2023 15:54:47 +0100 Subject: [PATCH 18/28] Merge PR #4573 from @nasbench - Update Archived References chore: archive new rule references and update cache file --------- Co-authored-by: nasbench --- .github/latest_archiver_output.md | 180 +++++++++++++----------------- tests/rule-references.txt | 10 ++ 2 files changed, 89 insertions(+), 101 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index d3bf7338ba0..8dadd968f15 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
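Review bot: Typo in the `title` of the new rule win_security_windows_defender_exclusions_write_access.yml: "Reigstry" should be "Registry". Separately, the rule has no process- or account-based filter and lists `falsepositives: Unknown`, while the rule it was split from (see the rename hunk below) listed "Intended inclusions by administrator"; legitimate exclusion management hits exactly these keys with WriteData/AppendData, so carry that entry over rather than dropping it.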
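Review bot: The `EventID: 4660` selection in win_security_windows_defender_exclusions_write_deleted.yml cannot match as written: event 4660 ("An object was deleted") carries no ObjectName field, only ObjectServer and HandleId, so `ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'` has nothing to match against. Either match 4663 with the DELETE access (`AccessList|contains: '%%1537'`) on that key path, or correlate 4660 with the preceding 4656/4663 by HandleId. Two smaller points: the new filename says "write_deleted" while the title is "Windows Defender Exclusion Deleted", so drop "write_" from the filename; and the removed false-positive entry "Intended inclusions by administrator" still applies to deletions and should stay.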
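Review bot: The rewritten `filter_main_explorer` in create_remote_thread_win_uncommon_source_image.yml is dead: the modifier stays `TargetImage|endswith` but the new values (':\Program Files (x86)\', ':\Program Files\', ':\Windows\System32\', ':\Windows\SysWOW64\') all end in a path separator, which no image path ends with, so the filter never matches and the two previous exclusions (mmc.exe, NVIDIA GeForce Experience.exe) are silently lost. The intent looks like `TargetImage|contains`; note that as `contains` it would suppress every explorer.exe remote thread into anything under System32 or Program Files, which is a large blind spot for a rule about uncommon CreateRemoteThread sources, so prefer listing the observed targets. The new `filter_main_msiexec` has the same breadth issue with `TargetImage|contains: '\AppData\Local\'`.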
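Review bot: In file_event_win_create_evtx_non_common_locations.yml, `filter_main_baseimage` pairs the new `TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\'` with the unchanged `TargetFilename|endswith: '\Windows\System32\winevt\Logs\'`; since `selection` requires the filename to end with '.evtx', that endswith can never be true and the whole filter is dead. It should read `TargetFilename|contains: '\Windows\System32\winevt\Logs\'` so both conditions can hold for a base-image path.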
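Review bot: file_rename_win_not_dll_to_dll.yml (id bbfd974c-248e-4435-8de6-1e938c79c5c1) is deleted outright rather than moved to the deprecated folder with `status: deprecated`, and no rule in this patch references it via `related` / `type: obsoletes`. Consumers that key on the rule id lose it without a trail; please deprecate instead of deleting, or name the replacement.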
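Review bot: In file_rename_win_ransomware.yml the `TargetFilename|contains` list now has entries subsumed by shorter ones: '.doc.' already matches everything '.docx.' does, and '.xls.' covers '.xlsx.', so the longer entries are redundant and can be dropped. The change of the Anaconda filter from `startswith` to `contains` is fine, but it now also matches that path on any drive, which the comment should say.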
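Review bot: Three problems in net_connection_win_wuauclt_network_connection.yml. First, `filter_main_winsxs|all:` puts the `all` modifier on the selection name, where it has no meaning; it belongs on the field, `CommandLine|contains|all:`, exactly as the process_creation counterpart in this patch writes it. As written the filter passes on either string alone, so any command line containing just '\UpdateDeploy.dll /ClassId ' (a DLL of that name in a writable directory) is excluded. Second, the private-range filter uses `DestinationIp|startswith` values without a trailing dot ('172.16' through '172.31'), which also match public addresses such as 172.160.x.x or 172.255.x.x; append the dot ('172.16.' and so on). Third, `filter_main_cli_null` and `filter_main_cli_empty` are dead because `selection` already requires `CommandLine|contains: ' /RunHandlerComServer'`; drop them.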
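Review bot: The tag set on the new proc_creation_win_findstr_download.yml (attack.t1218, t1564.004, t1552.001, t1105) is copied over from the rule it obsoletes (bf6c39fc-e203-45b9-9538-05397c1b4f3f); for a remote-file-download detection only t1105 applies, while t1564.004 (NTFS file attributes) and t1552.001 (credentials in files) describe other uses of findstr. Please trim the tags, and make sure the obsoleted rule is moved to deprecated in the same change so the `type: obsoletes` link resolves.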
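Review bot: The trailing-space convention in proc_creation_win_findstr_recon_pipe_output.yml is mixed: entries like 'net start | find' (no trailing space) already cover 'net start | findstr' and 'net start | find.exe' under `contains`, so the corresponding findstr entries are redundant, whereas 'ipconfig /all | find ' (trailing space) does not cover 'ipconfig /all | findstr '. Pick one convention; dropping the trailing space roughly halves the list and also catches the '.exe' spellings.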
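Review bot: The title of the new proc_creation_win_findstr_subfolder_search.yml, "Insensitive Subfolder Search Via Findstr.EXE", should read "Case-Insensitive Subfolder Search Via Findstr.EXE" to match the description. Its tags (t1218, t1564.004, t1552.001, t1105) are inherited from the obsoleted rule and none describe a recursive file search; attack.discovery with t1083 fits the description better.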
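Review bot: The new condition in proc_creation_win_susp_bad_opsec_sacrificial_processes.yml, `1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_*`, inverts the rule: it now fires only when the Chrome-uninstall filter matches, i.e. exclusively on the legitimate case it was meant to exclude. It must be `and not 1 of filter_optional_*`. Also, the hunk removes `ParentImage|endswith: '\setup.exe'` from the preceding EdgeUpdate filter, which widens that filter to any parent under '\AppData\Local\Microsoft\EdgeUpdate\Install\{'; if that was not intended, restore the line.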
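Review bot: Dropping '.dll' from `selection_cli` (contains|all) in proc_creation_win_wuauclt_dll_loading.yml is reasonable since the handler path need not end in .dll, but `filter_main_generic` and `filter_main_wuaueng` match the bare names ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' and ' wuaueng.dll ' in any directory, so a same-named DLL in a user-writable path is excluded too. The "Please enhance this if you find the full path" comments acknowledge this; until the path is confirmed, at least anchor the match to a ':\Windows\' prefix as the UUS and WinSxS filters do.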
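Review bot: In proc_creation_win_wuauclt_no_cli_flags_execution.yml the new `CommandLine|endswith` values 'Wuauclt' and 'Wuauclt.exe' miss the quoted form `"C:\Windows\System32\wuauclt.exe"`, whose command line ends in a double quote; add a 'Wuauclt.exe"' entry (or strip quotes in the description of what is expected) so the empty-flags case is covered for both spellings.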
@@ -1,130 +1,108 @@ # Reference Archiver Results -Last Execution: 2023-11-03 14:11:09 +Last Execution: 2023-11-15 01:55:35 ### Archiver Script Results #### Newly Archived References -N/A +- https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main #### Already Archived References -- https://twitter.com/_JohnHammond/status/1708910264261980634 -- https://github.com/Pennyw0rth/NetExec/ -- https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html -- https://linux.die.net/man/1/wget -- https://github.com/1N3/Sn1per -- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security -- https://github.com/Tib3rius/AutoRecon -- https://github.com/pr0xylife/DarkGate/tree/main -- https://github.com/HavocFramework/Havoc -- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1 -- https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf -- https://ipfyx.fr/post/visual-studio-code-tunnel/ -- https://github.com/t3l3machus/hoaxshell -- https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/ -- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md -- https://twitter.com/fr0s7_/status/1712780207105404948 -- https://code.visualstudio.com/docs/remote/tunnels -- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ -- https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection -- https://badoption.eu/blog/2023/01/31/code_c2.html -- https://github.com/t3l3machus/Villain -- https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/ -- 
https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts -- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/ -- https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html -- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf -- https://ss64.com/nt/regsvr32.html -- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery -- https://github.com/Ne0nd0g/merlin -- https://github.com/projectdiscovery/naabu -- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 -- https://dataconomy.com/2023/10/23/okta-data-breach/ -- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell -- https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver -- https://github.com/win3zz/CVE-2023-43261 -- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach -- https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 -- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware -- https://github.security.telekom.com/2023/08/darkgate-loader.html -- https://vulncheck.com/blog/real-world-cve-2023-43261 -- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z -- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ -- https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt +- 
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 +- https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62 +- https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242 +- https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/ +- https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml +- https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication +- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 +- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification #### Error While Archiving References -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://news.ycombinator.com/item?id=29504755 +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- 
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922 +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 -- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://www.cyberciti.biz/faq/linux-remove-user-command/ - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://linux.die.net/man/8/useradd -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - https://paper.seebug.org/1495/ +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://megatools.megous.com/ - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- 
http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html +- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html +- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296 +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://www.sans.org/cyber-security-summit/archives +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44 +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b - 
http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 -- https://linux.die.net/man/1/arecord -- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html -- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://github.com/grayhatkiller/SharpExShell +- 
https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://linux.die.net/man/1/arecord +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://www.sans.org/cyber-security-summit/archives -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://news.ycombinator.com/item?id=29504755 -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- 
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ +- https://linux.die.net/man/8/useradd - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://megatools.megous.com/ -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ +- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e +- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization +- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- 
https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ diff --git a/tests/rule-references.txt b/tests/rule-references.txt index 12d2e2dee7a..cbe0982398b 100644 --- a/tests/rule-references.txt +++ b/tests/rule-references.txt 
@@ -3452,3 +3452,13 @@ https://vulncheck.com/blog/real-world-cve-2023-43261 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt +https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 +https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62 +https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242 +https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/ +https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml +https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication +https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 +https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification +https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main From d57787276151060be4e329f8a76eb7dad6e6bd1f Mon Sep 17 00:00:00 2001 
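Review bot: most of the churn in the `latest_archiver_output.md` hunk is reordering rather than a change in content (for example `https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/` and `https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations` are removed from and re-added to the "Error While Archiving References" list), which makes it hard to see which references newly failed to archive; sorting each list in the archiver script before writing the file would keep these automated diffs reviewable.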
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 15 Nov 2023 16:40:33 +0100 Subject: [PATCH 19/28] Merge PR #4551 from @frack113 - chore: move more tests to pySigma chore: Add attacktag and tlptag to pySigma tests --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .github/workflows/sigma-test.yml | 2 +- .gitmodules | 3 - tests/cti | 1 - tests/sigma_cli_conf.yml | 2 + tests/test_rules.py | 309 ++++++++++++++++--------------- 5 files changed, 164 insertions(+), 153 deletions(-) delete mode 100644 .gitmodules delete mode 160000 tests/cti diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 2c8d0226d03..c50ce6a06e9 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -79,7 +79,7 @@ jobs: sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules* - name: Test Sigma Rules run: | - pip install PyYAML attackcti colorama + pip install PyYAML colorama python tests/test_rules.py check-baseline-win7: diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index af5385f2039..00000000000 --- a/.gitmodules +++ /dev/null @@ -1,3 +0,0 @@ -[submodule "tests/cti"] - path = tests/cti - url = https://github.com/mitre/cti.git diff --git a/tests/cti b/tests/cti deleted file mode 160000 index 340ee452560..00000000000 --- a/tests/cti +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 340ee452560dcc41c03664637611e529a11bedf2 diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml index 6881767ab14..a9d17ca0091 100644 --- a/tests/sigma_cli_conf.yml +++ b/tests/sigma_cli_conf.yml @@ -1,9 +1,11 @@ validators: + - attacktag - all_of_them_condition - duplicate_tag - duplicate_title - identifier_existence - identifier_uniqueness + - tlptag exclusions: # escaped_wildcard 021310d9-30a6-480a-84b7-eaa69aeb92bb: escaped_wildcard 
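Review bot: in the `tests/sigma_cli_conf.yml` hunk, `attacktag` is inserted above `all_of_them_condition`, which breaks the alphabetical order the rest of the validator list keeps (`tlptag` is correctly placed last); move it between `all_of_them_condition` and `duplicate_tag`. Dropping `attackcti` from the `pip install` line in `sigma-test.yml` is consistent with deleting the `tests/cti` submodule and `.gitmodules`.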
diff --git a/tests/test_rules.py b/tests/test_rules.py index 50747fab778..d12775d5241 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -11,41 +11,52 @@ import yaml import re import string -from attackcti import attack_client +#from attackcti import attack_client from colorama import init from colorama import Fore import collections +# Old Tests cover by pySigma 0.10.6 and simgma-cli 0.7.8 +# Use sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules* +# +# def test_duplicate_tags(self): sigma-cli validators duplicate_tag +# def test_all_of_them_condition(self): sigma-cli validator all_of_them_condition +# def test_missing_id(self): sigma-cli error & validator identifier_existence identifier_uniqueness +# def test_duplicate_titles(self): sigma-cli validators duplicate_title +# def test_unknown_value_modifier(self): sigma-cli error & validator SigmaModifierError +# def test_confirm_correct_mitre_tags(self): sigma-cli validators attacktag +# def test_optional_tlp(self): sigma-cli validators tlptag + class TestRules(unittest.TestCase): - @classmethod - def setUpClass(cls): - print("Calling get_mitre_data()") - # Get Current Data from MITRE ATT&CK® - cls.MITRE_ALL = get_mitre_data() - print("Catched data - starting tests...") - - MITRE_TECHNIQUE_NAMES = [ - "process_injection", - "signed_binary_proxy_execution", - "process_injection", - ] # incomplete list - MITRE_TACTICS = [ - "initial_access", - "execution", - "persistence", - "privilege_escalation", - "defense_evasion", - "credential_access", - "discovery", - "lateral_movement", - "collection", - "exfiltration", - "command_and_control", - "impact", - "launch", - ] - # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules + # @classmethod + # def setUpClass(cls): + # print("Calling get_mitre_data()") + # # Get Current Data from MITRE ATT&CK® + # cls.MITRE_ALL = get_mitre_data() + # print("Catched data - starting tests...") + + # MITRE_TECHNIQUE_NAMES = [ + # "process_injection", + # "signed_binary_proxy_execution", + # "process_injection", + # ] # 
incomplete list + # MITRE_TACTICS = [ + # "initial_access", + # "execution", + # "persistence", + # "privilege_escalation", + # "defense_evasion", + # "credential_access", + # "discovery", + # "lateral_movement", + # "collection", + # "exfiltration", + # "command_and_control", + # "impact", + # "launch", + # ] + # # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"} path_to_rules = [ 
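Review bot: the comment `# Don't use trademarks in rules ...` at the end of this hunk was commented out together with the MITRE block, but the `TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}` constant it documents stays active, so that line should keep its single `#`. More generally, the `setUpClass`, `MITRE_TECHNIQUE_NAMES` and `MITRE_TACTICS` blocks and the `from attackcti import attack_client` import could simply be deleted now that the `tests/cti` submodule is gone; git history preserves them, and the new header comment already records which sigma-cli validator replaces each old test. That header comment also has two typos: `cover by` should read `covered by` and `simgma-cli` should read `sigma-cli`.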
@@ -137,28 +148,29 @@ def test_optional_tags(self): + "There are rules with incorrect/unknown Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://github.com/SigmaHQ/sigma-specification/blob/main/Tags_specification.md ", ) - def test_confirm_correct_mitre_tags(self): - files_with_incorrect_mitre_tags = [] + # sigma-cli validators attacktag + # def test_confirm_correct_mitre_tags(self): + # files_with_incorrect_mitre_tags = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - tags = self.get_rule_part(file_path=file, part_name="tags") - if tags: - for tag in tags: - if tag.startswith("attack.") and tag not in self.MITRE_ALL: - print( - Fore.RED - + "Rule {} has the following incorrect MITRE tag {}".format( - file, tag - ) - ) - files_with_incorrect_mitre_tags.append(file) + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # tags = self.get_rule_part(file_path=file, part_name="tags") + # if tags: + # for tag in tags: + # if tag.startswith("attack.") and tag not in self.MITRE_ALL: + # print( + # Fore.RED + # + "Rule {} has the following incorrect MITRE tag {}".format( + # file, tag + # ) + # ) + # files_with_incorrect_mitre_tags.append(file) - self.assertEqual( - files_with_incorrect_mitre_tags, - [], - Fore.RED - + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ", - ) + # self.assertEqual( + # files_with_incorrect_mitre_tags, + # [], + # Fore.RED + # + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ", + # ) # sigma validators duplicate_tag # def test_duplicate_tags(self): 
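Review bot: the removed `test_confirm_correct_mitre_tags` checked every `attack.*` tag against `self.MITRE_ALL`, which `get_mitre_data()` built from technique IDs, technique names, kill-chain phase names, group IDs and software IDs; before relying on the `attacktag` validator alone, confirm it rejects the same classes of unknown tag (in particular `attack.g*` and `attack.s*` IDs and tactic names), otherwise tags the old test would have flagged will pass CI silently. As with the other hunks, deleting the block rather than leaving it commented out would keep the file readable.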
@@ -933,37 +945,38 @@ def test_optional_license(self): + "There are rules with malformed 'license' fields. (has to be a string )", ) - def test_optional_tlp(self): - faulty_rules = [] - valid_tlp = [ - "WHITE", - "GREEN", - "AMBER", - "RED", - ] - for file in self.yield_next_rule_file_path(self.path_to_rules): - tlp_str = self.get_rule_part(file_path=file, part_name="tlp") - if tlp_str: - # it exists but isn't a string - if not isinstance(tlp_str, str): - print( - Fore.YELLOW - + "Rule {} has a 'tlp' field that isn't a string.".format(file) - ) - faulty_rules.append(file) - elif not tlp_str.upper() in valid_tlp: - print( - Fore.YELLOW - + "Rule {} has a 'tlp' field with not valid value.".format(file) - ) - faulty_rules.append(file) + # sigma-cli validators tlptag + # def test_optional_tlp(self): + # faulty_rules = [] + # valid_tlp = [ + # "WHITE", + # "GREEN", + # "AMBER", + # "RED", + # ] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # tlp_str = self.get_rule_part(file_path=file, part_name="tlp") + # if tlp_str: + # # it exists but isn't a string + # if not isinstance(tlp_str, str): + # print( + # Fore.YELLOW + # + "Rule {} has a 'tlp' field that isn't a string.".format(file) + # ) + # faulty_rules.append(file) + # elif not tlp_str.upper() in valid_tlp: + # print( + # Fore.YELLOW + # + "Rule {} has a 'tlp' field with not valid value.".format(file) + # ) + # faulty_rules.append(file) - self.assertEqual( - faulty_rules, - [], - Fore.RED - + "There are rules with malformed optional 'tlp' fields. (https://www.cisa.gov/tlp)", - ) + # self.assertEqual( + # faulty_rules, + # [], + # Fore.RED + # + "There are rules with malformed optional 'tlp' fields. (https://www.cisa.gov/tlp)", + # ) def test_optional_target(self): faulty_rules = [] 
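Review bot: the removed `test_optional_tlp` validated a top-level `tlp` field (`get_rule_part(file_path=file, part_name="tlp")`), accepted `WHITE`, `GREEN`, `AMBER` and `RED` case-insensitively via `tlp_str.upper()`, and rejected non-string values; the `tlptag` validator enabled in `tests/sigma_cli_conf.yml` is, by its name, a tag validator, so confirm it actually covers the same `tlp` field with the same value set and casing, otherwise rules with a lowercase `tlp` value could start failing or the field could go unchecked entirely. The dead code itself can be deleted rather than commented out.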
@@ -1602,7 +1615,7 @@ def test_unused_selection(self): # self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with common typos in field names.") - # Sigma error validator SigmaModifierError + # Sigma error SigmaModifierError # def test_unknown_value_modifier(self): # known_modifiers = [ # "contains", 
@@ -1909,74 +1922,74 @@ def check_item_for_bad_escapes(item): faulty_rules, [], Fore.RED + "There are rules using illegal re-escapes" ) - -def get_mitre_data(): - """ - Use Tags from CTI subrepo to get consitant data - """ - cti_path = "cti/" - cti_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), cti_path) - - # Get ATT&CK information - lift = attack_client(local_path=cti_path) - # Techniques - MITRE_TECHNIQUES = [] - MITRE_TECHNIQUE_NAMES = [] - MITRE_PHASE_NAMES = set() - MITRE_TOOLS = [] - MITRE_GROUPS = [] - # Techniques - enterprise_techniques = lift.get_enterprise_techniques() - for t in enterprise_techniques: - MITRE_TECHNIQUE_NAMES.append( - t["name"].lower().replace(" ", "_").replace("-", "_") - ) - for r in t.external_references: - if "external_id" in r: - MITRE_TECHNIQUES.append(r["external_id"].lower()) - if "kill_chain_phases" in t: - for kc in t["kill_chain_phases"]: - if "phase_name" in kc: - MITRE_PHASE_NAMES.add(kc["phase_name"].replace("-", "_")) - # Tools / Malware - enterprise_tools = lift.get_enterprise_tools() - for t in enterprise_tools: - for r in t.external_references: - if "external_id" in r: - MITRE_TOOLS.append(r["external_id"].lower()) - enterprise_malware = lift.get_enterprise_malware() - for m in enterprise_malware: - for r in m.external_references: - if "external_id" in r: - MITRE_TOOLS.append(r["external_id"].lower()) - # Groups - enterprise_groups = lift.get_enterprise_groups() - for g in enterprise_groups: - for r in g.external_references: - if "external_id" in r: - MITRE_GROUPS.append(r["external_id"].lower()) - - # Debugging - print( - "MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" - % ( - len(MITRE_TECHNIQUES), - len(MITRE_TECHNIQUE_NAMES), - len(list(MITRE_PHASE_NAMES)), - len(MITRE_GROUPS), - len(MITRE_TOOLS), - ) - ) - - # Combine all IDs to a big tag list - return [ - "attack." 
+ item - for item in MITRE_TECHNIQUES - + MITRE_TECHNIQUE_NAMES - + list(MITRE_PHASE_NAMES) - + MITRE_GROUPS - + MITRE_TOOLS - ] +# sigma-cli validators attacktag +# def get_mitre_data(): +# """ +# Use Tags from CTI subrepo to get consitant data +# """ +# cti_path = "cti/" +# cti_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), cti_path) + +# # Get ATT&CK information +# lift = attack_client(local_path=cti_path) +# # Techniques +# MITRE_TECHNIQUES = [] +# MITRE_TECHNIQUE_NAMES = [] +# MITRE_PHASE_NAMES = set() +# MITRE_TOOLS = [] +# MITRE_GROUPS = [] +# # Techniques +# enterprise_techniques = lift.get_enterprise_techniques() +# for t in enterprise_techniques: +# MITRE_TECHNIQUE_NAMES.append( +# t["name"].lower().replace(" ", "_").replace("-", "_") +# ) +# for r in t.external_references: +# if "external_id" in r: +# MITRE_TECHNIQUES.append(r["external_id"].lower()) +# if "kill_chain_phases" in t: +# for kc in t["kill_chain_phases"]: +# if "phase_name" in kc: +# MITRE_PHASE_NAMES.add(kc["phase_name"].replace("-", "_")) +# # Tools / Malware +# enterprise_tools = lift.get_enterprise_tools() +# for t in enterprise_tools: +# for r in t.external_references: +# if "external_id" in r: +# MITRE_TOOLS.append(r["external_id"].lower()) +# enterprise_malware = lift.get_enterprise_malware() +# for m in enterprise_malware: +# for r in m.external_references: +# if "external_id" in r: +# MITRE_TOOLS.append(r["external_id"].lower()) +# # Groups +# enterprise_groups = lift.get_enterprise_groups() +# for g in enterprise_groups: +# for r in g.external_references: +# if "external_id" in r: +# MITRE_GROUPS.append(r["external_id"].lower()) + +# # Debugging +# print( +# "MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" +# % ( +# len(MITRE_TECHNIQUES), +# len(MITRE_TECHNIQUE_NAMES), +# len(list(MITRE_PHASE_NAMES)), +# len(MITRE_GROUPS), +# len(MITRE_TOOLS), +# ) +# ) + +# # Combine all IDs to a big tag list +# return [ +# "attack." 
+ item +# for item in MITRE_TECHNIQUES +# + MITRE_TECHNIQUE_NAMES +# + list(MITRE_PHASE_NAMES) +# + MITRE_GROUPS +# + MITRE_TOOLS +# ] if __name__ == "__main__": From 962683487de0b2e35f4a1fae19193a8bde0ced64 Mon Sep 17 00:00:00 2001 From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com> Date: Fri, 17 Nov 2023 23:25:24 +0900 Subject: [PATCH 20/28] Merge PR #4575 from @fukusuket - Fix typo in the selection name chore: Potentially Suspicious Wuauclt Network Connection - Fix typo in selection name --- .../net_connection_win_wuauclt_network_connection.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index f79a6af8531..da338921e3d 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml @@ -8,7 +8,7 @@ references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2023/11/11 +modified: 2023/11/17 tags: - attack.defense_evasion - attack.t1218 @@ -73,8 +73,8 @@ detection: CommandLine|contains: - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' - filter_main_winsxs|all: - CommandLine|contains: + filter_main_winsxs: + CommandLine|contains|all: - ':\Windows\WinSxS\' - '\UpdateDeploy.dll /ClassId ' filter_main_cli_null: From 68edd164a08e43a712a0d4d694ea3c64c4b1636b Mon Sep 17 00:00:00 2001 
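Review bot: the `filter_main_winsxs` fix in `net_connection_win_wuauclt_network_connection.yml` is more than a typo and deserves saying so in the commit message: `|all` is a field modifier, so on the selection name `filter_main_winsxs|all` it was merely part of an identifier, and the list under `CommandLine|contains` was evaluated as an OR. The filter therefore suppressed any event whose command line contained either `:\Windows\WinSxS\` or `\UpdateDeploy.dll /ClassId `, a far wider exclusion than intended; with `CommandLine|contains|all` both substrings are required. Since the pattern slipped through once, the remaining `filter_main_*` blocks in this rule and the neighbouring Wuauclt rules are worth grepping for `|all:` on a selection key.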
From: Florian Roth Date: Fri, 17 Nov 2023 16:44:49 +0100 Subject: [PATCH 21/28] Merge PR #4576 from @Neo23x0 - Additional Ngrok Domains update: Communication To Ngrok Domains - Additional ngrok domains --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../net_connection_win_ngrok_domains.yml | 31 +++++++++++++++++++ .../net_connection_win_ngrok_io.yml | 23 -------------- 2 files changed, 31 insertions(+), 23 deletions(-) create mode 100644 rules/windows/network_connection/net_connection_win_ngrok_domains.yml delete mode 100644 rules/windows/network_connection/net_connection_win_ngrok_io.yml diff --git a/rules/windows/network_connection/net_connection_win_ngrok_domains.yml b/rules/windows/network_connection/net_connection_win_ngrok_domains.yml new file mode 100644 index 00000000000..a6098d9fcaf --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_ngrok_domains.yml 
@@ -0,0 +1,31 @@ +title: Communication To Ngrok Domains +id: 18249279-932f-45e2-b37a-8925f2597670 +status: test +description: Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors +references: + - https://ngrok.com/ + - https://ngrok.com/blog-post/new-ngrok-domains + - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/ + - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf +author: Florian Roth (Nextron Systems) +date: 2022/07/16 +modified: 2023/11/17 +tags: + - attack.exfiltration + - attack.t1567.001 +logsource: + category: network_connection + product: windows +detection: + selection: + Initiated: 'true' + DestinationHostname|endswith: + - '.ngrok-free.app' + - '.ngrok-free.dev' + - '.ngrok.app' + - '.ngrok.dev' + - '.ngrok.io' + condition: selection +falsepositives: + - Legitimate use of ngrok domains +level: high diff --git a/rules/windows/network_connection/net_connection_win_ngrok_io.yml b/rules/windows/network_connection/net_connection_win_ngrok_io.yml deleted file mode 100644 index 4c767032d51..00000000000 --- a/rules/windows/network_connection/net_connection_win_ngrok_io.yml +++ /dev/null 
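Review bot: keeping `id: 18249279-932f-45e2-b37a-8925f2597670` while the filename and title change is the right way to do this rename, since downstream consumers keyed on the id keep their state; because git records it as a delete plus an add, a short mention in the commit message that `net_connection_win_ngrok_domains.yml` supersedes `net_connection_win_ngrok_io.yml` would help anyone tracing the history. One caveat on the detection itself: every `DestinationHostname|endswith` value starts with a dot, so only subdomains match and the apex domains themselves do not, which fits how tunnel endpoints are named but could be stated in the description.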
@@ -1,23 +0,0 @@ -title: Communication To Ngrok.Io -id: 18249279-932f-45e2-b37a-8925f2597670 -status: test -description: Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors -references: - - https://ngrok.com/ - - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/ -author: Florian Roth (Nextron Systems) -date: 2022/07/16 -tags: - - attack.exfiltration - - attack.t1567.001 -logsource: - category: network_connection - product: windows -detection: - selection: - Initiated: 'true' - DestinationHostname|endswith: '.ngrok.io' - condition: selection -falsepositives: - - Legitimate use of ngrok.io -level: high From 2d63859aed1fd62630c3b30b3e51786647699dbf Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 17 Nov 2023 16:46:50 +0100 Subject: [PATCH 22/28] =?UTF-8?q?Merge=20PR=20#4574=20from=20@frack113=20-?= =?UTF-8?q?=20ci:=20=F0=9F=A4=96=20add=20new=20sigma-cli=200.7.10=20valida?= =?UTF-8?q?tors?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit chore: Add new validators from sigma-cli 0.7.10 and remove obsolete tests in test_rules.py --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- tests/sigma_cli_conf.yml | 13 ++- tests/test_rules.py | 223 +++++++++++++++++++-------------------- 2 files changed, 121 insertions(+), 115 deletions(-) diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml index a9d17ca0091..0ad3f69537c 100644 --- a/tests/sigma_cli_conf.yml +++ b/tests/sigma_cli_conf.yml 
@@ -1,11 +1,20 @@ validators: - - attacktag - all_of_them_condition + - attacktag + - cartag + - cvetag + - detection_tag + - duplicate_filename + - duplicate_references - duplicate_tag - duplicate_title + - filename_lengh + - filename_sigmahq - identifier_existence - identifier_uniqueness - - tlptag + - status_existence + - status_unsupported + - tlptag exclusions: # escaped_wildcard 021310d9-30a6-480a-84b7-eaa69aeb92bb: escaped_wildcard diff --git a/tests/test_rules.py b/tests/test_rules.py index d12775d5241..f46dfe3f8ce 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -20,13 +20,6 @@ # Old Tests cover by pySigma 0.10.6 and simgma-cli 0.7.8 # Use sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules* # -# def test_duplicate_tags(self): sigma-cli validators duplicate_tag -# def test_all_of_them_condition(self): sigma-cli validator all_of_them_condition -# def test_missing_id(self): sigma-cli error & validator identifier_existence identifier_uniqueness -# def test_duplicate_titles(self): sigma-cli validators duplicate_title -# def test_unknown_value_modifier(self): sigma-cli error & validator SigmaModifierError -# def test_confirm_correct_mitre_tags(self): sigma-cli validators attacktag -# def test_optional_tlp(self): sigma-cli validators tlptag class TestRules(unittest.TestCase): # @classmethod 
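Review bot: `filename_lengh` in the added validator list reads like a misspelling of `filename_length`; confirm it is the exact name that sigma-cli 0.7.10 registers, since a validator name the tool does not know cannot run the intended check and the CI output would not show the check as missing. The reorder of `attacktag` and `tlptag` keeps the list alphabetical, which is good; a one-line comment above `validators:` naming the sigma-cli version these names come from would make the next upgrade easier to audit.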
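Review bot: in the `tests/test_rules.py` hunk at `@@ -20,13 +20,6 @@`, the retained context line `# Old Tests cover by pySigma 0.10.6 and simgma-cli 0.7.8` is now stale (the commit message targets sigma-cli 0.7.10) and carries two typos (`cover by`, `simgma-cli`); update it in the same PR. Deleting the seven `# def test_... sigma-cli validators ...` mapping lines also removes the one place that listed which validator replaces which test; the mapping now survives only as scattered comments above each commented-out test body, which is harder to audit than a single list.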
@@ -196,30 +189,31 @@ def test_optional_tags(self): # Fore.RED + "There are rules with duplicate tags", # ) - def test_duplicate_references(self): - files_with_duplicate_references = [] + # sigma validators duplicate_references + # def test_duplicate_references(self): + # files_with_duplicate_references = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - references = self.get_rule_part(file_path=file, part_name="references") - if references: - known_references = [] - for reference in references: - if reference in known_references: - print( - Fore.RED - + "Rule {} has the duplicate reference {}".format( - file, reference - ) - ) - files_with_duplicate_references.append(file) - else: - known_references.append(reference) + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # references = self.get_rule_part(file_path=file, part_name="references") + # if references: + # known_references = [] + # for reference in references: + # if reference in known_references: + # print( + # Fore.RED + # + "Rule {} has the duplicate reference {}".format( + # file, reference + # ) + # ) + # files_with_duplicate_references.append(file) + # else: + # known_references.append(reference) - self.assertEqual( - files_with_duplicate_references, - [], - Fore.RED + "There are rules with duplicate references", - ) + # self.assertEqual( + # files_with_duplicate_references, + # [], + # Fore.RED + "There are rules with duplicate references", + # ) def test_look_for_duplicate_filters(self): def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None: 
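Review bot: delete the body of `test_duplicate_references` instead of commenting it out; git history preserves the code, and a 25-line commented block adds nothing beyond the one-line pointer `# sigma validators duplicate_references`. The pointer is consistent with this PR, which adds `duplicate_references` to `tests/sigma_cli_conf.yml`, though it should read `sigma-cli validator` to match the wording used for the other replaced tests.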
@@ -697,75 +691,77 @@ def test_missing_description(self): + "There are rules with missing or malformed 'description' field. (create one, e.g. description: Detects the suspicious behaviour of process XY doing YZ)", ) - def test_optional_date_modified(self): - faulty_rules = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - modifiedfield = self.get_rule_part(file_path=file, part_name="modified") - if modifiedfield: - if not isinstance(modifiedfield, str): - print( - Fore.YELLOW - + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format( - file - ) - ) - faulty_rules.append(file) - elif len(modifiedfield) != 10: - print( - Fore.YELLOW - + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format( - file - ) - ) - faulty_rules.append(file) - elif modifiedfield[4] != "/" or modifiedfield[7] != "/": - print( - Fore.YELLOW - + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format( - file - ) - ) - faulty_rules.append(file) + # sigma-cli error + # def test_optional_date_modified(self): + # faulty_rules = [] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # modifiedfield = self.get_rule_part(file_path=file, part_name="modified") + # if modifiedfield: + # if not isinstance(modifiedfield, str): + # print( + # Fore.YELLOW + # + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format( + # file + # ) + # ) + # faulty_rules.append(file) + # elif len(modifiedfield) != 10: + # print( + # Fore.YELLOW + # + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format( + # file + # ) + # ) + # faulty_rules.append(file) + # elif modifiedfield[4] != "/" or modifiedfield[7] != "/": + # print( + # Fore.YELLOW + # + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format( + # file + # ) + # ) + # faulty_rules.append(file) - self.assertEqual( - faulty_rules, - [], - Fore.RED - + "There are rules with malformed 'modified' fields. (create one, e.g. 
date: 2019/01/14)", - ) + # self.assertEqual( + # faulty_rules, + # [], + # Fore.RED + # + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)", + # ) - def test_optional_status(self): - faulty_rules = [] - valid_status = ["stable", "test", "experimental", "deprecated", "unsupported"] - for file in self.yield_next_rule_file_path(self.path_to_rules): - status_str = self.get_rule_part(file_path=file, part_name="status") - if status_str: - if not status_str in valid_status: - print( - Fore.YELLOW - + "Rule {} has a invalid 'status' (check wiki).".format(file) - ) - faulty_rules.append(file) - elif status_str == "unsupported": - print( - Fore.YELLOW - + "Rule {} has the unsupported 'status', can not be in rules directory".format( - file - ) - ) - faulty_rules.append(file) - else: - print( - Fore.YELLOW + "Rule {} is missing the 'status' field".format(file) - ) - faulty_rules.append(file) + # sigma-cli error and validator status_existence status_unsupported + # def test_optional_status(self): + # faulty_rules = [] + # valid_status = ["stable", "test", "experimental", "deprecated", "unsupported"] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # status_str = self.get_rule_part(file_path=file, part_name="status") + # if status_str: + # if not status_str in valid_status: + # print( + # Fore.YELLOW + # + "Rule {} has a invalid 'status' (check wiki).".format(file) + # ) + # faulty_rules.append(file) + # elif status_str == "unsupported": + # print( + # Fore.YELLOW + # + "Rule {} has the unsupported 'status', can not be in rules directory".format( + # file + # ) + # ) + # faulty_rules.append(file) + # else: + # print( + # Fore.YELLOW + "Rule {} is missing the 'status' field".format(file) + # ) + # faulty_rules.append(file) - self.assertEqual( - faulty_rules, - [], - Fore.RED - + "There are rules with malformed or missing 'status' fields. 
(check https://github.com/SigmaHQ/sigma-specification)", - ) + # self.assertEqual( + # faulty_rules, + # [], + # Fore.RED + # + "There are rules with malformed or missing 'status' fields. (check https://github.com/SigmaHQ/sigma-specification)", + # ) def test_level(self): faulty_rules = [] @@ -978,25 +974,26 @@ def test_optional_license(self): # + "There are rules with malformed optional 'tlp' fields. (https://www.cisa.gov/tlp)", # ) - def test_optional_target(self): - faulty_rules = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - target = self.get_rule_part(file_path=file, part_name="target") - if target: - # it exists but isn't a list - if not isinstance(target, list): - print( - Fore.YELLOW - + "Rule {} has a 'target' field that isn't a list.".format(file) - ) - faulty_rules.append(file) + # Not in the specification + # def test_optional_target(self): + # faulty_rules = [] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # target = self.get_rule_part(file_path=file, part_name="target") + # if target: + # # it exists but isn't a list + # if not isinstance(target, list): + # print( + # Fore.YELLOW + # + "Rule {} has a 'target' field that isn't a list.".format(file) + # ) + # faulty_rules.append(file) - self.assertEqual( - faulty_rules, - [], - Fore.RED - + "There are rules with malformed 'target' fields. (has to be a list of values even if it contains only a single value)", - ) + # self.assertEqual( + # faulty_rules, + # [], + # Fore.RED + # + "There are rules with malformed 'target' fields. (has to be a list of values even if it contains only a single value)", + # ) def test_references(self): faulty_rules = [] From bb97300f1f9c188288153344a5ecfbd76e2efcad Mon Sep 17 00:00:00 2001 
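Review bot: the `# sigma-cli error` pointer placed above the commented-out `test_optional_date_modified` (hunk `@@ -697,75 +691,77 @@`) needs evidence: the removed test enforced the `YYYY/MM/DD` shape of `modified` (string, length 10, `/` at index 4 and 7), yet no date-format validator is added to `tests/sigma_cli_conf.yml` in this PR, so the claim rests entirely on the parser rejecting a malformed date. Run `sigma check --fail-on-error` once against a rule with a deliberately malformed `modified:` value and record the result in the comment; if the parser accepts the string, this check has been lost. The same applies to the `not status_str in valid_status` branch of `test_optional_status`: `status_existence` and `status_unsupported` cover the missing and `unsupported` cases, but an unknown status value again relies on a parser error.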
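Review bot: in hunk `@@ -978,25 +974,26 @@`, `# Not in the specification` is a reason to delete `test_optional_target` outright rather than keep 25 commented lines, and it also means nothing now checks for rules that still carry a `target` key at all; if the field is outside the specification, consider a validator or a CI grep that flags its presence so unspecified keys do not accumulate in the rule set.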
From: Ali Alwashali Date: Mon, 20 Nov 2023 14:47:01 +0300 Subject: [PATCH 23/28] Merge PR #4532 from @alwashali - Update EventLog Query Related Rules new: EventLog Query Requests By Builtin Utilities update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Enhanced logic from simply covering wevtutil to covering other tools and conditions. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...proc_creation_win_susp_event_log_query.yml | 47 +++++++++++ ...eation_win_susp_eventlog_content_recon.yml | 79 +++++++++++++++++++ .../proc_creation_win_wevtutil_recon.yml | 30 ------- 3 files changed, 126 insertions(+), 30 deletions(-) create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml new file mode 100644 index 00000000000..7c2769f296f --- /dev/null +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml 
@@ -0,0 +1,47 @@ +title: EventLog Query Requests By Builtin Utilities +id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f +related: + - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf + type: derived +status: experimental +description: | + Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc. +references: + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1 + - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/ + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil +author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/20 +tags: + - attack.t1552 + - attack.credential_access + - detection.threat_hunting +logsource: + product: windows + category: process_creation +detection: + selection_wmi: + CommandLine|contains|all: + - 'Select' + - 'Win32_NTLogEvent' + selection_wevtutil_img: + - Image|endswith: '\wevtutil.exe' + - OriginalFileName: 'wevtutil.exe' + selection_wevtutil_cli: + CommandLine|contains: + - ' qe ' + - ' query-events ' + selection_wmic_img: + - Image|endswith: '\wevtutil.exe' + - OriginalFileName: 'wevtutil.exe' + selection_wmic_cli: + CommandLine|contains: ' ntevent' + selection_cmdlet: + CommandLine|contains: + - 'Get-WinEvent ' + - 'get-eventlog ' + condition: selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet +falsepositives: + - Legitimate log access by administrators or troubleshooting tools +level: medium 
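Review bot: `selection_wmic_img` is a verbatim copy of `selection_wevtutil_img` (`Image|endswith: '\wevtutil.exe'`, `OriginalFileName: 'wevtutil.exe'`), so `all of selection_wmic_*` can only fire when wevtutil.exe is started with ` ntevent` on its command line, which is the WMIC alias and not a wevtutil argument; the WMIC branch therefore never matches the tool it is named after and should presumably reference `\wmic.exe` / `wmic.exe`. Worth a short comment as well: `selection_wmi` (`Select` plus `Win32_NTLogEvent`) has no image constraint, so it already covers WMI queries issued from any host process, which is why the condition does not need an image for that branch.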
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml new file mode 100644 index 00000000000..342adc7bba1 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml 
@@ -0,0 +1,79 @@ +title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities +id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf +related: + - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f + type: derived +status: experimental +description: | + Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs. +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a + - https://www.group-ib.com/blog/apt41-world-tour-2021/ + - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1 + - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/ + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil +author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +date: 2022/09/09 +modified: 2023/11/20 +tags: + - attack.credential_access + - attack.discovery + - attack.t1552 +logsource: + category: process_creation + product: windows +detection: + selection_wmi: + CommandLine|contains|all: + - 'Select' + - 'Win32_NTLogEvent' + selection_wevtutil_img: + - Image|endswith: '\wevtutil.exe' + - OriginalFileName: 'wevtutil.exe' + selection_wevtutil_cli: + CommandLine|contains: + - ' qe ' + - ' query-events ' + selection_wmic_img: + - Image|endswith: '\wevtutil.exe' + - OriginalFileName: 'wevtutil.exe' + selection_wmic_cli: + CommandLine|contains: ' ntevent' + selection_cmdlet: + CommandLine|contains: + - 'Get-WinEvent ' + - 'get-eventlog ' + 
selection_logs_name: + CommandLine|contains: + # Note: Add more event log channels that are interesting for attackers + - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational' + - 'Security' + selection_logs_eid: + CommandLine|contains: + # Note: We use the "?" to account for both a single and a double quote + # Note: Please add additional interesting event IDs + # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers. + # This covers EID 4624 from Security Log + - '-InstanceId 4624' + - 'System[EventID=4624]' + - 'EventCode=?4624?' + - "EventIdentifier=?4624?" + # This covers EID 4778 from Security Log + - '-InstanceId 4778' + - 'System[EventID=4778]' + - 'EventCode=?4778?' + - "EventIdentifier=?4778?" + # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log + - '-InstanceId 25' + - 'System[EventID=25]' + - 'EventCode=?25?' + - "EventIdentifier=?25?" + condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet) +falsepositives: + - Legitimate usage of the utility by administrators to query the event log +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml deleted file mode 100644 index 27a58fde21d..00000000000 --- a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml +++ /dev/null 
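Review bot: two points in the detection block. First, `selection_wmic_img` duplicates `selection_wevtutil_img` (`\wevtutil.exe` / `wevtutil.exe`) exactly as in the threat-hunting rule of this PR, so the ` ntevent` WMIC branch never matches wmic.exe; it should presumably reference `\wmic.exe` / `wmic.exe`. Second, in `selection_logs_eid` the `-InstanceId` entries are bare prefix matches: `'-InstanceId 25'` also matches `-InstanceId 250` or `-InstanceId 2500`, and `'-InstanceId 4624'` matches any ID beginning with 4624, whereas the bracket and quote forms (`System[EventID=25]`, `EventCode=?25?`) are delimited on both sides; either append a trailing space to the `-InstanceId` strings (accepting a miss when the ID ends the command line) or extend the existing `Note:` about rare FPs to say that prefix collisions are accepted. The `?` in `EventCode=?4624?` is a single-character wildcard and matches any character, not only a quote, which is harmless here but should be stated in the comment.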
@@ -1,30 +0,0 @@ -title: Potential Recon Activity Using Wevtutil -id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf -status: experimental -description: Detects usage of the wevtutil utility to perform reconnaissance -references: - - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html -author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/09 -modified: 2023/01/18 -tags: - - attack.discovery -logsource: - category: process_creation - product: windows -detection: - selection_cli: - Image|endswith: '\wevtutil.exe' - CommandLine|contains: - - ' qe ' - - ' query-events ' - selection_logs: - CommandLine|contains: - # Add more event log channels that are interesting for attackers - - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational' - - 'Security' - condition: all of selection_* -falsepositives: - - Legitimate usage of the utility by administrators to query the event log -level: medium From 1cc2a6cd936c3a3883c2ac5302872add018ee982 Mon Sep 17 00:00:00 2001 From: Luca <150611686+CrimpSec@users.noreply.github.com> Date: Mon, 20 Nov 2023 07:19:09 -0500 Subject: [PATCH 24/28] Merge PR #4568 from @CrimpSec - Adding two registry modifications detections update: Disable Internal Tools or Feature in Registry - Increase coverage by adding 2 new values, namely `NoDispCPL` and `NoDispBackground` --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../registry_set_disable_function_user.yml | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml index 96d1c9a1eb7..88a0ca6686e 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml 
@@ -6,9 +6,11 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html -author: frack113, Nasreddine Bencherchali + - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage + - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl +author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec date: 2022/03/18 -modified: 2023/08/17 +modified: 2023/11/20 tags: - attack.defense_evasion - attack.t1112 
@@ -18,21 +20,23 @@ logsource: detection: selection_set_1: TargetObject|endswith: + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools' - - 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL' - 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter' - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword' - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation' - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff' + - 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD' Details: 'DWORD (0x00000001)' selection_set_0: TargetObject|endswith: - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled' - - '\SYSTEM\CurrentControlSet\Control\Storage\Write Protection' - - '\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect' + - 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection' + - 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect' Details: 'DWORD (0x00000000)' condition: 1 of selection_set_* falsepositives: From e506e4574a47c92de1db8a25acf6e76665c6e39e Mon Sep 17 00:00:00 2001 
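Review bot: the commit message announces the new values as `NoDispCPL` and `NoDispBackground`, but the hunk adds `...Policies\System\NoDispBackgroundPage` (matching the Malwarebytes reference `pum-optional-nodispbackgroundpage`); correct the changelog line so the release notes name the value the rule actually matches. The hunk also quietly rewrites two existing entries by dropping the leading backslash (`'\SYSTEM\CurrentControlSet\Control\Storage\Write Protection'` becomes `'SYSTEM\...'`); under `endswith` that is a no-op in practice, so it is fine, but behaviour-neutral reorders and normalisations like this are easier to review when the changelog says the list was sorted.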
From: Kamran Saifullah - Frog Man <16836050+deFr0ggy@users.noreply.github.com> Date: Mon, 20 Nov 2023 04:22:15 -0800 Subject: [PATCH 25/28] Merge PR #4580 from @deFr0ggy - Update VsCode/DevTunnels Communication Related Rules new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1 new: Network Connection Initiated To DevTunnels Domain new: Network Connection Initiated To Visual Studio Code Tunnels Domain update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the logic of Devtunnels to another rule. To ease FP management for users that leverage one but not the other. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...dns_query_win_devtunnels_communication.yml | 32 +++++++++++++++++++ ..._query_win_vscode_tunnel_communication.yml | 21 +++++++----- ...et_connection_win_devtunnel_connection.yml | 32 +++++++++++++++++++ ...onnection_win_vscode_tunnel_connection.yml | 32 +++++++++++++++++++ 4 files changed, 109 insertions(+), 8 deletions(-) create mode 100644 rules/windows/dns_query/dns_query_win_devtunnels_communication.yml create mode 100644 rules/windows/network_connection/net_connection_win_devtunnel_connection.yml create mode 100644 rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml new file mode 100644 index 00000000000..54b62bfd967 --- /dev/null +++ b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml 
@@ -0,0 +1,32 @@ +title: DNS Query To Devtunnels Domain +id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b +related: + - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels + type: similar + - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode + type: similar + - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode + type: similar +status: experimental +description: | + Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +references: + - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 + - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security + - https://cydefops.com/devtunnels-unleashed +author: citron_ninja +date: 2023/10/25 +modified: 2023/11/20 +tags: + - attack.command_and_control + - attack.t1071.001 +logsource: + category: dns_query + product: windows +detection: + selection: + QueryName|endswith: '.devtunnels.ms' + condition: selection +falsepositives: + - Legitimate use of Devtunnels will also trigger this. +level: medium diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml index aa898fb474b..d03bca54df3 100644 --- a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml +++ b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml 
@@ -1,15 +1,22 @@ -title: DNS Query To Devtunnels And VsCode Tunnels +title: DNS Query To Visual Studio Code Tunnels Domain id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 +related: + - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels + type: similar + - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode + type: similar + - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels + type: similar status: experimental description: | - Detects DNS query to Devtunnels and Visual Studio Code tunnel domains. Attackers can be abuse these features to establish a reverse shell. + Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html - - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 - - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security + - https://cydefops.com/vscode-data-exfiltration author: citron_ninja date: 2023/10/25 +modified: 2023/11/20 tags: - attack.command_and_control - attack.t1071.001 @@ -18,10 +25,8 @@ logsource: product: windows detection: selection: - QueryName|endswith: - - '.tunnels.api.visualstudio.com' - - '.devtunnels.ms' + QueryName|endswith: '.tunnels.api.visualstudio.com' condition: selection falsepositives: - - Legitimate use of Visual Studio Code tunnel will also trigger this + - Legitimate use of Visual Studio Code tunnel will also trigger this. level: medium diff --git a/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml b/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml new file mode 100644 index 00000000000..33680cfd9a2 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml 
@@ -0,0 +1,32 @@ +title: Network Connection Initiated To DevTunnels Domain +id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 +related: + - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode + type: similar + - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode + type: similar + - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels + type: similar +status: experimental +description: | + Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +references: + - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 + - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security + - https://cydefops.com/devtunnels-unleashed +author: Kamran Saifullah +date: 2023/11/20 +tags: + - attack.exfiltration + - attack.t1567.001 +logsource: + category: network_connection + product: windows +detection: + selection: + Initiated: 'true' + DestinationHostname|endswith: '.devtunnels.ms' + condition: selection +falsepositives: + - Legitimate use of Devtunnels will also trigger this. +level: medium diff --git a/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml new file mode 100644 index 00000000000..64c07283510 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml 
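Review bot: the tags `attack.exfiltration` / `attack.t1567.001` contradict the description, which says the feature is abused "to establish a reverse shell or persistence on a machine"; the DNS rule `1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b` that this rule lists as `similar` carries `attack.command_and_control` / `attack.t1071.001` for the same behaviour. Pick one mapping for the related rules (command and control fits the stated reverse-shell use; exfiltration would need to be mentioned in the description if it is the intended tag).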
@@ -0,0 +1,32 @@ +title: Network Connection Initiated To Visual Studio Code Tunnels Domain +id: 4b657234-038e-4ad5-997c-4be42340bce4 +related: + - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels + type: similar + - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode + type: similar + - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels + type: similar +status: experimental +description: | + Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +references: + - https://ipfyx.fr/post/visual-studio-code-tunnel/ + - https://badoption.eu/blog/2023/01/31/code_c2.html + - https://cydefops.com/vscode-data-exfiltration +author: Kamran Saifullah +date: 2023/11/20 +tags: + - attack.exfiltration + - attack.t1567.001 +logsource: + category: network_connection + product: windows +detection: + selection: + Initiated: 'true' + DestinationHostname|endswith: '.tunnels.api.visualstudio.com' + condition: selection +falsepositives: + - Legitimate use of Visual Studio Code tunnel will also trigger this. +level: medium From 130227bc0570c16cb771bc03395da05e3b7babe2 Mon Sep 17 00:00:00 2001 
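Review bot: the same tag mismatch exists here: `attack.exfiltration` / `attack.t1567.001` versus a description about reverse shells and persistence, while the DNS rule `b3e6418f-7c7a-4fad-993a-93b65027a9f1` listed as `similar` uses `attack.command_and_control` / `attack.t1071.001`; the four related rules should share one mapping so that users filtering by tactic see the DNS and network-connection variants together.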
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 20 Nov 2023 13:45:53 +0100 Subject: [PATCH 26/28] Merge PR #4581 from @phantinuss - Remove in changlog, additional attribution, workflow optimization, FP tuning chore: run sigma rule repo tests only on specific paths chore: add manual thanks and list removed rules in changelog fix: Rundll32 Execution Without DLL File - remove command line restriction bc of numerous FPs --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .github/PULL_REQUEST_TEMPLATE.md | 4 ++- .github/workflows/release.yml | 3 ++ .github/workflows/sigma-test.yml | 36 +++++++++---------- ..._rundll32_executable_invalid_extension.yml | 5 +-- 4 files changed, 25 insertions(+), 23 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index d9128e7659d..f9e95e5f2df 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -8,7 +8,7 @@ Thanks for your contribution. Please make sure to fill the contents of this temp ### Changelog @@ -19,6 +19,7 @@ You need to add one line for every changed file of the PR and prefix one of the new: update: <title> - <optional comment> fix: <title> - <optional comment> +remove: <title> - <optional comment> chore: for non-detection related changes (e.g. dates/titles) and changes on workflow e.g. @@ -26,6 +27,7 @@ new: Brute-Force Attacks on Azure Admin Account update: Suspicious Microsoft Office Child Process - add MSPUB.EXE fix: Malware User Agent - remove legitimate Firefox UA chore: workflow - update checkout version +remove: Suspicious Office Execution - deprecated in favour of 8f922766-a1d3-4b57-9966-b27de37fddd2 --> ### Example Log Event diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 28363258c91..f5fa8ac7fc1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -24,10 +24,13 @@ jobs: git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort | sed -e 's%^% - %' >> changes.txt if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' -c) -gt 0 ]]; then echo "### Updated Rules" >> changes.txt; fi git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort | sed -e 's%^% - %' >> changes.txt + if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' -c) -gt 0 ]]; then echo "### Removed / Deprecated Rules" >> changes.txt; fi + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort | sed -e 's%^% - %' >> changes.txt if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort | sed -e 's%^% - %' >> changes.txt git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*" | sort -u >> authors_raw.txt LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt cat changes.txt >> changelog.txt echo "" >> changelog.txt diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index c50ce6a06e9..effaa0152dd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
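Review bot: the new `Thanks:` extraction (`grep -ioP "Thanks: \K.*" | sort -u >> authors_raw.txt`) appends the remainder of the line verbatim, whereas the `Co-authored-by:` path normalises to `@handle` with `sed -e 's%^%@%'` and the `Merge PR` path extracts a single `@\S+`; a commit with `Thanks: someone` therefore yields an entry without the `@` prefix, and `Thanks: @a @b` yields one combined entry, so the later `sort -u` cannot dedupe them against the other two sources. Normalise before appending (split on whitespace, strip any leading `@`, re-add it) and document the expected `Thanks: @handle` form in `PULL_REQUEST_TEMPLATE.md`, which this PR already edits for `remove:`. The added `remove:` section itself follows the `update:`/`fix:` pattern correctly.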
@@ -7,27 +7,27 @@ on: # yamllint disable-line rule:truthy push: branches: - "*" - # paths: - # - "deprecated/**.yml" - # - "rules-compliance/**.yml" - # - "rules-dfir/**.yml" - # - "rules-emerging-threats/**.yml" - # - "rules-placeholder/**.yml" - # - "rules-threat-hunting/**.yml" - # - "rules/**.yml" - # - "unsupported/**.yml" + paths: + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "unsupported/**.yml" pull_request: branches: - master - # paths: - # - "deprecated/**.yml" - # - "rules-compliance/**.yml" - # - "rules-dfir/**.yml" - # - "rules-emerging-threats/**.yml" - # - "rules-placeholder/**.yml" - # - "rules-threat-hunting/**.yml" - # - "rules/**.yml" - # - "unsupported/**.yml" + paths: + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "unsupported/**.yml" # Allows you to run this workflow manually from the Actions tab workflow_dispatch: diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml index ef78547f4a7..4c1d07befef 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp) date: 2022/01/13 -modified: 2023/10/11 +modified: 2023/11/14 tags: - attack.defense_evasion - attack.t1218.011 
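Review bot: the sigma-test.yml hunk restricts both triggers to the rule directories, so a change to the workflow itself, to `tests/test_rules.py`, `tests/test_logsource.py`, `tests/thor.yml` or `.github/workflows/known-FPs.csv` no longer runs the tests that depend on them, and a regression in the harness only surfaces on the next rule PR. Add those files to both `paths` lists. Note also that once a workflow is path-filtered, any of its jobs configured as required status checks stay "expected" for PRs that touch only other files; check the branch-protection settings after merging.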
@@ -51,9 +51,6 @@ detection: - 'C:\Windows\Installer\MSI' - '.tmp' - 'zzzzInvokeManagedCustomActionOutOfProc' - CommandLine|contains: - - 'Avira.OE.Setup' - - 'FindOldJetBrainsProduct' condition: selection and not 1 of filter_* fields: - Image From 01730d0e0e5ff9f8f21c7e390c1b35922bea9f98 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 20 Nov 2023 15:16:55 +0100 Subject: [PATCH 27/28] Merge PR #4582 from @phantinuss - cleanup duplicate release entries and enhance manual thanking output --- .github/workflows/release.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f5fa8ac7fc1..7c19734e854 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
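Review bot: in the rundll32 rule hunk, dropping the second `CommandLine|contains` map changes the filter from "MSI custom actions of the Avira and JetBrains installers" to "any rundll32 launch whose command line matches the remaining `C:\Windows\Installer\MSI` / `.tmp` / `zzzzInvokeManagedCustomActionOutOfProc` condition", and those substrings can be supplied by any process that starts rundll32, not only by the installer service. If the FP volume makes the broader exclusion necessary, tie it to the parent instead of, or in addition to, the command line (for example `ParentImage|endswith: '\msiexec.exe'`, assuming your telemetry shows these launches come from msiexec.exe), and record the widened exclusion under `falsepositives` so the trade-off is visible to consumers of the rule.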
@@ -21,16 +21,16 @@ jobs: echo "Previous tag: ${prev_tag}" echo "Current tag: ${curr_tag}" if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' -c) -gt 0 ]]; then echo "### New Rules" > changes.txt; fi - git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort | sed -e 's%^% - %' >> changes.txt + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort -u | sed -e 's%^% - %' >> changes.txt if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' -c) -gt 0 ]]; then echo "### Updated Rules" >> changes.txt; fi - git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort | sed -e 's%^% - %' >> changes.txt + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort -u | sed -e 's%^% - %' >> changes.txt if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' -c) -gt 0 ]]; then echo "### Removed / Deprecated Rules" >> changes.txt; fi - git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort | sed -e 's%^% - %' >> changes.txt + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort -u | sed -e 's%^% - %' >> changes.txt if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi - git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort | sed -e 's%^% - %' >> changes.txt + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort -u | sed -e 's%^% - %' >> changes.txt git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt - git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*" | sort -u >> authors_raw.txt + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*?(?=$| 
for)" | sort -u >> authors_raw.txt LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt cat changes.txt >> changelog.txt echo "" >> changelog.txt From 2c24b24cf1269a4087acf04136fd2d6eaf447452 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 21 Nov 2023 15:16:18 +0100 Subject: [PATCH 28/28] Merge PR #4585 from @phantinuss - Update evtx-baseline to v0.8 and fix FP found in baseline chore: update evtx-baseline to v0.8 chore: add file paths that impact the test chore: split goodlog and QA tests into two separate workflows fix: File or Folder Permissions Modifications - FPs with partial paths --- .github/workflows/goodlog-tests.yml | 162 ++++++++++++++++++ .github/workflows/sigma-test.yml | 119 +------------ .github/workflows/sigma-validation.yml | 4 +- ...win_susp_file_permission_modifications.yml | 8 +- tests/check-baseline-local.sh | 18 +- 5 files changed, 193 insertions(+), 118 deletions(-) create mode 100644 .github/workflows/goodlog-tests.yml diff --git a/.github/workflows/goodlog-tests.yml b/.github/workflows/goodlog-tests.yml new file mode 100644 index 00000000000..7b5548e5aae --- /dev/null +++ b/.github/workflows/goodlog-tests.yml 
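Review bot: in the release.yml hunk of PATCH 27, `Thanks: \K.*?(?=$| for)` only trims a trailing ` for ...`; anything else after the handle is still captured, so `Thanks: @a, @b` yields the single entry `@a, @b` and `Thanks: @a (issue)` yields `@a (issue)`, neither of which de-duplicates against the same `@a` taken from a `Merge PR` line by the later `sort -u`. Extract the handles rather than the rest of the line, e.g. `grep -ioP 'Thanks: \K.*' | grep -oP '@[\w-]+'`, which also drops stray commas and handles several names on one line. The switch to `sort -u` for the changelog sections is fine, with the caveat that two different PRs carrying a byte-identical `update:` line (same title, no comment) are now collapsed into one entry.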
@@ -0,0 +1,162 @@ +# This workflow will install Python dependencies, run tests and lint with a single version of Python +# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions + +name: Goodlog Tests + +on: + push: + branches: + - "*" + paths: + - ".github/workflows/goodlog-tests.yml" + - ".github/workflows/known-FPs.csv" + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "tests/thor.yml" + - "unsupported/**.yml" + pull_request: + branches: + - master + paths: + - ".github/workflows/goodlog-tests.yml" + - ".github/workflows/known-FPs.csv" + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "tests/thor.yml" + - "unsupported/**.yml" + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + EVTX_BASELINE_VERSION: v0.8 + +jobs: + check-baseline-win7: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3.2.0 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 7 32-bit baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz + tar xzf win7-x86.tgz + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json 
.github/workflows/known-FPs.csv + + check-baseline-win10: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3.2.0 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 10 baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz + tar xzf win10-client.tgz + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + + check-baseline-win11: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3.2.0 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 11 baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz + tar xzf win11-client.tgz + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + + check-baseline-win11-2023: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3.2.0 + - name: Download evtx-sigma-checker + run: wget --no-verbose 
https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 11 baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz + tar xzf win11-client-2023.tgz + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + + check-baseline-win2022: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3.2.0 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 2022 baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz + tar xzf win2022-evtx.tgz + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + + check-baseline-win2022-domain-controller: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3.2.0 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 2022 baseline + run: | + wget --no-verbose 
https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz + tar xzf win2022-ad.tgz + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + + check-baseline-win2022-0-20348-azure: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3.2.0 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 2022.0.20348 Azure baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz + tar xzf win2022-0-20348-azure.tgz + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index effaa0152dd..4f4be1955ca 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -3,11 +3,12 @@ name: Sigma Rule Tests -on: # yamllint disable-line rule:truthy +on: push: branches: - "*" paths: + - ".github/workflows/sigma-test.yml" - "deprecated/**.yml" - "rules-compliance/**.yml" - "rules-dfir/**.yml" 
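Review bot: the new goodlog-tests.yml fetches an executable (`evtx-sigma-checker`) and the baseline archives from a GitHub release with `wget` and runs them with no integrity check; release assets can be replaced under the same `v0.8` tag, so whatever is served at that URL executes in CI with the repository checked out. Pin the assets by digest next to the `EVTX_BASELINE_VERSION` pin (`echo "<sha256>  evtx-sigma-checker" | sha256sum -c` before `chmod +x`, and the same for each `.tgz`), and pin `actions/checkout` to a commit SHA rather than `v3.2.0` for the same reason. Structurally, the seven jobs differ only in archive name and extracted directory (`win7-x86.tgz`/`win7_x86/`, `win10-client.tgz`/`Logs_Client/`, ...), so a `strategy.matrix` with `include:` entries of `{archive, dir}` reduces the file to one job and makes the next baseline a one-line addition.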
@@ -15,11 +16,14 @@ on: # yamllint disable-line rule:truthy - "rules-placeholder/**.yml" - "rules-threat-hunting/**.yml" - "rules/**.yml" + - "tests/test_logsource.py" + - "tests/test_rules.py" - "unsupported/**.yml" pull_request: branches: - master paths: + - ".github/workflows/sigma-test.yml" - "deprecated/**.yml" - "rules-compliance/**.yml" - "rules-dfir/**.yml" @@ -27,14 +31,13 @@ on: # yamllint disable-line rule:truthy - "rules-placeholder/**.yml" - "rules-threat-hunting/**.yml" - "rules/**.yml" + - "tests/test_logsource.py" + - "tests/test_rules.py" - "unsupported/**.yml" # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -env: - EVTX_BASELINE_VERSION: v0.7 - jobs: yamllint: runs-on: ubuntu-latest 
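Review bot: the first sigma-test.yml hunk drops the `# yamllint disable-line rule:truthy` marker from `on:`; yamllint's `truthy` rule checks keys by default (`check-keys: true`) and flags `on`, so this workflow's own `yamllint` job will fail on the file it lives in unless the repository's yamllint configuration disables `check-keys` or lists `on` under `allowed-values`. The new goodlog-tests.yml and the sigma-validation.yml context use a bare `on:` as well, so either that configuration exists and the marker was dead weight, or all three files need it; verify before merging. The added `paths` entries cover the workflow and the two Python tests but not the yamllint configuration file, if the first job reads one from the repository; add it too.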
@@ -81,111 +84,3 @@ jobs: run: | pip install PyYAML colorama python tests/test_rules.py - - check-baseline-win7: - runs-on: ubuntu-latest - needs: test-sigma-logsource - steps: - - uses: actions/checkout@v3.2.0 - - name: Download evtx-sigma-checker - run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker - - name: Download and extract Windows 7 32-bit baseline - run: | - wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz - tar xzf win7-x86.tgz - - name: Check for Sigma matches in baseline - run: | - chmod +x evtx-sigma-checker - ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json - - name: Show findings excluding known FPs - run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv - - check-baseline-win10: - runs-on: ubuntu-latest - needs: test-sigma-logsource - steps: - - uses: actions/checkout@v3.2.0 - - name: Download evtx-sigma-checker - run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker - - name: Download and extract Windows 10 baseline - run: | - wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz - tar xzf win10-client.tgz - - name: Check for Sigma matches in baseline - run: | - chmod +x evtx-sigma-checker - ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json - - name: Show findings excluding known FPs - run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv - - check-baseline-win11: - runs-on: ubuntu-latest - needs: test-sigma-logsource - steps: - - 
uses: actions/checkout@v3.2.0 - - name: Download evtx-sigma-checker - run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker - - name: Download and extract Windows 11 baseline - run: | - wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz - tar xzf win11-client.tgz - - name: Check for Sigma matches in baseline - run: | - chmod +x evtx-sigma-checker - ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json - - name: Show findings excluding known FPs - run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv - - check-baseline-win2022: - runs-on: ubuntu-latest - needs: test-sigma-logsource - steps: - - uses: actions/checkout@v3.2.0 - - name: Download evtx-sigma-checker - run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker - - name: Download and extract Windows 2022 baseline - run: | - wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz - tar xzf win2022-evtx.tgz - - name: Check for Sigma matches in baseline - run: | - chmod +x evtx-sigma-checker - ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json - - name: Show findings excluding known FPs - run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv - - check-baseline-win2022-domain-controller: - runs-on: ubuntu-latest - needs: test-sigma-logsource - steps: - - uses: actions/checkout@v3.2.0 - - name: Download evtx-sigma-checker - run: wget --no-verbose 
https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker - - name: Download and extract Windows 2022 baseline - run: | - wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz - tar xzf win2022-ad.tgz - - name: Check for Sigma matches in baseline - run: | - chmod +x evtx-sigma-checker - ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json - - name: Show findings excluding known FPs - run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv - - check-baseline-win2022-0-20348-azure: - runs-on: ubuntu-latest - needs: test-sigma-logsource - steps: - - uses: actions/checkout@v3.2.0 - - name: Download evtx-sigma-checker - run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker - - name: Download and extract Windows 2022.0.20348 Azure baseline - run: | - wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz - tar xzf win2022-0-20348-azure.tgz - - name: Check for Sigma matches in baseline - run: | - chmod +x evtx-sigma-checker - ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json - - name: Show findings excluding known FPs - run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv diff --git a/.github/workflows/sigma-validation.yml b/.github/workflows/sigma-validation.yml index 32a6ac351df..d9544e3a746 100644 --- a/.github/workflows/sigma-validation.yml +++ b/.github/workflows/sigma-validation.yml 
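Review bot: the removed jobs each carried `needs: test-sigma-logsource`, which kept the seven baseline scans from starting until the cheap logsource test had passed; their replacements in goodlog-tests.yml have no `needs`, so a push with a malformed rule now burns seven parallel runners before the failure surfaces. If that is the intended trade-off for running the scans independently, say so in the header comment of goodlog-tests.yml so the gate is not re-added by accident. Also confirm that branch-protection required checks still resolve: the job ids are unchanged but they now belong to the workflow `Goodlog Tests` instead of `Sigma Rule Tests`.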
@@ -12,6 +12,7 @@ on: - "rules-placeholder/**.yml" - "rules-threat-hunting/**.yml" - "rules/**.yml" + - "tests/validate-sigma-schema/validate.sh" - "unsupported/**.yml" pull_request: branches: @@ -24,8 +25,9 @@ on: - "rules-placeholder/**.yml" - "rules-threat-hunting/**.yml" - "rules/**.yml" + - "tests/validate-sigma-schema/validate.sh" - "unsupported/**.yml" - + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml index 97078430353..09435200619 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml @@ -8,7 +8,7 @@ references: - https://github.com/swagkarna/Defeat-Defender-V1.2.0 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/23 -modified: 2023/11/06 +modified: 2023/11/21 tags: - attack.defense_evasion - attack.t1222.001 @@ -41,11 +41,11 @@ detection: filter_optional_vscode: CommandLine|contains: - '\AppData\Local\Programs\Microsoft VS Code' - - ':\Program Files\Microsoft VS Code\' + - ':\Program Files\Microsoft VS Code' filter_optional_avira: CommandLine|contains: - - ':\Program Files (x86)\Avira\' - - ':\Program Files\Avira\' + - ':\Program Files (x86)\Avira' + - ':\Program Files\Avira' condition: 1 of selection_* and not 1 of filter_optional_* falsepositives: - Users interacting with the files on their own (unlikely unless privileged users). diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh index 2c3fd80be62..4d53cd3373e 100755 --- a/tests/check-baseline-local.sh +++ b/tests/check-baseline-local.sh 
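Review bot: in the proc_creation_win_susp_file_permission_modifications.yml hunk, removing the trailing `\` from the three filter strings turns them into prefix matches, so the exclusion now also covers any directory whose name merely begins with `Avira` or `Microsoft VS Code` under Program Files (for example `:\Program Files\Avira Something\`). Because these are `filter_optional_*` entries and creating such a directory normally requires administrative rights anyway, the widening is acceptable for a threat-hunting rule, but the commit only says "FPs with partial paths"; add the observed command-line shape (a path without the trailing separator, or closed by a quote) as a comment or under `falsepositives` so the next person does not restore the `\`.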
@@ -151,10 +151,23 @@ OS="Windows 11" pids+=($!) PID2OS[$!]=$OS +# Windows 11 2023 +OS="Windows 11 2023" +{ + sleep 40 + wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client-2023.tgz + tar xzf win11-client-2023.tgz + echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)" + ./evtx-sigma-checker --log-source "${SIGMA}"/tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win11-2023.json + echo " Finished Checking for Sigma matches in $OS baseline" +}& +pids+=($!) +PID2OS[$!]=$OS + # Windows 2022.0.20348 Azure OS="Windows 2022.0.20348 Azure" { - sleep 40 + sleep 50 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz tar xzf win2022-0-20348-azure.tgz echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)" @@ -184,6 +197,9 @@ echo echo "Windows 11:" "${SIGMA}"/.github/workflows/matchgrep.sh findings-win11.json "${SIGMA}"/.github/workflows/known-FPs.csv echo +echo "Windows 11 2023:" +"${SIGMA}"/.github/workflows/matchgrep.sh findings-win11-2023.json "${SIGMA}"/.github/workflows/known-FPs.csv +echo echo "Windows 2022:" "${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022.json "${SIGMA}"/.github/workflows/known-FPs.csv echo
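Review bot: in the new Windows 11 2023 block of tests/check-baseline-local.sh, a failed `wget --quiet` or `tar xzf` is not checked, so the checker then runs against a missing `Logs_Win11_2023/` directory and either errors out or writes an empty findings file that the summary at the bottom prints as a clean baseline; chain the commands with `&&` (or `set -e` inside the subshell) so a download failure is visible. The same block pulls `releases/latest/download/win11-client-2023.tgz` while goodlog-tests.yml pins `EVTX_BASELINE_VERSION: v0.8`, so the local script and CI can test different baselines and the local run breaks as soon as a future release renames an archive; reuse the pinned version. Finally, the hand-maintained `sleep 40` / `sleep 50` stagger had to shift the Azure block for this addition and will shift again for the next one; a loop over a `(name archive dir)` table with `sleep $((i*10))` removes that maintenance step.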