diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
new file mode 100644
index 00000000000..4359db96e25
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
@@ -0,0 +1,25 @@
+title: Data Exfiltration with Wget
+id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
+description: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/11/18
+references:
+ - https://attack.mitre.org/tactics/TA0010/
+ - https://linux.die.net/man/1/wget
+ - https://gtfobins.github.io/gtfobins/wget/
+logsource:
+ product: linux
+ service: auditd
+detection:
+ wget:
+ type: EXECVE
+ a0: wget
+ a1|startswith: '--post-file='
+ condition: wget
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+falsepositives:
+ - legitimate usage of wget utility to post a file
+level: medium
\ No newline at end of file
diff --git a/rules/linux/builtin/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
index 599f6b0627d..b5234445d0a 100644
--- a/rules/linux/builtin/lnx_susp_jexboss.yml
+++ b/rules/linux/builtin/lnx_susp_jexboss.yml
@@ -1,6 +1,7 @@
 title: JexBoss Command Sequence
 id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 description: Detects suspicious command sequence that JexBoss
+status: experimental
 author: Florian Roth
 date: 2017/08/24
 references:
diff --git a/rules/linux/process_creation/lnx_install_root_certificate.yml b/rules/linux/process_creation/lnx_install_root_certificate.yml
index b1a9f61ee7e..12af5d3d376 100644
--- a/rules/linux/process_creation/lnx_install_root_certificate.yml
+++ b/rules/linux/process_creation/lnx_install_root_certificate.yml
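Review bot: The selection `a0: wget` with `a1|startswith: '--post-file='` fires only when argv[0] is literally `wget` and the file name is glued to the option with `=`; an invocation by absolute path (`/usr/bin/wget`) or with the file as the next word (`--post-file /etc/shadow`, which GNU-style long-option parsing accepts) leaves the rule silent. Loosening the two matchers to `a0|endswith: 'wget'` and `a1|startswith: '--post-file'` covers both forms at no extra log cost. The description motivates the rule with a misconfigured sudo entry, yet the selection never looks at a `sudo` EXECVE record; if the expectation is that the child exec of wget is what fires, that assumption is worth one sentence in the description. The file also ends without a trailing newline, unlike the other new rule in this commit.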
@@ -1,6 +1,7 @@
 title: Install Root Certificate
 id: 78a80655-a51e-4669-bc6b-e9d206a462ee
 description: Detects installed new certificate
+status: experimental
 author: Ömer Günal, oscd.community
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
diff --git a/rules/linux/process_creation/lnx_webshell_detection.yml b/rules/linux/process_creation/lnx_webshell_detection.yml
index 21861818b75..dcef68df3d4 100644
--- a/rules/linux/process_creation/lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/lnx_webshell_detection.yml
@@ -14,12 +14,6 @@ logsource:
 product: linux
 category: process_creation
 detection:
- selection_sub_processes:
- Image|endswith:
- - '/whoami'
- - '/ifconfig'
- - '/usr/bin/ip'
- - '/bin/uname'
 selection_general:
 ParentImage|endswith:
 - '/httpd'
@@ -35,6 +29,12 @@ detection:
 ParentCommandLine|contains|all:
 - '/bin/java'
 - 'websphere'
+ selection_sub_processes:
+ Image|endswith:
+ - '/whoami'
+ - '/ifconfig'
+ - '/usr/bin/ip'
+ - '/bin/uname'
 condition: selection_sub_processes and ( selection_general or selection_tomcat )
 falsepositives:
 - Web applications that invoke Linux command line tools
diff --git a/rules/network/net_apt_equationgroup_c2.yml b/rules/network/net_apt_equationgroup_c2.yml
index c32e4df05a1..ebd6b608550 100755
--- a/rules/network/net_apt_equationgroup_c2.yml
+++ b/rules/network/net_apt_equationgroup_c2.yml
@@ -1,6 +1,7 @@
 title: Equation Group C2 Communication
 id: 881834a4-6659-4773-821e-1c151789d873
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
+status: experimental
 author: Florian Roth
 date: 2017/04/15
 references:
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index bc4acfcbfc8..0cba260b8c2 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml @@ -1,6 +1,7 @@ title: MITRE BZAR Indicators for Execution id: b640c0b8-87f8-4daa-aef8-95a24261dd1d description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE' +status: experimental author: '@neu5ron, SOC Prime' date: 2020/03/19 references: diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml index ed57aacac62..0fd11985f33 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml @@ -1,6 +1,7 @@ title: MITRE BZAR Indicators for Persistence id: 53389db6-ba46-48e3-a94c-e0f2cefe1583 description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.' +status: experimental author: '@neu5ron, SOC Prime' date: 2020/03/19 references: diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index 52cae554819..82bcef0f3a9 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -5,6 +5,7 @@ description: | The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +status: experimental author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 references: 
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index c4ee427d6a3..59b8daad8fa 100644
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -1,6 +1,7 @@
 title: SMB Spoolss Name Piped Usage
 id: bae2865c-5565-470d-b505-9496c87d0c30
 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
+status: experimental
 author: OTR (Open Threat Research), @neu5ron
 references:
 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index ed328eebfba..c637031d1dd 100644
--- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -1,6 +1,7 @@
 title: Default Cobalt Strike Certificate
 id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
+status: experimental
 author: Bhabesh Raj
 date: 2021/06/23
 modified: 2021/08/24
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 7ca14a4f761..ec347448f46 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -1,6 +1,7 @@
 title: DNS Events Related To Mining Pools
 id: bf74135c-18e8-4a72-a926-0e4f47888c19
 description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
+status: experimental
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
 date: 2021/08/19
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index 0b20b2bcec3..06b8a580175 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -1,6 +1,7 @@
 title: Suspicious DNS Z Flag Bit Set
 id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
 description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
+status: experimental
 date: 2021/05/04
 modified: 2021/05/24
 references:
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index e073a15eccb..7c6018e8d0a 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -1,6 +1,7 @@
 title: DNS TOR Proxies
 id: a8322756-015c-42e7-afb1-436e85ed3ff5
 description: Identifies IPs performing DNS lookups associated with common Tor proxies.
+status: experimental
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
 date: 2021/08/15
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 3c7d4a6ca78..cd6236b4582 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -1,6 +1,7 @@
 title: Remote Task Creation via ATSVC Named Pipe - Zeek
 id: dde85b37-40cd-4a94-b00c-0b8794f956b5
 description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
+status: experimental
 author: 'Samir Bousseaden, @neu5rn'
 date: 2020/04/03
 references:
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 44d812ee7b0..ad1cf11d452 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -1,6 +1,7 @@
 title: Possible Impacket SecretDump Remote Activity - Zeek
 id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
 description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
+status: experimental
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/03/19
 references:
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
index fa4a6fbd22f..59ab04cefb9 100644
--- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -1,6 +1,7 @@
 title: First Time Seen Remote Named Pipe - Zeek
 id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
 description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
+status: experimental
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
 references:
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 34da2addf87..cfa97b269cf 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -1,6 +1,7 @@
 title: Suspicious PsExec Execution - Zeek
 id: f1b3a22a-45e6-4004-afb5-4291f9c21166
 description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
+status: experimental
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
 references:
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index 5604b7171e4..f75bbce687b 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -1,6 +1,7 @@
 title: Suspicious Access to Sensitive File Extensions - Zeek
 id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
 description: Detects known sensitive file extensions via Zeek
+status: experimental
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
 references:
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index f0584e1a280..0bad3e2ec06 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -1,6 +1,7 @@
 title: Apache Segmentation Fault
 id: 1da8ce0b-855d-4004-8860-7d64d42063b1
 description: Detects a segmentation fault error message caused by a creashing apache worker process
+status: experimental
 author: Florian Roth
 date: 2017/02/28
 modified: 2020/09/03
diff --git a/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml b/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml
new file mode 100644
index 00000000000..d79c84d006f
--- /dev/null
+++ b/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml
@@ -0,0 +1,23 @@
+title: Sitecore Pre-Auth RCE CVE-2021-42237
+id: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f
+status: experimental
+description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
+author: Florian Roth
+date: 2021/11/17
+references:
+ - https://blog.assetnote.io/2021/11/02/sitecore-rce/
+ - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'
+ sc-status: 200
+ condition: selection
+falsepositives:
+ - Vulnerability Scanning/Pentesting
+level: high
diff --git a/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml b/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
index 0e2c025180a..9e46daa39c8 100644
--- a/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
+++ b/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
@@ -1,5 +1,6 @@
 title: Fortinet CVE-2018-13379 Exploitation
 description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
+status: experimental
 id: a2e97350-4285-43f2-a63f-d0daff291738
 references:
 - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
diff --git a/rules/web/web_nginx_core_dump.yml b/rules/web/web_nginx_core_dump.yml
index ffc11bdf122..90dbfc9605a 100644
--- a/rules/web/web_nginx_core_dump.yml
+++ b/rules/web/web_nginx_core_dump.yml
@@ -1,6 +1,7 @@
 title: Nginx Core Dump
 id: 59ec40bb-322e-40ab-808d-84fa690d7e56
 description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
+status: experimental
 author: Florian Roth
 date: 2021/05/31
 references:
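Review bot: `sc-status: 200` limits the new Sitecore rule to requests the server answered successfully, so a blocked or failed attempt against `Report.ashx` (403, 404, 500) never fires even though the title and description speak of exploitation attempts. Either the description should say that the rule flags likely successful exploitation, or the status constraint should be dropped and the `level` reconsidered for the extra noise. As a point of style, this file places `status` before `description`, while the other new rule in this commit puts it after `author` and every `+status: experimental` hunk on existing files puts it directly after `description`; one ordering across the tree keeps the metadata easier to lint.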
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 8094f413cf0..3aac7b53b4b 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -1,6 +1,7 @@
 title: Enabled User Right in AD to Control User Objects
 id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
+status: experimental
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index ae751a6f852..a5b473bfb28 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -1,6 +1,7 @@
 title: Active Directory User Backdoors
 id: 300bac00-e041-4ee2-9c36-e262656a6ecc
 description: Detects scenarios where one can control another users or computers account without having to use their credentials.
+status: experimental
 references:
 - https://msdn.microsoft.com/en-us/library/cc220234.aspx
 - https://adsecurity.org/?p=3466
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index b1728cb41c0..4ec2fce0f78 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,6 +1,7 @@
 title: Weak Encryption Enabled and Kerberoast
 id: f6de9536-0441-4b3f-a646-f4e00f300ffd
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
+status: experimental
 references:
 - https://adsecurity.org/?p=2053
 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 522a9f0a88b..8e23f86f3bd 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -1,6 +1,7 @@
 title: Mimikatz Use
 id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
+status: experimental
 author: Florian Roth
 date: 2017/01/10
 modified: 2021/08/26
diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/win_alert_ruler.yml
index 4702434c2b9..071c5770577 100644
--- a/rules/windows/builtin/win_alert_ruler.yml
+++ b/rules/windows/builtin/win_alert_ruler.yml
@@ -1,6 +1,7 @@
 title: Hacktool Ruler
 id: 24549159-ac1b-479c-8175-d42aea947cae
 description: This events that are generated when using the hacktool Ruler by Sensepost
+status: experimental
 author: Florian Roth
 date: 2017/05/31
 modified: 2021/08/09
diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/win_apt_carbonpaper_turla.yml
index b82692a58ab..3817449da75 100755
--- a/rules/windows/builtin/win_apt_carbonpaper_turla.yml
+++ b/rules/windows/builtin/win_apt_carbonpaper_turla.yml
@@ -1,6 +1,7 @@
 title: Turla Service Install
 id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
 description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
+status: experimental
 references:
 - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 tags:
diff --git a/rules/windows/builtin/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/win_apt_chafer_mar18_security.yml
index 370db0c542c..b1b621bcfb6 100644
--- a/rules/windows/builtin/win_apt_chafer_mar18_security.yml
+++ b/rules/windows/builtin/win_apt_chafer_mar18_security.yml
@@ -4,6 +4,7 @@ related:
 - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
 type: derived
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
+status: experimental
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
diff --git a/rules/windows/builtin/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/win_apt_chafer_mar18_system.yml
index c17e00d08b2..8eb58c4b5b2 100644
--- a/rules/windows/builtin/win_apt_chafer_mar18_system.yml
+++ b/rules/windows/builtin/win_apt_chafer_mar18_system.yml
@@ -1,6 +1,7 @@
 title: Chafer Activity
 id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
+status: experimental
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
diff --git a/rules/windows/builtin/win_apt_gallium.yml b/rules/windows/builtin/win_apt_gallium.yml
index 06c9a76d3a4..810af5f569e 100644
--- a/rules/windows/builtin/win_apt_gallium.yml
+++ b/rules/windows/builtin/win_apt_gallium.yml
@@ -14,6 +14,7 @@ references:
 tags:
 - attack.credential_access
 - attack.command_and_control
+ - attack.t1071
 logsource:
 product: windows
 service: dns-server
diff --git a/rules/windows/builtin/win_apt_slingshot.yml b/rules/windows/builtin/win_apt_slingshot.yml
index 520aa2e2300..4345b4aa26c 100644
--- a/rules/windows/builtin/win_apt_slingshot.yml
+++ b/rules/windows/builtin/win_apt_slingshot.yml
@@ -4,6 +4,7 @@ related:
 - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 type: derived
 description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
+status: experimental
 author: Florian Roth, Bartlomiej Czyz (@bczyz1)
 date: 2019/03/04
 modified: 2021/09/19
@@ -11,6 +12,7 @@ references:
 - https://securelist.com/apt-slingshot/84312/
 tags:
 - attack.persistence
+ - attack.t1053
 - attack.s0111
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml
index 1d61e8bfeb1..f0a829606fb 100755
--- a/rules/windows/builtin/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/win_apt_stonedrill.yml
@@ -1,6 +1,7 @@
 title: StoneDrill Service Install
 id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
 description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
+status: experimental
 author: Florian Roth
 date: 2017/03/07
 references:
diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/win_apt_turla_service_png.yml
index c5207982920..f8a5038a14c 100644
--- a/rules/windows/builtin/win_apt_turla_service_png.yml
+++ b/rules/windows/builtin/win_apt_turla_service_png.yml
@@ -1,6 +1,7 @@
 title: Turla PNG Dropper Service
 id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
 description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
+status: experimental
 references:
 - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
 author: Florian Roth
diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
index 8ba7965c48d..086feb2b25e 100644
--- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -1,6 +1,7 @@
 title: Arbitrary Shell Command Execution Via Settingcontent-Ms
 id: 24de4f3b-804c-4165-b442-5a06a2302c7e
 description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
+status: experimental
 author: Sreeman
 date: 2020/03/13
 modified: 2021/08/09
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index c0f68564f6a..b9d3949011a 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -1,6 +1,7 @@
 title: Remote Task Creation via ATSVC Named Pipe
 id: f6de6525-4509-495a-8a82-1f8b0ed73a00
 description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 references:
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
index da2e8dce957..a7a05dbb716 100644
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@@ -1,9 +1,10 @@
 title: Relevant Anti-Virus Event
 id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
 description: This detection method points out highly relevant Antivirus events
+status: experimental
 author: Florian Roth
 date: 2017/02/19
-modified: 2021/07/28
+modified: 2021/11/20
 logsource:
 product: windows
 service: application
@@ -32,6 +33,7 @@ detection:
 filter:
 - "Keygen"
 - "Crack"
+ - "wincredui"
 condition: keywords and not filter
 falsepositives:
 - Some software piracy tools (key generators, cracks) are classified as hack tools
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
index 6dbf836f015..3e43af17a1f 100644
--- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml
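Review bot: The new `- "wincredui"` entry in `filter` of win_av_relevant_match.yml is an unanchored keyword, so any Application-log antivirus event whose text contains that substring is suppressed regardless of which `keywords` term matched it, and nothing in the hunk records which product or signature produced the false positive that motivated the exclusion. A trailing comment on the new line, e.g. `- "wincredui"  # FP: <product/signature that flagged it — fill in>`, would let a maintainer judge later whether the exclusion is still warranted or can be narrowed. The `keywords` list this filter is subtracted from lies outside the hunk, so the breadth of what is being silenced cannot be judged from the diff alone.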
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
@@ -1,6 +1,7 @@
 title: CobaltStrike Service Installations
 id: 5a105d34-05fc-401e-8553-272b45c1522d
 description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
+status: experimental
 author: Florian Roth, Wojciech Lesicki
 references:
 - https://www.sans.org/webcasts/119395
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index e1ea29ef173..bad6fabb151 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -1,6 +1,7 @@
 title: Disabling Windows Event Auditing
 id: 69aeb277-f15f-4d2d-b32a-55e883609563
 description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
+status: experimental
 references:
 - https://bit.ly/WinLogsZero2Hero
 tags:
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
index 72ac6b83888..90bdfa6c084 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
@@ -12,6 +12,7 @@ date: 2021/06/30
 modified: 2021/07/08
 tags:
 - attack.execution
+ - attack.t1569
 - cve.2021.1675
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
index 823418501f0..b10629f3ced 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -9,6 +9,7 @@ references:
 date: 2021/07/01
 tags:
 - attack.execution
+ - attack.t1569
 - cve.2021.1675
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
index 902544f908e..0820f80fb92 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -9,6 +9,7 @@ references:
 date: 2021/07/02
 tags:
 - attack.execution
+ - attack.t1569
 - cve.2021.1675
 - cve.2021.34527
 logsource:
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
index c87885a4335..5bd709c7d7a 100644
--- a/rules/windows/builtin/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -1,5 +1,6 @@
 title: Enumeration via the Global Catalog
 description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.
+status: experimental
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 id: 619b020f-0fd7-4f23-87db-3f51ef837a34
 date: 2020/05/11
diff --git a/rules/windows/builtin/win_gpo_scheduledtasks.yml b/rules/windows/builtin/win_gpo_scheduledtasks.yml
index 669bcdaa58e..7bfc0539a49 100644
--- a/rules/windows/builtin/win_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/win_gpo_scheduledtasks.yml
@@ -1,6 +1,7 @@
 title: Persistence and Execution at Scale via GPO Scheduled Task
 id: a8f29a7b-b137-4446-80a0-b804272f3da2
 description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 references:
diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml
index 9a1d9139f93..17666ce7436 100644
--- a/rules/windows/builtin/win_hack_smbexec.yml
+++ b/rules/windows/builtin/win_hack_smbexec.yml
@@ -1,6 +1,7 @@
 title: smbexec.py Service Installation
 id: 52a85084-6989-40c3-8f32-091e12e13f09
 description: Detects the use of smbexec.py tool by detecting a specific service installation
+status: experimental
 author: Omer Faruk Celik
 date: 2018/03/20
 modified: 2020/08/23
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
index 151ec7dde5d..7b2b0166dbf 100644
--- a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
@@ -7,6 +7,7 @@ modified: 2021/08/09
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.persistence
+ - attack.t1554
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
index de445a56abf..12ed9a6da88 100644
--- a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -6,6 +6,7 @@ date: 2021/04/12
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.persistence
+ - attack.t1554
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
diff --git a/rules/windows/builtin/win_impacket_psexec.yml b/rules/windows/builtin/win_impacket_psexec.yml
index bee036f2009..e8549aa8227 100644
--- a/rules/windows/builtin/win_impacket_psexec.yml
+++ b/rules/windows/builtin/win_impacket_psexec.yml
@@ -1,6 +1,7 @@
 title: Impacket PsExec Execution
 id: 32d56ea1-417f-44ff-822b-882873f5f43b
 description: Detects execution of Impacket's psexec.py.
+status: experimental
 author: Bhabesh Raj
 date: 2020/12/14
 references:
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
index 7706d4ee147..5117535db68 100644
--- a/rules/windows/builtin/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -1,6 +1,7 @@
 title: Possible Impacket SecretDump Remote Activity
 id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
 description: Detect AD credential dumping using impacket secretdump HKTL
+status: experimental
 author: Samir Bousseaden, wagga
 date: 2019/04/03
 modified: 2021/06/27
diff --git a/rules/windows/builtin/win_iso_mount.yml b/rules/windows/builtin/win_iso_mount.yml
index 40796d9e7bd..1e9b3836f77 100644
--- a/rules/windows/builtin/win_iso_mount.yml
+++ b/rules/windows/builtin/win_iso_mount.yml
@@ -3,6 +3,7 @@ id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
 description: Detects the mount of ISO images on an endpoint
 status: experimental
 date: 2021/05/29
+modified: 2021/11/20
 author: Syed Hasan (@syedhasan009)
 references:
 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
@@ -21,7 +22,9 @@ detection:
 ObjectServer: 'Security'
 ObjectType: 'File'
 ObjectName: '\Device\CdRom*'
- condition: selection
+ filter:
+ ObjectName: '\Device\CdRom0\setup.exe'
+ condition: selection and not filter
 falsepositives:
 - Software installation ISO files
 level: medium
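Review bot: The new `filter:` in win_iso_mount.yml exempts on `ObjectName: '\Device\CdRom0\setup.exe'`, i.e. on a file name and drive index only, which creates a blind spot for exactly the ISO-delivered-executable case the referenced Trend Micro write-up describes (the image author controls the file name inside it), while the same installer mounted as `\Device\CdRom1\...` still alerts, so the exclusion is both too broad and inconsistent. If the intent is to quiet a specific installer, key the exclusion on the accessing process or account instead (4663 records carry a process name field, if your pipeline maps it) or on the full path of a known package, and record the suppressed case under `falsepositives:`, which still says only "Software installation ISO files". The `modified:` bump is fine, but the description should mention the exclusion so downstream consumers know the rule no longer fires on that path.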
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index 8cf5bd1fef1..df3a8718198 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -1,6 +1,7 @@
 title: First Time Seen Remote Named Pipe
 id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
 description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 references:
diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml
index e7dd86a02eb..b2a16a3afcf 100644
--- a/rules/windows/builtin/win_mal_creddumper.yml
+++ b/rules/windows/builtin/win_mal_creddumper.yml
@@ -1,6 +1,7 @@
 title: Credential Dumping Tools Service Execution
 id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 description: Detects well-known credential dumping tools execution via service execution events
+status: experimental
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml
index d2b256786f7..7e66523c304 100644
--- a/rules/windows/builtin/win_metasploit_authentication.yml
+++ b/rules/windows/builtin/win_metasploit_authentication.yml
@@ -1,5 +1,6 @@
 title: Metasploit SMB Authentication
 description: Alerts on Metasploit host's authentications on the domain.
+status: experimental
 id: 72124974-a68b-4366-b990-d30e0b2a190d
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 date: 2020/05/06
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 3ce6bc05d36..cc967c73ce6 100644
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -1,6 +1,7 @@
 title: Meterpreter or Cobalt Strike Getsystem Service Installation
 id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
+status: experimental
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml
index 190dc1057a2..a25b0ce0c4d 100644
--- a/rules/windows/builtin/win_mmc20_lateral_movement.yml
+++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml
@@ -1,6 +1,7 @@
 title: MMC20 Lateral Movement
 id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
 description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+status: experimental
 author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
 date: 2020/03/04
 modified: 2020/08/23
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index e0d1ad8d748..5fc1af96f9a 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -4,6 +4,7 @@ related:
 - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
 type: derived
 description: Detects NetNTLM downgrade attack
+status: experimental
 references:
 - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth, wagga
diff --git a/rules/windows/builtin/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/win_ntfs_vuln_exploit.yml
index 060a8262c29..ae03199f20b 100644
--- a/rules/windows/builtin/win_ntfs_vuln_exploit.yml
+++ b/rules/windows/builtin/win_ntfs_vuln_exploit.yml
@@ -1,8 +1,10 @@
 title: NTFS Vulnerability Exploitation
 id: f14719ce-d3ab-4e25-9ce6-2899092260b0
 description: This the exploitation of a NTFS vulnerability as reported without many details via Twitter
+status: experimental
 author: Florian Roth
 date: 2021/01/11
+modified: 2021/11/17
 references:
 - https://twitter.com/jonasLyk/status/1347900440000811010
 - https://twitter.com/wdormann/status/1347958161609809921
@@ -11,6 +13,7 @@ logsource:
 service: system
 detection:
 selection:
+ Provider_Name: Ntfs
 EventID: 55
 Origin: 'File System Driver'
 Description|contains|all:
diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/win_petitpotam_network_share.yml
index ca5ff7c2447..f6966cf1022 100644
--- a/rules/windows/builtin/win_petitpotam_network_share.yml
+++ b/rules/windows/builtin/win_petitpotam_network_share.yml
@@ -1,6 +1,7 @@
 title: Possible PetitPotam Coerce Authentication Attempt
 id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
 description: Detect PetitPotam coerced authentication activity.
+status: experimental
 author: Mauricio Velazco, Michael Haag
 date: 2021/09/02
 references:
diff --git a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
index 0ae4cb94b63..7898c30c01a 100644
--- a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
+++ b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
@@ -7,6 +7,7 @@ description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a
 like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
+status: experimental
 author: Mauricio Velazco, Michael Haag
 date: 2021/09/02
 modified: 2021/09/07
diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
index 49ec4613637..b19f45340ab 100644
--- a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
@@ -1,6 +1,7 @@
 title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
 id: 8400629e-79a9-4737-b387-5db940ab2367
 description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
+status: experimental
 references:
 - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
 - https://github.com/zerosum0x0/CVE-2019-0708
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml
index e83eeec7e9f..90139b0700d 100644
--- a/rules/windows/builtin/win_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/win_scm_database_handle_failure.yml
@@ -9,6 +9,7 @@ references:
 - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
 tags:
 - attack.discovery
+ - attack.t1010
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml
index 859a9d20802..4aa03bf6f5e 100644
--- a/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml
@@ -4,6 +4,7 @@ related:
 - id: 5a105d34-05fc-401e-8553-272b45c1522d
 type: derived
 description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
+status: experimental
 author: Florian Roth, Wojciech Lesicki
 references:
 - https://www.sans.org/webcasts/119395
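Review bot: `- attack.t1010` added to win_scm_database_handle_failure.yml looks like a mis-mapping: T1010 is Application Window Discovery, whereas a rule on failed handles to the Service Control Manager database reads as service enumeration, which ATT&CK files under T1007 (System Service Discovery). Unless the referenced playbook notebook says otherwise, the tag should presumably be `- attack.t1007`; downstream tooling groups rules by these tags, so a wrong technique id misfiles the rule in coverage maps.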
diff --git a/rules/windows/builtin/win_security_mal_creddumper.yml b/rules/windows/builtin/win_security_mal_creddumper.yml
index d6d823e61a0..d311d40f970 100644
--- a/rules/windows/builtin/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/win_security_mal_creddumper.yml
@@ -4,6 +4,7 @@ related:
 - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 type: derived
 description: Detects well-known credential dumping tools execution via service execution events
+status: experimental
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_security_mal_service_installs.yml b/rules/windows/builtin/win_security_mal_service_installs.yml
index 9071ed8d30e..3f798a69289 100644
--- a/rules/windows/builtin/win_security_mal_service_installs.yml
+++ b/rules/windows/builtin/win_security_mal_service_installs.yml
@@ -4,6 +4,7 @@ related:
 - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
 type: derived
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
+status: experimental
 author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
index e76b4c2eb89..e73ae86d4df 100644
--- a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -4,6 +4,7 @@ related:
 - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
 type: derived
 description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
+status: experimental
 author: Bartlomiej Czyz, Relativity
 date: 2021/01/21
 modified: 2021/07/23
diff --git a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 6fd722d3e5c..17df9ffedba 100644
--- a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -4,6 +4,7 @@ related:
 - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
 type: derived
 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
+status: experimental
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_susp_add_domain_trust.yml b/rules/windows/builtin/win_susp_add_domain_trust.yml
index 4a2115b0e7f..fdf8a276864 100644
--- a/rules/windows/builtin/win_susp_add_domain_trust.yml
+++ b/rules/windows/builtin/win_susp_add_domain_trust.yml
@@ -6,6 +6,7 @@ author: Thomas Patzke
 date: 2019/12/03
 tags:
 - attack.persistence
+ - attack.t1098
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 17d5e4b9654..310044b97bb 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -4,6 +4,7 @@ related:
 - id: f2f01843-e7b8-4f95-a35a-d23584476423
 type: obsoletes
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
+status: experimental
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
index c5b66905d4c..7bb60a5bdc7 100644
--- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
@@ -2,6 +2,7 @@ title: Account Tampering - Suspicious Failed Logon Reasons
 id: 9eb99343-d336-4020-a3cd-67f3819e68ee
 description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
+status: experimental
 author: Florian Roth
 date: 2017/02/19
 modified: 2021/10/29
diff --git a/rules/windows/builtin/win_susp_failed_logon_source.yml b/rules/windows/builtin/win_susp_failed_logon_source.yml
index f522ea5eddd..05d2a5b6d4e 100644
--- a/rules/windows/builtin/win_susp_failed_logon_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_source.yml
@@ -1,6 +1,7 @@
 title: Failed Logon From Public IP
 id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
 description: A login from a public IP can indicate a misconfigured firewall or network boundary.
+status: experimental
 author: NVISO
 date: 2020/05/06
 tags:
diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
index 95efe7d803b..8a9e41c6791 100644
--- a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
@@ -1,6 +1,7 @@
 title: Multiple Users Attempting To Authenticate Using Explicit Credentials
 id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
 description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
+status: experimental
 author: Mauricio Velazco
 date: 2021/06/01
 modified: 2021/08/09
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
index f6f8ce856d1..79360110034 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_process.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
@@ -1,6 +1,7 @@
 title: Multiple Users Failing to Authenticate from Single Process
 id: fe563ab6-ded4-4916-b49f-a3a8445fe280
 description: Detects failed logins with multiple accounts from a single process on the system.
+status: experimental
 author: Mauricio Velazco
 date: 2021/06/01
 modified: 2021/07/07
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index e3e971c537c..3070617f240 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -1,6 +1,7 @@
 title: Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 description: Detects suspicious failed logins with different user accounts from a single source system
+status: experimental
 author: Florian Roth
 date: 2017/01/10
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source2.yml
index 9a85a45b38a..2ecadc8de15 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source2.yml
@@ -4,6 +4,7 @@ related:
 - id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 type: derived
 description: Detects suspicious failed logins with different user accounts from a single source system
+status: experimental
 author: Florian Roth
 date: 2017/01/10
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
index 71c939ef058..6f196b4bd4e 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
@@ -1,6 +1,7 @@
 title: Valid Users Failing to Authenticate From Single Source Using Kerberos
 id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
+status: experimental
 author: Mauricio Velazco, frack113
 date: 2021/06/01
 modified: 2021/07/06
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
index 1d45f289e9a..514d19b8a7b 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -1,6 +1,7 @@
 title: Disabled Users Failing To Authenticate From Source Using Kerberos
 id: 4b6fe998-b69c-46d8-901b-13677c9fb663
 description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
+status: experimental
 author: Mauricio Velazco, frack113
 date: 2021/06/01
 modified: 2021/07/06
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
index 98f6e1d7cab..c291444a93d 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
@@ -1,6 +1,7 @@
 title: Invalid Users Failing To Authenticate From Source Using Kerberos
 id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
+status: experimental
 author: Mauricio Velazco, frack113
 date: 2021/06/01
 modified: 2021/07/06
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
index 7932c0fecd5..f7cde74cc23 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -1,6 +1,7 @@
 title: Valid Users Failing to Authenticate from Single Source Using NTLM
 id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
 description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
+status: experimental
 author: Mauricio Velazco
 date: 2021/06/01
 modified: 2021/07/07
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
index 05f5742a13c..7ccd33f7cf3 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
@@ -1,6 +1,7 @@
 title: Invalid Users Failing To Authenticate From Single Source Using NTLM
 id: 56d62ef8-3462-4890-9859-7b41e541f8d5
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
+status: experimental
 author: Mauricio Velazco
 date: 2021/06/01
 modified: 2021/07/07
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
index c7905c43bc1..960b853af57 100644
--- a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
@@ -1,6 +1,7 @@
 title: Multiple Users Remotely Failing To Authenticate From Single Source
 id: add2ef8d-dc91-4002-9e7e-f2702369f53a
 description: Detects a source system failing to authenticate against a remote host with multiple users.
+status: experimental
 author: Mauricio Velazco
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
diff --git a/rules/windows/builtin/win_susp_interactive_logons.yml b/rules/windows/builtin/win_susp_interactive_logons.yml
index ef684633d21..b3238bfb3ab 100644
--- a/rules/windows/builtin/win_susp_interactive_logons.yml
+++ b/rules/windows/builtin/win_susp_interactive_logons.yml
@@ -1,6 +1,7 @@
 title: Interactive Logon to Server Systems
 id: 3ff152b2-1388-4984-9cd9-a323323fdadf
 description: Detects interactive console logons to Server Systems
+status: experimental
 author: Florian Roth
 date: 2017/03/17
 tags:
diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml
index 0edd7c6795c..dcca0e261cb 100644
--- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml
+++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml
@@ -1,6 +1,7 @@
 title: Kerberos Manipulation
 id: f7644214-0eb0-4ace-9455-331ec4c09253
 description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
+status: experimental
 author: Florian Roth
 date: 2017/02/10
 tags:
diff --git a/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml
index 6304043ad8f..0bc1a547ab9 100644
--- a/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml
+++ b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml
@@ -1,7 +1,7 @@
 title: Suspicious Multiple File Rename Or Delete Occurred
 id: 97919310-06a7-482c-9639-92b67ed63cf8
-status: experimental
 description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
+status: experimental
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml
index e67638118f3..aa59623eb65 100644
--- a/rules/windows/builtin/win_susp_proceshacker.yml
+++ b/rules/windows/builtin/win_susp_proceshacker.yml
@@ -1,6 +1,7 @@
 title: ProcessHacker Privilege Elevation
 id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
 description: Detects a ProcessHacker tool that elevated privileges to a very high level
+status: experimental
 references:
 - https://twitter.com/1kwpeter/status/1397816101455765504
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index f64f235f7c3..f82a1ee68ce 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -1,6 +1,7 @@
 title: Suspicious PsExec Execution
 id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
 description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 references:
diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
index cb04f62af2b..61b204cabda 100644
--- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
@@ -1,6 +1,7 @@
 title: Suspicious Access to Sensitive File Extensions
 id: 91c945bc-2ad1-4799-a591-4d00198a1215
 description: Detects known sensitive file extensions accessed on a network share
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 modified: 2021/08/09
diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/win_susp_samr_pwset.yml
index e1b6cc39ed1..0eeed1c103f 100644
--- a/rules/windows/builtin/win_susp_samr_pwset.yml
+++ b/rules/windows/builtin/win_susp_samr_pwset.yml
@@ -2,6 +2,7 @@ title: Possible Remote Password Change Through SAMR
 id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951
 description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
+status: experimental
 author: Dimitrios Slamaris
 date: 2017/06/09
 tags:
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index be19e9ffbcd..9ca27223a2c 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -1,6 +1,7 @@
 title: Remote Service Activity via SVCCTL Named Pipe
 id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
 description: Detects remote service activity via remote access to the svcctl named pipe
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 references:
diff --git a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml
index be029b51aa4..e5be5a61d4b 100644
--- a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml
@@ -6,6 +6,7 @@ related: - id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 type: derived description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution +status: experimental references: - https://twitter.com/deviouspolack/status/832535435960209408 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml index 693ad831f72..b611a04cdfc 100644 --- a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml @@ -1,6 +1,7 @@ title: Transferring Files with Credential Data via Network Shares id: 910ab938-668b-401b-b08c-b596e80fdca5 description: Transferring files with well-known filenames (sensitive files with credential data) using network shares +status: experimental author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 references: @@ -30,4 +31,3 @@ detection: falsepositives: - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium -status: experimental diff --git a/rules/windows/builtin/win_vul_cve_2020_1472.yml b/rules/windows/builtin/win_vul_cve_2020_1472.yml index 7210bd7edf2..bff52b97edf 100644 --- a/rules/windows/builtin/win_vul_cve_2020_1472.yml +++ b/rules/windows/builtin/win_vul_cve_2020_1472.yml @@ -9,6 +9,7 @@ date: 2020/09/15 modified: 2021/08/09 tags: - attack.privilege_escalation + - attack.t1548 logsource: product: windows service: system diff --git a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml index 92242bd3817..801cf3167d6 100644 --- a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml 
+++ b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
@@ -13,7 +13,7 @@ tags:
 - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
-modified: 2021/06/21
+modified: 2021/11/17
 logsource:
 product: windows
 category: process_access
@@ -23,7 +23,10 @@ detection:
 GrantedAccess:
 - '0x1410'
 - '0x1010'
- condition: selection
+ filter:
+ SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+ SourceImage|endswith: '\GamingServices.exe'
+ condition: selection and not filter
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
index cd02807d267..fd8ae4cfef3 100644
--- a/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
+++ b/rules/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
@@ -7,6 +7,7 @@ modified: 2021/06/10
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.persistence
+ - attack.t1554
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml
index 3803a731376..2817cc60043 100644
--- a/rules/windows/driver_load/driver_load_mal_creddumper.yml
+++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml
@@ -4,6 +4,7 @@ related:
 - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 type: derived
 description: Detects well-known credential dumping tools execution via service execution events
+status: experimental
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2021/11/10
diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index b45519cbe39..9593302ff13 100644
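Review bot: The new `filter` exempts GamingServices.exe under WindowsApps for every GrantedAccess value, whereas the selection visible here only lists 0x1410/0x1010 and the exclusion keys on SourceImage path and name alone; constraining the filter to the access mask actually seen in the false positive, e.g. adding `GrantedAccess: '0x1410'` to the filter map (constructed — confirm against the FP sample), keeps the fix while a process under that path requesting a different access still alerts. This rule sits under `rules/windows/deprecated/`, so the maintenance may be better spent on the superseding rule — sysmon_cred_dump_lsass_access.yml in this same commit carries a similar GamingServices.exe exclusion, and there it is scoped to 0x1000/0x1410. The selection's remaining GrantedAccess entries start outside this hunk.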
--- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -4,6 +4,7 @@ related: - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 type: derived description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +status: experimental author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 modified: 2021/09/21 diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml index 083b9f7f596..e61045ae8a7 100755 --- a/rules/windows/driver_load/driver_load_susp_temp_use.yml +++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml @@ -1,6 +1,7 @@ title: Suspicious Driver Load from Temp id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 description: Detects a driver load from a temporary directory +status: experimental author: Florian Roth date: 2017/02/12 modified: 2020/08/23 diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml index 1e361bd9b1d..000b6adfab0 100644 --- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml +++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml @@ -1,6 +1,7 @@ title: Vulnerable Dell BIOS Update Driver Load id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 +status: experimental author: Florian Roth date: 2021/05/05 references: @@ -11,6 +12,7 @@ logsource: tags: - attack.privilege_escalation - cve.2021.21551 + - attack.t1543 detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' diff --git a/rules/windows/file_event/file_event_hktl_createminidump.yml b/rules/windows/file_event/file_event_hktl_createminidump.yml index 35b0c8cec5e..1aae4f62eb4 100644 
--- a/rules/windows/file_event/file_event_hktl_createminidump.yml +++ b/rules/windows/file_event/file_event_hktl_createminidump.yml @@ -1,5 +1,6 @@ title: CreateMiniDump Hacktool id: db2110f3-479d-42a6-94fb-d35bc1e46492 +status: deprecated related: - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d type: derived diff --git a/rules/windows/file_event/file_event_lsass_dump.yml b/rules/windows/file_event/file_event_lsass_dump.yml new file mode 100644 index 00000000000..ed105ff68b8 --- /dev/null +++ b/rules/windows/file_event/file_event_lsass_dump.yml @@ -0,0 +1,33 @@ +title: LSASS Process Memory Dump Files +id: a5a2d357-1ab8-4675-a967-ef9990a59391 +related: + - id: db2110f3-479d-42a6-94fb-d35bc1e46492 + type: obsoletes +description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials +status: experimental +author: Florian Roth +references: + - https://www.google.com/search?q=procdump+lsass +date: 2021/11/15 +tags: + - attack.credential_access + - attack.t1003.001 + - attack.t1003 # an old one +logsource: + product: windows + category: file_event +detection: + selection1: + TargetFilename|endswith: + - '\lsass.dmp' + - '\lsass.zip' + - '\lsass.rar' + selection2: + TargetFilename|contains: + - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp + - '\lsassdump' + - '\lsassdmp' + condition: selection1 or selection2 +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/file_event/file_event_susp_task_write.yml b/rules/windows/file_event/file_event_susp_task_write.yml new file mode 100644 index 00000000000..1204a2901de --- /dev/null +++ b/rules/windows/file_event/file_event_susp_task_write.yml 
@@ -0,0 +1,26 @@
+title: Suspicious Scheduled Task Writ to System32 Tasks
+id: 80e1f67a-4596-4351-98f5-a9c3efabac95
+status: experimental
+description:
+references:
+ - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+author: Florian Roth
+date: 2021/11/16
+tags:
+ - attack.persistence
+ - attack.execution
+ - attack.t1053
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: '\Windows\System32\Tasks'
+ Image|contains:
+ - '\AppData\'
+ - 'C:\PerfLogs'
+ - '\Windows\System32\config\systemprofile'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
index 00e042acecc..bb2d14f7009 100644
--- a/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
+++ b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
@@ -1,6 +1,7 @@
 title: RedMimicry Winnti Playbook Dropped File
 id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
 description: Detects actions caused by the RedMimicry Winnti playbook
+status: experimental
 references:
 - https://redmimicry.com
 author: Alexander Rausch
diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml
index 97fa03b0c1a..7cc42eda446 100644
--- a/rules/windows/file_event/sysmon_susp_clr_logs.yml
+++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml
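Review bot: `description:` in the new file_event_susp_task_write.yml is left empty, and the title carries a typo (`Writ to`). The description is what the repository's metadata checks and downstream consumers rely on to explain an alert, so fill it in — something like `description: Detects creation of a scheduled task definition under System32\Tasks by a process running from a user-writable or unusual location such as AppData or PerfLogs` (constructed — adjust to the intended scope) — and correct the title to `title: Suspicious Scheduled Task Write to System32 Tasks`. The `falsepositives: - Unknown` entry could also name the obvious benign case this selection admits (installers that run from AppData and register their own task), since that will be the first tuning question.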
@@ -1,17 +1,23 @@ title: Suspcious CLR Logs Creation id: e4b63079-6198-405c-abd7-3fe8b0ce3263 -description: Detects suspicious .NET assembly executions +description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. references: - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html + - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ + - https://github.com/olafhartong/sysmon-modular/blob/master/11_file_create/include_dotnet.xml date: 2020/10/12 +modified: 2021/11/17 tags: - attack.execution + - attack.defense_evasion - attack.t1059.001 + - attack.t1218 status: experimental -author: omkar72, oscd.community +author: omkar72, oscd.community, Wojciech Lesicki logsource: category: file_event product: windows + definition: Check your sysmon configuration for monitoring UsageLogs folder. In SwiftOnSecurity configuration we have that thanks @SBousseaden detection: selection: TargetFilename|contains|all: @@ -23,7 +29,9 @@ detection: - 'wscript' - 'regsvr32' - 'wmic' + - 'rundll32' + - 'svchost' condition: selection falsepositives: - - Unknown + - https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process level: high diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml index 25264ba5007..47b70d21109 100644 --- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml @@ -13,6 +13,8 @@ modified: 2021/07/01 tags: - attack.execution - attack.privilege_escalation + - attack.resource_development + - attack.t1587 - cve.2021.1675 logsource: category: file_event 
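Review bot: The replacement `falsepositives` entry in the second hunk leads with a twitter URL and then the benign scenario on the same line; a URL is reference material and belongs under `references:`, while the entry itself should just read `- rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process`. The new `definition` line is phrased as a chat message ("thanks @SBousseaden"); rewrite it as a logging requirement, e.g. `definition: Requires Sysmon file-create events for the UsageLogs folder (included in the SwiftOnSecurity configuration)`. The pre-existing typo in the title context line, `Suspcious`, is untouched by this change but worth fixing while the metadata is being revised.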
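Review bot: `attack.resource_development` / `attack.t1587` are added to win_cve_2021_1675_printspooler.yml, a rule that fires on host-side artifacts of exploitation, but T1587 (Develop Capabilities) describes adversary-side preparation that is not observable in victim telemetry, so the tag misdescribes what the rule detects; the same two tags are appended in win_file_winword_cve_2021_40444.yml and sysmon_foggyweb_nobelium.yml further down. Unless there is an intent I am missing, drop the two new lines and keep the existing execution/privilege-escalation tags, or replace them with the technique for the exploitation itself (the privilege-escalation-via-exploit technique already implied by `attack.privilege_escalation`).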
diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml index 1787a6c1a86..3da25ade89d 100644 --- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml +++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml @@ -1,7 +1,7 @@ title: Suspicious Word Cab File Write CVE-2021-40444 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5 -status: experimental description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 +status: experimental references: - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21 @@ -27,3 +27,6 @@ fields: falsepositives: - unknown level: critical +tags: + - attack.resource_development + - attack.t1587 diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml index 806fee1fb62..f6b55d6166e 100644 --- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml +++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml @@ -12,6 +12,7 @@ date: 2019/10/22 modified: 2021/10/04 tags: - attack.command_and_control + - attack.t1071 logsource: category: image_load product: windows diff --git a/rules/windows/image_load/sysmon_foggyweb_nobelium.yml b/rules/windows/image_load/sysmon_foggyweb_nobelium.yml index 81bbdf87c8e..f982cb390dc 100644 --- a/rules/windows/image_load/sysmon_foggyweb_nobelium.yml +++ b/rules/windows/image_load/sysmon_foggyweb_nobelium.yml @@ -16,3 +16,6 @@ detection: falsepositives: - Unlikely level: critical +tags: + - attack.resource_development + - attack.t1587 diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml index 771952fe714..b32e11ac3c5 100644 --- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml 
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -3,6 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
 description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
 status: experimental
 date: 2020/05/02
+modified: 2021/11/16
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.collection
@@ -17,7 +18,9 @@ detection:
 selection:
 ImageLoaded|endswith: '\System.Drawing.ni.dll'
 filter:
- Image|endswith: '\WmiPrvSE.exe'
+ Image|endswith:
+ - '\WmiPrvSE.exe'
+ - '\mmc.exe'
 condition: selection and not filter
 falsepositives:
 - unknown
diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 68b9041f4b3..022931277ed 100755
--- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
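Review bot: The new `'\mmc.exe'` entry in `filter` matches on image name only (`Image|endswith`), so any binary named mmc.exe in any directory is now exempt from a rule whose entire signal is the System.Drawing load. The legitimate binary has a fixed location, so anchoring the exclusion to the full path — e.g. `Image: - 'C:\Windows\System32\mmc.exe'` alongside the existing entry, adding the SysWOW64 copy only if it is actually observed — keeps the FP fix without the rename bypass; the same consideration applies to the pre-existing WmiPrvSE.exe entry. Since `falsepositives` still says `unknown`, the mmc.exe case that motivated this change should be recorded there.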
@@ -1,9 +1,7 @@
 title: Load of dbghelp/dbgcore DLL from Suspicious Process
 id: 0e277796-5f23-4e49-a490-483131d4f6e1
 status: experimental
-description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump
- API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
- transfer it over the network back to the attacker's machine.
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
 date: 2019/10/27
 modified: 2020/08/23
 author: Perez Diego (@darkquassar), oscd.community, Ecco
@@ -26,7 +24,7 @@ detection:
 Image|endswith:
 - '\msbuild.exe'
 - '\cmd.exe'
- - '\svchost.exe'
+ # - '\svchost.exe'
 - '\rundll32.exe'
 - '\powershell.exe'
 - '\word.exe'
@@ -35,7 +33,7 @@ detection:
 - '\outlook.exe'
 - '\monitoringhost.exe'
 - '\wmic.exe'
- # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
+ # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
 - '\bash.exe'
 - '\wscript.exe'
 - '\cscript.exe'
@@ -50,10 +48,10 @@ detection:
 ImageLoaded|endswith:
 - '\dbghelp.dll'
 - '\dbgcore.dll'
- Signed: "FALSE"
- filter:
+ Signed: 'FALSE'
+ filter1:
 Image|contains: 'Visual Studio'
- condition: (signedprocess and not filter) or (unsignedprocess and not filter)
+ condition: (signedprocess and not filter1) or (unsignedprocess and not filter1)
 fields:
 - ComputerName
 - User
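Review bot: `'\svchost.exe'` is removed from the suspicious-image list by commenting it out with no reason recorded, while the neighbouring msiexec.exe entry shows the file's own convention of stating why a line is disabled; add the rationale inline, e.g. `# - '\svchost.exe'  # disabled <YYYY/MM/DD>: <reason or issue link>` (placeholder). Dropping svchost.exe is a coverage change, since it is a frequent host for injected code, so the `modified: 2020/08/23` context line in the first hunk should be bumped to this change's date and the trade-off noted under `falsepositives:` (outside these hunks). The `filter` → `filter1` rename and the quote normalisation on `Signed` are fine; the selection definitions they belong to start outside the hunk.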
diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
index ae9420ad844..27c50cff0ff 100644
--- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
@@ -3,6 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
 status: experimental
 date: 2020/10/20
+modified: 2021/11/20
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.credential_access
@@ -23,7 +24,11 @@ detection:
 - OriginalFileName:
 - 'credui.dll'
 - 'wincredui.dll'
- condition: selection
+ filter:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\explorer.exe'
+ condition: selection and not filter
 falsepositives:
 - other legitimate processes loading those DLLs in your environment.
 level: medium
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 57d3ade28a3..631c40f992e 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 description: Detects non wmiprvse loading WMI modules
 status: experimental
 date: 2019/08/10
-modified: 2021/08/18
+modified: 2021/11/20
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
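Review bot: The new `filter` in sysmon_uipromptforcreds_dlls.yml exempts every image under `C:\Windows\System32\`, which also covers the scripting hosts and shells that live there (powershell.exe under System32\WindowsPowerShell\v1.0, cmd.exe, rundll32.exe, mshta.exe); if the referenced credential-prompt scenario is driven from PowerShell, as the credui/wincredui load pattern suggests, the rule now misses its primary case — please confirm against the reference (outside this hunk) before merging. If the intent is to silence specific system components, list them with exact `Image:` paths rather than a directory prefix, and keep `'C:\Windows\explorer.exe'`, which is effectively an exact match already, as it is. The selection block the filter applies to starts outside this hunk.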
@@ -38,7 +38,18 @@ detection: - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 - condition: selection and not filter + - 'C:\Windows\Sysmon64.exe' + - 'C:\Windows\Sysmon.exe' + - 'C:\Windows\System32\wbem\unsecapp.exe' + - '\logman.exe' + - '\systeminfo.exe' + - '\nvcontainer.exe' + - 'C:\Windows\System32\wbem\WMIC.exe' + filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to + Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + condition: selection and not filter and not filter_generic fields: - ComputerName - User @@ -46,5 +57,5 @@ fields: - ImageLoaded falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml index 953e556e866..5bf954a9b7e 100644 --- a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml +++ b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml @@ -3,6 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. status: experimental date: 2020/06/24 +modified: 2021/11/17 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -32,6 +33,8 @@ detection: respond_server: Image|endswith: '\svchost.exe' OriginalFileName: 'WsmWmiPl.dll' + filter: + CommandLine|endswith: '\svchost.exe -k netsvcs -p -s BITS' condition: (request_client and not filter_ps) or respond_server falsepositives: - Unknown 
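Review bot: `filter_generic` in sysmon_wmi_module_load.yml exempts every image under `C:\Program Files\` and `C:\Program Files (x86)\` on the stated assumption that only administrative groups can write there; that holds for the directory roots but not for every vendor subfolder, and a process already running with admin rights is exactly what this rule is meant to surface, so the exclusion should be recorded as a known gap under `falsepositives:` (the `level` downgrade to medium in the next hunk is consistent with it). The justification is a ~200-character trailing comment on the `filter_generic:` key; move it to a `# NOTE:` line above the key so the YAML stays readable. The new name-only entries (`'\logman.exe'`, `'\systeminfo.exe'`, `'\nvcontainer.exe'`) sit next to full-path entries under a list whose modifier is outside this hunk; if it is `endswith`, both styles work, but the name-only ones are matched by any renamed binary and the full-path form is preferable where the location is fixed.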
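Review bot: The `filter` added to sysmon_wsman_provider_image_load.yml is never applied: the condition on the following context line is unchanged, `condition: (request_client and not filter_ps) or respond_server`, so the BITS svchost exclusion has no effect and the rule keeps firing on that host process. If it is meant to exempt the respond_server branch, the line should become `condition: (request_client and not filter_ps) or (respond_server and not filter)`. Separately, as far as I know Sysmon image-load (Event ID 7) records carry no CommandLine field, so `CommandLine|endswith` only works where the pipeline enriches image-load events from the process-creation record — worth confirming, otherwise the exclusion needs to key on fields the event actually has, which for svchost.exe leaves little beyond `Image` and `OriginalFileName` and argues for keeping the exclusion narrow.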
diff --git a/rules/windows/image_load/win_susp_svchost_clfsw32.yml b/rules/windows/image_load/win_susp_svchost_clfsw32.yml index 2a58dabcdc7..ae9008a4471 100644 --- a/rules/windows/image_load/win_susp_svchost_clfsw32.yml +++ b/rules/windows/image_load/win_susp_svchost_clfsw32.yml @@ -17,3 +17,7 @@ detection: falsepositives: - Rarely observed level: high +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 \ No newline at end of file diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml index 94ec45d72f6..eed62316323 100644 --- a/rules/windows/malware/av_exploiting.yml +++ b/rules/windows/malware/av_exploiting.yml @@ -1,6 +1,7 @@ title: Antivirus Exploitation Framework Detection id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864 description: Detects a highly relevant Antivirus alert that reports an exploitation framework +status: experimental date: 2018/09/09 modified: 2019/01/16 author: Florian Roth diff --git a/rules/windows/malware/av_hacktool.yml b/rules/windows/malware/av_hacktool.yml index e074241ffe0..8aecae9eeab 100644 --- a/rules/windows/malware/av_hacktool.yml +++ b/rules/windows/malware/av_hacktool.yml @@ -1,6 +1,7 @@ title: Antivirus Hacktool Detection id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool +status: experimental date: 2021/08/16 author: Florian Roth references: @@ -24,4 +25,5 @@ falsepositives: - Unlikely level: high tags: - - attack.execution \ No newline at end of file + - attack.execution + - attack.t1204 diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml index dc75de349e7..34a4314f7b7 100644 --- a/rules/windows/malware/av_password_dumper.yml +++ b/rules/windows/malware/av_password_dumper.yml 
@@ -1,6 +1,7 @@ title: Antivirus Password Dumper Detection id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 description: Detects a highly relevant Antivirus alert that reports a password dumper +status: experimental date: 2018/09/09 modified: 2019/10/04 author: Florian Roth diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index fb82c3138c7..0f2b3ace894 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml @@ -1,6 +1,7 @@ title: Antivirus Relevant File Paths Alerts id: c9a88268-0047-4824-ba6e-4d81ce0b907c description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name +status: experimental date: 2018/09/09 modified: 2021/05/09 author: Florian Roth, Arnim Rupp diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 39960e1d2c5..4f0a63aaafd 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -1,6 +1,7 @@ title: Antivirus Web Shell Detection id: fdf135a2-9241-4f96-a114-bb404948f736 description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches. +status: experimental date: 2018/09/09 modified: 2021/05/08 author: Florian Roth, Arnim Rupp diff --git a/rules/windows/network_connection/win_net_crypto_mining.yml b/rules/windows/network_connection/win_net_crypto_mining.yml index 3ec3eb2f559..10fbd6fe1c7 100644 --- a/rules/windows/network_connection/win_net_crypto_mining.yml +++ b/rules/windows/network_connection/win_net_crypto_mining.yml @@ -38,3 +38,6 @@ detection: falsepositives: - Legitimate use of crypto miners level: high +tags: + - attack.impact + - attack.t1496 \ No newline at end of file 
diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/other/win_defender_bypass.yml
index d14592fbc5c..d4fd592a30d 100644
--- a/rules/windows/other/win_defender_bypass.yml
+++ b/rules/windows/other/win_defender_bypass.yml
@@ -1,6 +1,7 @@
 title: Windows Defender Exclusion Set
 id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
 description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
+status: experimental
 references:
 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 tags:
diff --git a/rules/windows/other/win_exchange_cve_2021_42321.yml b/rules/windows/other/win_exchange_cve_2021_42321.yml
new file mode 100644
index 00000000000..f717cef1045
--- /dev/null
+++ b/rules/windows/other/win_exchange_cve_2021_42321.yml
@@ -0,0 +1,22 @@
+title: Possible Exploitation of Exchange RCE CVE-2021-42321
+id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
+status: experimental
+description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
+references:
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
+author: 'Florian Roth, @testanull'
+date: 2021/11/18
+logsource:
+ product: windows
+ service: msexchange-management
+detection:
+ EventID: 6
+ keywords:
+ - 'Cmdlet failed. Cmdlet Get-App, '
+ condition: keywords
+falsepositives:
+ - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
+level: critical
+tags:
+ - attack.lateral_movement
+ - attack.t1210
\ No newline at end of file
diff --git a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
index 66e600c1d4e..a8dea10d8c4 100755
--- a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
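Review bot: In the new win_exchange_cve_2021_42321.yml, `EventID: 6` sits directly under `detection:` as a search identifier with a bare scalar value instead of inside a selection map, and `condition: keywords` never references it, so the Event ID constraint is silently not applied — and a Sigma validator will most likely reject a search identifier whose value is an integer rather than a map or list. Wrap it in a named selection and AND it with the keyword match, as below. The file is also written without a trailing newline, which the repository's other rules in this commit mostly avoid.
```yaml
detection:
    selection:
        EventID: 6
    keywords:
        - 'Cmdlet failed. Cmdlet Get-App, '
    condition: selection and keywords
```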
@@ -4,9 +4,12 @@ status: experimental description: Detects a named pipe used by Turla group samples references: - Internal Research + - https://attack.mitre.org/groups/G0010/ date: 2017/11/06 tags: - attack.g0010 + - attack.execution + - attack.t1106 author: Markus Neis logsource: product: windows diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml index 87933c08aea..20ee7ade714 100644 --- a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml 
@@ -7,13 +7,16 @@ references: date: 2021/09/01 author: Florian Roth logsource: - product: windows - category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: - selection: - Image|endswith: '\scrcons.exe' - condition: selection + selection: + Image|endswith: '\scrcons.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.t1047 + - attack.execution \ No newline at end of file diff --git a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml index 50adcdf3ccc..11dae35ce1d 100644 --- a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml 
+++ b/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml @@ -6,6 +6,7 @@ related: - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 type: derived description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. +status: experimental references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml index 5ad5d0275de..4b0d42d1cf5 100644 --- a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml @@ -20,3 +20,4 @@ falsepositives: level: high tags: - attack.privilege_escalation + - attack.t1548 diff --git a/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml index 3c53354ebcd..c1b7275ad96 100644 --- a/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml @@ -1,6 +1,7 @@ title: Change PowerShell Policies to a Unsecure Level id: 61d0475c-173f-4844-86f7-f3eebae1c66b description: Detects use of Set-ExecutionPolicy to set a unsecure policies +status: experimental references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 
diff --git a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml index 7dfbaa60867..49bfae4aba4 100644 --- a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml @@ -6,6 +6,7 @@ related: - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 type: derived description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. +status: experimental references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml index db49416564e..a245cab0b2d 100644 --- a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml +++ b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml 
@@ -6,23 +6,24 @@ author: Austin Songer @austinsonger date: 2021/10/12 modified: 2021/10/16 references: -- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps -- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell -- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- http://woshub.com/manage-windows-firewall-powershell/ + - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps + - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell + - http://powershellhelp.space/commands/set-netfirewallrule-psv5.php + - http://woshub.com/manage-windows-firewall-powershell/ logsource: - product: windows - category: ps_script + product: windows + category: ps_script detection: - selection: - ScriptBlockText|contains|all: - - Set-NetFirewallProfile - - -Profile - - -Enabled - - 'False' - condition: selection + selection: + ScriptBlockText|contains|all: + - Set-NetFirewallProfile + - -Profile + - -Enabled + - 'False' + condition: selection tags: -- attack.defense_evasion + - attack.defense_evasion + - attack.t1562.004 level: high falsepositives: -- Unknown + - Unknown diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index e4c5cea6a9d..c505085c86c 100755 --- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml 
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
-modified: 2021/10/20
+modified: 2021/11/20
 references:
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -23,7 +23,7 @@ logsource:
 detection:
 selection:
 TargetImage|endswith: '\lsass.exe'
- GrantedAccess|contains:
+ GrantedAccess|startswith:
 - '0x40'
 - '0x1000'
 - '0x1400'
@@ -37,7 +37,7 @@ detection:
 - '0x1f1fff'
 - '0x1f2fff'
 - '0x1f3fff'
- filter:
+ filter1:
 SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts
 - '\wmiprvse.exe'
 - '\taskmgr.exe'
@@ -48,7 +48,18 @@ detection:
 - '\csrss.exe'
 - '\wininit.exe'
 - '\vmtoolsd.exe'
- condition: selection and not filter
+ filter2:
+ GrantedAccess:
+ - '0x1000'
+ - '0x1410'
+ SourceImage|endswith:
+ - '\MicrosoftEdgeUpdate.exe'
+ - '\GamingServices.exe'
+ - 'C:\Windows\System32\svchost.exe'
+ - '\aurora-agent.exe'
+ - '\aurora-agent-64.exe'
+ - 'C:\WINDOWS\system32\taskhostw.exe'
+ condition: selection and not filter1 and not filter2
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 8455bfee9fd..8ab2c624896 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
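Review bot: The new filter2 exclusions mix bare image names (`'\MicrosoftEdgeUpdate.exe'`, `'\GamingServices.exe'`, `'\aurora-agent.exe'`, `'\aurora-agent-64.exe'`) with full paths (`'C:\Windows\System32\svchost.exe'`, `'C:\WINDOWS\system32\taskhostw.exe'`), so only the latter two constrain where the excluded binary runs from. filter1 already carries the "easy to bypass" comment for exactly this name-only pattern; filter2 should either anchor the bare entries to their expected install directory or carry the same caveat, e.g. `SourceImage|endswith:  # name-only matches, same bypass caveat as filter1`. The svchost and taskhostw entries also spell the system directory differently (`C:\Windows\System32` vs `C:\WINDOWS\system32`); whether that matters depends on the backend's case handling, so normalising both to one spelling avoids a surprise on a case-sensitive target. The switch from `contains` to `startswith` on GrantedAccess narrows the match and is not explained in the hunk; a short comment on that line would help the next person tuning this rule.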
@@ -1,13 +1,9 @@
 title: Suspicious In-Memory Module Execution
 id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
-description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity
- C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN"
- as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such
- few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain
- routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
+description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
 status: experimental
 date: 2019/10/27
-modified: 2021/10/21
+modified: 2021/11/20
 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
 references:
 - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
@@ -46,6 +42,11 @@ detection:
 filter:
 SourceImage|endswith:
 - '\Windows\System32\sdiagnhost.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\Microsoft VS Code\Code.exe'
+ - '\aurora-agent-64.exe'
+ - '\aurora-agent.exe'
 condition: selection1 or selection2 or selection3 and not filter
 fields:
 - ComputerName
@@ -53,6 +54,6 @@ fields:
 - SourceImage
 - TargetImage
 - CallTrace
-level: critical
+level: high
 falsepositives:
- - Low
+ - SysInternals Process Explorer
diff --git a/rules/windows/process_access/sysmon_svchost_cred_dump.yml b/rules/windows/process_access/sysmon_svchost_cred_dump.yml
index f8d2863540c..abfab2e5243 100644
--- a/rules/windows/process_access/sysmon_svchost_cred_dump.yml
+++ b/rules/windows/process_access/sysmon_svchost_cred_dump.yml
@@ -1,6 +1,7 @@
 title: SVCHOST Credential Dump
 id: 174afcfa-6e40-4ae9-af64-496546389294
 description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
+status: experimental
 date: 2021/04/30
 author: Florent Labouyrie
 logsource:
diff --git a/rules/windows/process_creation/process_creation_apt_gallium.yml b/rules/windows/process_creation/process_creation_apt_gallium.yml
index ba369fe5586..15cb6e19ecd 100644
--- a/rules/windows/process_creation/process_creation_apt_gallium.yml
+++ b/rules/windows/process_creation/process_creation_apt_gallium.yml
@@ -13,7 +13,9 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
 tags:
 - attack.credential_access
+ - attack.t1212
 - attack.command_and_control
+ - attack.t1071
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/process_creation_apt_gallium_sha1.yml b/rules/windows/process_creation/process_creation_apt_gallium_sha1.yml
index 20aa889b9a8..eeb3dbded19 100644
--- a/rules/windows/process_creation/process_creation_apt_gallium_sha1.yml
+++ b/rules/windows/process_creation/process_creation_apt_gallium_sha1.yml
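Review bot: The extended filter still only suppresses selection3, because the context line `condition: selection1 or selection2 or selection3 and not filter` is evaluated with `and` binding tighter than `or` under Sigma's operator precedence, so the procexp/Code.exe/aurora-agent entries added here do not stop selection1 or selection2 from firing on Process Explorer even though it is now listed under falsepositives. The fix is a pair of parentheses: `condition: (selection1 or selection2 or selection3) and not filter`. selection1 to selection3 are defined above this hunk and are not visible here, so I cannot confirm which of them actually matches those tools, but the precedence issue applies regardless.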
@@ -10,7 +10,9 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) tags: - attack.credential_access + - attack.t1212 - attack.command_and_control + - attack.t1071 logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/process_creation_apt_slingshot.yml b/rules/windows/process_creation/process_creation_apt_slingshot.yml index b726d27be9a..6e04b4af001 100755 --- a/rules/windows/process_creation/process_creation_apt_slingshot.yml +++ b/rules/windows/process_creation/process_creation_apt_slingshot.yml @@ -1,6 +1,7 @@ title: Defrag Deactivation id: 958d81aa-8566-4cea-a565-59ccd4df27b0 description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group +status: experimental author: Florian Roth, Bartlomiej Czyz (@bczyz1) date: 2019/03/04 modified: 2021/09/19 @@ -8,6 +9,7 @@ references: - https://securelist.com/apt-slingshot/84312/ tags: - attack.persistence + - attack.t1053.005 - attack.s0111 logsource: category: process_creation diff --git a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml index 2b141c5d47f..2e18a0f1526 100644 --- a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml +++ b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml @@ -10,6 +10,7 @@ references: - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15 tags: - attack.collection + - attack.t1005 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml index 6e9c71ef51a..6d8556cff2c 100644 --- a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml 
+++ b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml @@ -5,6 +5,7 @@ related: type: derived description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen +status: experimental references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ tags: diff --git a/rules/windows/process_creation/sysmon_hack_wce.yml b/rules/windows/process_creation/sysmon_hack_wce.yml index f4b181354e5..6acf0e58f1a 100644 --- a/rules/windows/process_creation/sysmon_hack_wce.yml +++ b/rules/windows/process_creation/sysmon_hack_wce.yml @@ -1,6 +1,7 @@ title: Windows Credential Editor id: 7aa7009a-28b9-4344-8c1f-159489a390df description: Detects the use of Windows Credential Editor (WCE) +status: experimental author: Florian Roth references: - https://www.ampliasecurity.com/research/windows-credentials-editor/ diff --git a/rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml similarity index 98% rename from rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml rename to rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml index 39d28e4af8b..63c8dd1b81e 100644 --- a/rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml @@ -4,6 +4,7 @@ related: - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 type: derived description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 +status: experimental references: - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ tags: diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml index 770ad56b14c..20c216949d0 100644 
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml +++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml @@ -1,6 +1,7 @@ title: APT29 id: 033fe7d6-66d1-4240-ac6b-28908009c71f description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks. +status: experimental references: - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml index 248e3d65296..f13e874d2e9 100644 --- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml @@ -1,6 +1,7 @@ title: Judgement Panda Credential Access Activity id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike +status: experimental references: - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ author: Florian Roth diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml index 8c6538e1861..b277ea9d7bd 100755 --- a/rules/windows/process_creation/win_apt_cloudhopper.yml +++ b/rules/windows/process_creation/win_apt_cloudhopper.yml @@ -1,6 +1,7 @@ title: WMIExec VBS Script id: 966e4016-627f-44f7-8341-f394905c361f description: Detects suspicious file execution by wscript and cscript +status: experimental author: Florian Roth date: 2017/04/07 references: diff --git a/rules/windows/process_creation/win_apt_dragonfly.yml b/rules/windows/process_creation/win_apt_dragonfly.yml index 78c99ce9237..dc72a1aa71a 100755 
--- a/rules/windows/process_creation/win_apt_dragonfly.yml +++ b/rules/windows/process_creation/win_apt_dragonfly.yml @@ -4,8 +4,13 @@ description: Detects CrackMapExecWin Activity as Described by NCSC status: experimental references: - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control + - https://attack.mitre.org/software/S0488/ tags: - attack.g0035 + - attack.credential_access + - attack.discovery + - attack.t1110 + - attack.t1087 author: Markus Neis date: 2018/04/08 logsource: diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index 93b94f14790..5ced1c0761f 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml +++ b/rules/windows/process_creation/win_apt_empiremonkey.yml @@ -1,6 +1,7 @@ title: Empire Monkey id: 10152a7b-b566-438f-a33c-390b607d1c8d description: Detects EmpireMonkey APT reported Activity +status: experimental references: - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b tags: diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml index 78748faa44c..92aa1e5081f 100755 --- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml @@ -4,6 +4,7 @@ author: Florian Roth date: 2019/03/04 modified: 2020/08/27 description: Detects a specific tool and export used by EquationGroup +status: experimental references: - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type= - https://securelist.com/apt-slingshot/84312/ diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml index c1fb93db55b..0eb8742d996 100644 --- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml 
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml @@ -1,6 +1,7 @@ title: Judgement Panda Exfil Activity id: 03e2746e-2b31-42f1-ab7a-eb39365b2422 description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike +status: experimental references: - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ author: Florian Roth diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml index c100e1b9288..2acce96ce4d 100644 --- a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml +++ b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml @@ -6,6 +6,8 @@ references: - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ tags: - attack.g0032 + - attack.execution + - attack.t1106 author: Bhabesh Raj date: 2021/04/20 modified: 2021/06/27 diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml index 9843b81e5f4..6b5fcccafeb 100644 --- a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml +++ b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml @@ -7,6 +7,8 @@ references: - https://www.hvs-consulting.de/lazarus-report/ tags: - attack.g0032 + - attack.execution + - attack.t1059 author: Florian Roth date: 2020/12/23 modified: 2021/06/27 diff --git a/rules/windows/process_creation/win_apt_lazarus_loader.yml b/rules/windows/process_creation/win_apt_lazarus_loader.yml index df3df1a4d7f..3bd666a9f68 100644 --- a/rules/windows/process_creation/win_apt_lazarus_loader.yml +++ b/rules/windows/process_creation/win_apt_lazarus_loader.yml 
@@ -7,6 +7,8 @@ references: - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ tags: - attack.g0032 + - attack.execution + - attack.t1059 author: Florian Roth, wagga date: 2020/12/23 modified: 2021/06/27 diff --git a/rules/windows/process_creation/win_apt_revil_kaseya.yml b/rules/windows/process_creation/win_apt_revil_kaseya.yml index b3f6cab3af4..4bb406fed9c 100644 --- a/rules/windows/process_creation/win_apt_revil_kaseya.yml +++ b/rules/windows/process_creation/win_apt_revil_kaseya.yml @@ -13,6 +13,7 @@ date: 2021/07/03 modified: 2021/07/05 tags: - attack.execution + - attack.t1059 - attack.g0115 logsource: category: process_creation diff --git a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml index 1fa44f000a9..56823a59e64 100755 --- a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml +++ b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml @@ -1,6 +1,7 @@ title: Ps.exe Renamed SysInternals Tool id: 18da1007-3f26-470f-875d-f77faf1cab31 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report +status: experimental references: - https://www.us-cert.gov/ncas/alerts/TA17-293A tags: diff --git a/rules/windows/process_creation/win_apt_ta505_dropper.yml b/rules/windows/process_creation/win_apt_ta505_dropper.yml index d90e4159459..9eda6bd1407 100644 --- a/rules/windows/process_creation/win_apt_ta505_dropper.yml +++ b/rules/windows/process_creation/win_apt_ta505_dropper.yml @@ -7,6 +7,7 @@ references: tags: - attack.execution - attack.g0092 + - attack.t1106 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_apt_unc2452_ps.yml b/rules/windows/process_creation/win_apt_unc2452_ps.yml index 5575f09f436..27dc40646c8 100644 --- a/rules/windows/process_creation/win_apt_unc2452_ps.yml 
+++ b/rules/windows/process_creation/win_apt_unc2452_ps.yml @@ -1,6 +1,7 @@ title: UNC2452 PowerShell Pattern id: b7155193-8a81-4d8f-805d-88de864ca50c description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports +status: experimental references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml index 515d541e791..9aeb6d8c3c0 100755 --- a/rules/windows/process_creation/win_apt_zxshell.yml +++ b/rules/windows/process_creation/win_apt_zxshell.yml @@ -1,6 +1,7 @@ title: ZxShell Malware id: f0b70adb-0075-43b0-9745-e82a1c608fcc description: Detects a ZxShell start by the called and well-known function name +status: experimental author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2017/07/20 modified: 2020/08/26 diff --git a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml index c36cf801643..894add39590 100644 --- a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml +++ b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml @@ -10,6 +10,7 @@ date: 2021/07/27 modified: 2021/08/30 tags: - attack.execution + - attack.t1059 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_crypto_mining_monero.yml b/rules/windows/process_creation/win_crypto_mining_monero.yml index d4bade38017..4db11b0937f 100644 --- a/rules/windows/process_creation/win_crypto_mining_monero.yml +++ b/rules/windows/process_creation/win_crypto_mining_monero.yml 
@@ -10,27 +10,30 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains: - - ' --cpu-priority=' - - '--donate-level=0' - - ' -o pool.' - - ' --nicehash' - - ' --algo=rx/0 ' - - 'stratum+tcp://' - - 'stratum+udp://' - # base64 encoded: --donate-level= - - 'LS1kb25hdGUtbGV2ZWw9' - - '0tZG9uYXRlLWxldmVsP' - - 'tLWRvbmF0ZS1sZXZlbD' - # base64 encoded: stratum+tcp:// and stratum+udp:// - - 'c3RyYXR1bSt0Y3A6Ly' - - 'N0cmF0dW0rdGNwOi8v' - - 'zdHJhdHVtK3RjcDovL' - - 'c3RyYXR1bSt1ZHA6Ly' - - 'N0cmF0dW0rdWRwOi8v' - - 'zdHJhdHVtK3VkcDovL' - condition: selection + selection: + CommandLine|contains: + - ' --cpu-priority=' + - '--donate-level=0' + - ' -o pool.' + - ' --nicehash' + - ' --algo=rx/0 ' + - 'stratum+tcp://' + - 'stratum+udp://' + # base64 encoded: --donate-level= + - 'LS1kb25hdGUtbGV2ZWw9' + - '0tZG9uYXRlLWxldmVsP' + - 'tLWRvbmF0ZS1sZXZlbD' + # base64 encoded: stratum+tcp:// and stratum+udp:// + - 'c3RyYXR1bSt0Y3A6Ly' + - 'N0cmF0dW0rdGNwOi8v' + - 'zdHJhdHVtK3RjcDovL' + - 'c3RyYXR1bSt1ZHA6Ly' + - 'N0cmF0dW0rdWRwOi8v' + - 'zdHJhdHVtK3VkcDovL' + condition: selection falsepositives: - - Legitimate use of crypto miners + - Legitimate use of crypto miners level: high +tags: + - attack.impact + - attack.t1496 \ No newline at end of file diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml index 03801e753dd..7d6cd971e81 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml 
@@ -1,6 +1,7 @@ title: Exploit for CVE-2017-8759 id: fdd84c68-a1f6-47c9-9477-920584f94905 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 +status: experimental references: - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 diff --git a/rules/windows/process_creation/win_hack_adcspwn.yml b/rules/windows/process_creation/win_hack_adcspwn.yml index fcaa5c41b2c..c1ad6a2182d 100644 --- a/rules/windows/process_creation/win_hack_adcspwn.yml +++ b/rules/windows/process_creation/win_hack_adcspwn.yml @@ -1,6 +1,7 @@ title: ADCSPwn Hack Tool id: cd8c163e-a19b-402e-bdd5-419ff5859f12 description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service +status: experimental author: Florian Roth references: - https://github.com/bats3c/ADCSPwn diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml index 27501397b41..800a2ae7a63 100644 --- a/rules/windows/process_creation/win_hack_bloodhound.yml +++ b/rules/windows/process_creation/win_hack_bloodhound.yml @@ -1,6 +1,7 @@ title: Bloodhound and Sharphound Hack Tool id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962 description: Detects command line parameters used by Bloodhound and Sharphound hack tools +status: experimental author: Florian Roth references: - https://github.com/BloodHoundAD/BloodHound diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml index 4ce04049b2f..b0f6bb699bb 100644 --- a/rules/windows/process_creation/win_hack_rubeus.yml +++ b/rules/windows/process_creation/win_hack_rubeus.yml 
@@ -1,6 +1,7 @@ title: Rubeus Hack Tool id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 description: Detects command line parameters used by Rubeus hack tool +status: experimental author: Florian Roth references: - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml index d8899df42ab..8b29ea34bff 100644 --- a/rules/windows/process_creation/win_hack_secutyxploded.yml +++ b/rules/windows/process_creation/win_hack_secutyxploded.yml @@ -1,6 +1,7 @@ title: SecurityXploded Tool id: 7679d464-4f74-45e2-9e01-ac66c5eb041a description: Detects the execution of SecurityXploded Tools +status: experimental author: Florian Roth references: - https://securityxploded.com/ diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml index 4c44ae87bb2..04c9f49ab00 100644 --- a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml +++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml @@ -1,6 +1,7 @@ title: Writing Of Malicious Files To The Fonts Folder id: ae9b0bd7-8888-4606-b444-0ed7410cb728 description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from. +status: experimental references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ date: 2020/21/04 diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index c564592577a..ea76cc39efc 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml 
@@ -1,6 +1,7 @@ title: CreateMiniDump Hacktool id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine +status: experimental author: Florian Roth references: - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass diff --git a/rules/windows/process_creation/win_malware_trickbot_wermgr.yml b/rules/windows/process_creation/win_malware_trickbot_wermgr.yml index 154bd0bd776..6ee77a5ca4b 100644 --- a/rules/windows/process_creation/win_malware_trickbot_wermgr.yml +++ b/rules/windows/process_creation/win_malware_trickbot_wermgr.yml @@ -9,6 +9,7 @@ author: Florian Roth date: 2020/11/26 tags: - attack.execution + - attack.t1559 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml index cb775d8829d..f7fe4b4bfff 100644 --- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml +++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml @@ -1,6 +1,7 @@ title: Meterpreter or Cobalt Strike Getsystem Service Start id: 15619216-e993-4721-b590-4c520615a67d description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting +status: experimental author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 modified: 2021/05/20 diff --git a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml index c5aa53dbd6a..01c24de683e 100644 --- a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml 
+++ b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml @@ -7,6 +7,7 @@ date: 2020/10/29 modified: 2021/07/15 tags: - attack.defense_evasion + - attack.t1197 references: - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html diff --git a/rules/windows/process_creation/win_multiple_suspicious_cli.yml b/rules/windows/process_creation/win_multiple_suspicious_cli.yml index c87f44d9ee4..45a278ba56c 100644 --- a/rules/windows/process_creation/win_multiple_suspicious_cli.yml +++ b/rules/windows/process_creation/win_multiple_suspicious_cli.yml @@ -9,6 +9,8 @@ date: 2019/01/16 modified: 2021/06/13 tags: - car.2013-04-002 + - attack.execution + - attack.t1059 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml index 7bc3f6a2f6f..cf3fd63ce09 100644 --- a/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml +++ b/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml @@ -1,6 +1,7 @@ title: Change PowerShell Policies to a Unsecure Level id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 description: Detects use of executionpolicy option to set a unsecure policies +status: experimental references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 diff --git a/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml index 38d1e3c3ebf..6a00bbb648a 100644 --- a/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml 
+++ b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml @@ -1,6 +1,7 @@ title: Suspicius Add Task From User AppData Temp id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 description: schtasks.exe create task from user AppData\Local\Temp +status: experimental references: - malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 tags: diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml index a0125bc7d2f..2594a7efce9 100644 --- a/rules/windows/process_creation/win_psexesvc_start.yml +++ b/rules/windows/process_creation/win_psexesvc_start.yml @@ -1,6 +1,7 @@ title: PsExec Service Start id: 3ede524d-21cc-472d-a3ce-d21b568d8db7 description: Detects a PsExec service start +status: experimental author: Florian Roth date: 2018/03/13 modified: 2012/12/11 diff --git a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml index 1106fcd3cd0..a9ca7e3e8b3 100644 --- a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml +++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml @@ -1,6 +1,7 @@ title: RedMimicry Winnti Playbook Execute id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b description: Detects actions caused by the RedMimicry Winnti playbook +status: experimental references: - https://redmimicry.com author: Alexander Rausch diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml index 5a140744e5d..bc5d7d4b276 100644 --- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml +++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml @@ -9,6 +9,7 @@ date: 2019/10/22 modified: 2021/09/19 tags: - attack.command_and_control + - attack.t1071 logsource: category: process_creation product: windows 
diff --git a/rules/windows/process_creation/win_sus_auditpol_usage.yml b/rules/windows/process_creation/win_sus_auditpol_usage.yml index e3ca336ed63..2eeba8dcf45 100644 --- a/rules/windows/process_creation/win_sus_auditpol_usage.yml +++ b/rules/windows/process_creation/win_sus_auditpol_usage.yml @@ -1,6 +1,7 @@ title: Suspicious Auditpol Usage id: 0a13e132-651d-11eb-ae93-0242ac130002 description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. +status: experimental author: Janantha Marasinghe (https://github.com/blueteam0ps) references: - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml index 312b047b717..1d9edc2f7f3 100644 --- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml @@ -25,4 +25,6 @@ detection: falsepositives: - Unknown level: critical - +tags: + - attack.execution + - attack.t1059 diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml index 0bd70927f25..cdc88f34e02 100644 --- a/rules/windows/process_creation/win_susp_double_extension.yml +++ b/rules/windows/process_creation/win_susp_double_extension.yml 
@@ -1,6 +1,7 @@ title: Suspicious Double Extension id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns +status: experimental references: - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html - https://twitter.com/blackorbird/status/1140519090961825792 diff --git a/rules/windows/process_creation/win_susp_emotet_rudll32_execution.yml b/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml similarity index 66% rename from rules/windows/process_creation/win_susp_emotet_rudll32_execution.yml rename to rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml index fa421ec9efe..f5e70dfcf26 100644 --- a/rules/windows/process_creation/win_susp_emotet_rudll32_execution.yml +++ b/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml @@ -1,11 +1,13 @@ title: Emotet RunDLL32 Process Creation id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9 -description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,#1 +description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL author: FPT.EagleEye status: experimental date: 2020/12/25 +modified: 2021/11/17 references: - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html + - https://cyber.wtf/2021/11/15/guess-whos-back/ tags: - attack.defense_evasion - attack.t1218.011 
@@ -18,11 +20,17 @@ detection: - '\rundll32.exe' CommandLine|endswith: - ',RunDLL' + - ',Control_RunDLL' # - ',#1' too generic - function load by ordinal is not Emotet specific + filter_legitimate_dll: + CommandLine|endswith: + - '.dll,Control_RunDLL' + - '.dll",Control_RunDLL' + - ".dll',Control_RunDLL" filter_ide: ParentImage|endswith: - - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe - condition: selection and not filter_ide + - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe + condition: selection and not filter_ide and not filter_legitimate_dll falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index 7046f941a10..92f50bd32cd 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml @@ -1,6 +1,7 @@ title: Suspicious Eventlog Clear or Configuration Using Wevtutil id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others). +status: experimental author: Ecco, Daniil Yugoslavskiy, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index ed571e472f1..876bb1ce9f7 100644 --- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml 
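Review bot: The new `filter_legitimate_dll` quietly restricts the `,Control_RunDLL` branch to payload paths that do not end in `.dll`, but neither the rule description (changed in the previous hunk) nor a comment says so, and the `# - ',#1' too generic …` remark is attached to the `,Control_RunDLL` list item, where it reads as a comment on that entry. Move the `,#1` remark onto its own comment line above the list and add a comment on `filter_legitimate_dll` such as `# .dll-suffixed Control_RunDLL loads are treated as ordinary DLL loads; presumably the loader in the cyber.wtf reference uses other extensions — confirm against the sample`. The description should likewise state that `.dll`-suffixed `Control_RunDLL` invocations are excluded, otherwise it overstates coverage.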
@@ -35,7 +35,6 @@ detection: - '\Windows\Media\' - '\Windows\repair\' - '\Windows\security\' - - '\Windows\system32\config\systemprofile\' - '\Windows\System32\Tasks\' - '\Windows\Tasks\' - Image|startswith: 'C:\Perflogs\' diff --git a/rules/windows/process_creation/win_susp_finger_usage.yml b/rules/windows/process_creation/win_susp_finger_usage.yml index 87fd5ff3085..e82c9ff8bba 100644 --- a/rules/windows/process_creation/win_susp_finger_usage.yml +++ b/rules/windows/process_creation/win_susp_finger_usage.yml @@ -1,6 +1,7 @@ title: Finger.exe Suspicious Invocation id: af491bca-e752-4b44-9c86-df5680533dbc description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays +status: experimental author: Florian Roth, omkar72, oscd.community date: 2021/02/24 references: diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml index 1b76d109115..ba4774fa580 100644 --- a/rules/windows/process_creation/win_susp_fsutil_usage.yml +++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml @@ -1,6 +1,7 @@ title: Fsutil Suspicious Invocation id: add64136-62e5-48ea-807e-88638d02df1e description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). +status: experimental author: Ecco, E.M. Anhaus, oscd.community date: 2019/09/26 modified: 2019/11/11 diff --git a/rules/windows/process_creation/win_susp_mshta_pattern.yml b/rules/windows/process_creation/win_susp_mshta_pattern.yml index 8291ef09585..83266600ca1 100644 --- a/rules/windows/process_creation/win_susp_mshta_pattern.yml +++ b/rules/windows/process_creation/win_susp_mshta_pattern.yml @@ -8,6 +8,7 @@ references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: - attack.execution + - attack.t1106 author: Florian Roth date: 2021/07/17 logsource: 
diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml index 9d9cf28628c..ea917bea46d 100644 --- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml +++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml @@ -1,6 +1,7 @@ title: Ping Hex IP id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd description: Detects a ping command that uses a hex encoded IP address +status: experimental references: - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.can - https://twitter.com/vysecurity/status/977198418354491392 diff --git a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml index 6f1b91d870c..9e29faf2666 100644 --- a/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/windows/process_creation/win_susp_razorinstaller_explorer.yml @@ -10,6 +10,7 @@ date: 2021/08/23 modified: 2021/08/24 tags: - attack.privilege_escalation + - attack.t1553 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml index 4861f0dc732..b210e604558 100644 --- a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml +++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml @@ -1,6 +1,7 @@ title: Regedit as Trusted Installer id: 883835a7-df45-43e4-bf1d-4268768afda4 description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe +status: experimental references: - https://twitter.com/1kwpeter/status/1397816101455765504 author: Florian Roth diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml index 621d962a729..5fd6ffc94e7 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml 
+++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml @@ -9,6 +9,7 @@ references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: - attack.defense_evasion + - attack.t1574 - attack.execution logsource: category: process_creation diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml index 54c431bb032..b4d3ceb3b30 100644 --- a/rules/windows/process_creation/win_susp_renamed_debugview.yml +++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml @@ -22,5 +22,5 @@ falsepositives: - Unknown level: high tags: - - attack.lateral_movement - - attack.discovery \ No newline at end of file + - attack.resource_development + - attack.t1588.002 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml index 1a817b30f42..fa3b379c870 100644 --- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml +++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml @@ -9,6 +9,7 @@ date: 2021/07/14 modified: 2021/11/11 tags: - attack.execution + - attack.t1059 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml index c1a92be586f..7fbc22deac3 100644 --- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml @@ -11,6 +11,7 @@ logsource: product: windows tags: - attack.credential_access + - attack.t1555 - cve.2021.35211 detection: selection: diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml index dea91d765cf..de2b10c098f 100644 --- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml 
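Review bot: In the win_susp_renamed_debugview.yml hunk the replacement tags map an on-host process_creation detection to `attack.t1588.002` (Obtain Capabilities: Tool), which describes adversary tool acquisition before an intrusion rather than anything an endpoint log observes; the same concern applies to the sysmon_hybridconnectionmgr_svc_installation.yml hunk further down, which swaps `attack.persistence` for `attack.t1608` (Stage Capabilities). A renamed tool is closer to `attack.defense_evasion` with `attack.t1036` (Masquerading), and the service-installation rule arguably should keep `attack.persistence`. If tagging with resource_development is a deliberate project convention, a short comment beside the tag would stop the next reviewer from flagging it again.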
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml @@ -7,6 +7,7 @@ references: - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b tags: - attack.execution + - attack.t1059 author: Florian Roth date: 2018/06/22 modified: 2018/12/11 diff --git a/rules/windows/process_creation/win_susp_winrar_execution.yml b/rules/windows/process_creation/win_susp_winrar_execution.yml new file mode 100644 index 00000000000..e2d6aa6b4f2 --- /dev/null +++ b/rules/windows/process_creation/win_susp_winrar_execution.yml @@ -0,0 +1,28 @@ +title: Winrar Execution in Non-Standard Folder +id: 4ede543c-e098-43d9-a28f-dd784a13132f +status: experimental +description: Detects a suspicious winrar execution in a folder which is not the default installation folder +references: + - https://twitter.com/cyb3rops/status/1460978167628406785 +author: Florian Roth, Tigzy +date: 2021/11/17 +tags: + - attack.collection + - attack.t1560.001 + - attack.exfiltration # an old one + - attack.t1002 # an old one +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\rar.exe' + - '\winrar.exe' + - Description: 'Command line RAR' + filter: + Image|contains: '\WinRAR' + condition: selection and not filter +falsepositives: + - Legitimate use of WinRAR in a folder of a software that bundles WinRAR +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index c480fcbf797..58a758875c1 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/11/09 +modified: 2021/11/18 tags: - attack.command_and_control - attack.execution 
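Review bot: The `filter` in the new win_susp_winrar_execution.yml excludes every image whose path contains `\WinRAR` anywhere (Sigma string matching is case-insensitive by default), so a copy sitting in any user-created `\winrar\` folder is filtered exactly like the default install, which is broader than the "default installation folder" the description promises. Anchoring the filter to the install locations, i.e. `Image|startswith:` with `- 'C:\Program Files\WinRAR\'` and `- 'C:\Program Files (x86)\WinRAR\'`, keeps the description honest; if portable copies are meant to be tolerated, say so under falsepositives instead. The `Description: 'Command line RAR'` alternative in `selection` is the branch that still catches a renamed binary and deserves a one-line comment saying so.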
@@ -20,9 +20,14 @@ detection: CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' + - '.dll' Image|endswith: - '\wuauclt.exe' - condition: selection + filter: + CommandLine|contains: + - ' /ClassId ' + - ' wuaueng.dll ' + condition: selection and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml index 03448ef3550..57908d8fbc4 100644 --- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml +++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml @@ -1,6 +1,7 @@ title: Java Running with Remote Debugging id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect +status: experimental author: Florian Roth date: 2019/01/16 modified: 2020/08/29 diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index 09d43265660..5b06496a8bc 100644 --- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -2,6 +2,7 @@ title: Webshell Detection With Command Line Keywords id: bed2a484-9348-4143-8a8a-b801c979301c description: Detects certain command line parameters often used during reconnaissance activity via web shells author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community +status: experimental references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 57389c082a7..bc8e5672451 100644 
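Review bot: Both entries of the new `filter` are padded with a space on each side (`' /ClassId '`, `' wuaueng.dll '`), so a legitimate invocation in which that token is the final argument has no trailing space and passes the filter, producing a high-level alert on benign activity. If that argument order occurs in practice (confirm against the dtm.uk reference and real wuauclt.exe command lines), pair each `contains` entry with a `CommandLine|endswith:` variant such as `' wuaueng.dll'`, or drop the trailing space and accept the looser match. The `'.dll'` addition to `contains|all` is reasonable but should carry a comment on why a DLL path is now required for the selection.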
--- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2021/11/09 +modified: 2021/11/20 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -32,7 +32,11 @@ detection: - '\vds.exe' - '\lsass.exe' - '\svchost.exe' - condition: not filter_1 and not filter_2 + - 'C:\Windows\System32\taskhostw.exe' + - 'C:\Windows\System32\SrTasks.exe' + filter_3: + ProcessId: 4 + condition: not filter_1 and not filter_2 and not filter_3 fields: - ComputerName - Image diff --git a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml index a1ee3e87448..7378e096c09 100644 --- a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml +++ b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml @@ -4,6 +4,7 @@ related: - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 type: derived description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 +status: experimental references: - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ tags: diff --git a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml index ab26594b2e7..8f5c2b1bf34 100644 --- a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml 
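Review bot: The two paths added to the filter list use a full-path form (`C:\Windows\System32\taskhostw.exe`) while the existing entries use the `\name.exe` suffix form; the field and modifier for that list sit above the hunk, so if it is an `endswith` match the new entries are merely stricter, but the mixed style should be made deliberate with a comment or unified. `filter_3` keying on `ProcessId: 4` also deserves a comment, e.g. `# PID 4 is the System process (kernel-originated raw volume access) — confirm on the deployed Sysmon version`, since a bare number tells the reader nothing. The condition remains purely exclusion-based (`not filter_1 and not filter_2 and not filter_3`), so every added filter widens the blind spot; the full-path style is the safer of the two for new entries.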
@@ -1,6 +1,7 @@ title: NetNTLM Downgrade Attack id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 description: Detects NetNTLM downgrade attack +status: experimental references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks author: Florian Roth, wagga diff --git a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml index 2ec90b7c1d0..5951458574c 100755 --- a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml @@ -2,6 +2,7 @@ title: Sticky Key Like Backdoor Usage id: baca5663-583c-45f9-b5dc-ea96a22ce542 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen +status: experimental references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ tags: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 52a4072ff45..b8788764875 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -11,7 +11,7 @@ tags: - attack.t1547.001 - attack.t1060 # an old one date: 2019/10/25 -modified: 2021/11/11 +modified: 2021/11/20 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton logsource: category: registry_event @@ -191,7 +191,8 @@ detection: - '\Lsa\Authentication Packages' - '\BootVerificationProgram\ImagePath' filter: - Details: '(Empty)' + - Details: '(Empty)' + - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount' condition: main_selection or session_manager_base and session_manager or current_version_base and current_version or 
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml index e3f50de162f..474dbecb65b 100755 --- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml +++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml @@ -1,6 +1,7 @@ title: Windows Credential Editor Registry id: a6b33c02-8305-488f-8585-03cb2a7763f2 description: Detects the use of Windows Credential Editor (WCE) +status: experimental author: Florian Roth references: - https://www.ampliasecurity.com/research/windows-credentials-editor/ diff --git a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml index 3563a2722aa..f9e53a3dc20 100644 --- a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml +++ b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml @@ -5,7 +5,8 @@ status: experimental date: 2021/04/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - - attack.persistence + - attack.resource_development + - attack.t1608 references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 logsource: diff --git a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml index 4a904157046..f14fcbfe086 100755 --- a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml +++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml @@ -1,6 +1,7 @@ title: RDP Sensitive Settings Changed id: 171b67e1-74b4-460e-8d55-b331f3e32d67 description: Detects changes to RDP terminal service sensitive settings +status: experimental references: - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html date: 2019/04/03 diff --git a/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml index e1a83679bf0..13b19284894 100644 
--- a/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml +++ b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml @@ -1,6 +1,7 @@ title: RedMimicry Winnti Playbook Registry Manipulation id: 5b175490-b652-4b02-b1de-5b5b4083c5f8 description: Detects actions caused by the RedMimicry Winnti playbook +status: experimental references: - https://redmimicry.com author: Alexander Rausch diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml index c8404f2cc14..190f33f2ceb 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml @@ -1,6 +1,7 @@ title: SilentProcessExit Monitor Registrytion id: c81fe886-cac0-4913-a511-2822d72ff505 description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process +status: experimental author: Florian Roth references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml index 66a5dc12a21..18f83195ac6 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml @@ -1,6 +1,7 @@ title: SilentProcessExit Monitor Registrytion for LSASS id: 55e29995-75e7-451a-bef0-6225e2f13597 description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory +status: experimental author: Florian Roth references: - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ 
diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index c7373356780..3cc60515e21 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml @@ -8,6 +8,7 @@ author: Florian Roth date: 2020/07/01 tags: - attack.privilege_escalation + - attack.t1574 - cve.2021.1675 logsource: category: registry_event diff --git a/rules/windows/registry_event/sysmon_runkey_winekey.yml b/rules/windows/registry_event/sysmon_runkey_winekey.yml index 636015fce0a..f6367545dcb 100644 --- a/rules/windows/registry_event/sysmon_runkey_winekey.yml +++ b/rules/windows/registry_event/sysmon_runkey_winekey.yml @@ -1,6 +1,7 @@ title: WINEKEY Registry Modification id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5 description: Detects potential malicious modification of run keys by winekey or team9 backdoor +status: experimental date: 2020/10/30 author: omkar72 references: diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml index 2800e4ee657..964609701c9 100644 --- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml +++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml @@ -1,6 +1,7 @@ title: Atbroker Registry Change id: 9577edbb-851f-4243-8c91-1d5b50c1a39b description: Detects creation/modification of Assisitive Technology applications and persistence with usage of ATs +status: experimental author: Mateusz Wydra, oscd.community references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml index 77400edbc7f..d68b3dfef1e 100644 --- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml 
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml @@ -1,6 +1,7 @@ title: Suspicious Camera and Microphone Access id: 62120148-6b7a-42be-8b91-271c04e281a3 description: Detects Processes accessing the camera and microphone from suspicious folder +status: experimental author: Den Iuzvyk date: 2020/06/07 modified: 2021/09/17 diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index a7842bbee2c..6c26c7786f1 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml @@ -1,5 +1,6 @@ title: Suspicious Keyboard Layout Load id: 34aa0252-6039-40ff-951f-939fd6ce47d8 +status: experimental description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only references: diff --git a/rules/windows/registry_event/sysmon_taskcache_entry.yml b/rules/windows/registry_event/sysmon_taskcache_entry.yml index a4b72df0dbd..f149e51cc1f 100644 --- a/rules/windows/registry_event/sysmon_taskcache_entry.yml +++ b/rules/windows/registry_event/sysmon_taskcache_entry.yml @@ -1,6 +1,7 @@ title: New TaskCache Entry id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered +status: experimental tags: - attack.persistence - attack.t1053 diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index 883c5863abe..cd7301c71dc 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml 
@@ -1,6 +1,7 @@ title: Registry Persistence Mechanisms id: 36803969-5421-41ec-b92f-8500f79c23b0 description: Detects persistence registry keys +status: experimental references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ date: 2018/04/11 diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence_recycle_bin.yml b/rules/windows/registry_event/sysmon_win_reg_persistence_recycle_bin.yml new file mode 100644 index 00000000000..e032cb43d84 --- /dev/null +++ b/rules/windows/registry_event/sysmon_win_reg_persistence_recycle_bin.yml @@ -0,0 +1,24 @@ +title: Registry Persistence Mechanisms in Recycle Bin +id: 277efb8f-60be-4f10-b4d3-037802f37167 +description: Detects persistence registry keys for Recycle Bin +references: + - https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf +date: 2021/11/18 +author: frack113 +logsource: + category: registry_event + product: windows +detection: + Create_key: + EventType: RenameKey + NewName: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open + Set_key: + EventType: SetValue + TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default) + condition: Create_key or Set_key +tags: + - attack.persistence + - attack.t1547 +falsepositives: + - unknown +level: critical diff --git a/rules/windows/registry_event/win_registry_file_association_exefile.yml b/rules/windows/registry_event/win_registry_file_association_exefile.yml new file mode 100644 index 00000000000..21f066f400a --- /dev/null +++ b/rules/windows/registry_event/win_registry_file_association_exefile.yml 
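Review bot: The new sysmon_win_reg_persistence_recycle_bin.yml has no `status` field, although this commit adds `status: experimental` to every other rule missing it and the sibling new rule win_registry_file_association_exefile.yml includes one; add `status: experimental`. Both selections match the key path exactly under `HKCR\CLSID\…`; if Sysmon reports a write to the same CLSID made through the per-user Classes hive under `HKU\` (I believe it does — confirm on a test host), an unprivileged persistence write would be missed, and `TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\'` would cover both locations. The selection names `Create_key` / `Set_key` also break the lowercase `selection_*` naming used elsewhere in the repository.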
@@ -0,0 +1,22 @@ +title: New File Association Using Exefile +id: 44a22d59-b175-4f13-8c16-cbaef5b581ff +description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products. +author: Andreas Hunkeler (@Karneades) +date: 2021/11/19 +status: experimental +references: + - https://twitter.com/mrd0x/status/1461041276514623491 +tags: + - attack.defense_evasion +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|contains: 'Classes\.' + Details: 'exefile' + EventType: SetValue + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 22fa2806bb4..6ded1f970e1 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -9,6 +9,7 @@ references: author: Markus Neis, @markus_neis, Florian Roth tags: - attack.execution + - attack.t1204 - cve.2021.1675 - cve.2021.34527 date: 2021/07/04 diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml similarity index 73% rename from rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml rename to rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml index 9b2cf67ac34..8c30a7931c3 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml 
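Review bot: The new win_registry_file_association_exefile.yml tags only the tactic `attack.defense_evasion` while this same commit adds technique ids to a dozen other rules; the matching technique is `attack.t1546.001` (Change Default File Association), and `attack.persistence` is the tactic it belongs to. `TargetObject|contains: 'Classes\.'` combined with `Details: 'exefile'` also fires when `Classes\.exe` itself is (re)written to its standard `exefile` handler, e.g. by an installer or an `assoc` repair — confirm how often that happens before shipping at `level: high`, and consider a filter such as `TargetObject|endswith: '\Classes\.exe\(Default)'`.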
@@ -1,18 +1,20 @@ -title: UAC Bypass Using Registry Shell Open Keys +title: Shell Open Registry Keys Manipulation id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 -description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) +description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) author: Christian Burkard date: 2021/08/30 -modified: 2021/09/17 +modified: 2021/11/19 status: experimental references: - https://github.com/hfiref0x/UACME - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass + - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021] tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 + - attack.t1546.001 logsource: category: registry_event product: windows diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml index c91e0d20c5e..9d97fafb44b 100644 --- a/rules/windows/sysmon/sysmon_config_modification_error.yml +++ b/rules/windows/sysmon/sysmon_config_modification_error.yml @@ -4,7 +4,7 @@ description: Someone try to hide from Sysmon status: experimental author: frack113 date: 2021/06/04 -modified: 2021/09/07 +modified: 2021/11/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html 
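Review bot: The new reference line embeds a note inside the URL scalar (`- https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]`), so any consumer that treats `references` as a list of URLs gets a broken link; put the annotation in a YAML comment instead: `- https://tria.ge/211119-gs7rtshcfr/behavioral2 # Lokibot sample from Nov 2021`. The rewritten description now claims coverage of exefile and ms-settings shell\open manipulation for persistence, yet this is the file's only hunk in the diff, so the detection block is unchanged; if the existing selection already matched those keys this is fine, otherwise the description overstates what the rule does.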
@@ -19,6 +19,8 @@ detection: Description|contains: - 'Failed to open service configuration with error' - 'Failed to connect to the driver to update configuration' + selection_filter: + Description: 'Failed to open service configuration with error 19' condition: selection_error falsepositives: - legitimate administrative action diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index cdfed557ce4..7d5d9cd20ad 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -3,10 +3,22 @@ order: 20 backends: - hawk logsources: + antivirus: + product: antivirus apache: product: apache conditions: - product_name: '*apache*' + product_name: + - 'apache*' + - 'httpd*' + cisco: + product: cisco + conditions: + vendor_name: 'Cisco' + django: + product: django + conditions: + vendor_name: 'Django' okta: service: okta conditions: @@ -429,3 +441,4 @@ fieldmappings: Priority: event_priority event_type_id: vendor_id eventtype: vendor_type + destination.port: ip_dport diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 904e81563bc..a44336b2b69 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -56,7 +56,6 @@ def cleanKey(self, key): def cleanValue(self, value): """Remove quotes in text""" - # return value.replace("\'","\\\'") return value def generateNode(self, node, notNode=False): @@ -95,7 +94,14 @@ def generateNode(self, node, notNode=False): # they imply the entire payload nodeRet['description'] = key nodeRet['rule_id'] = str(uuid.uuid4()) - nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(node, False)) # .replace("\\","\\\\").replace(".","\\.") + value = self.generateValueNode(node, False).replace("*", "EEEESTAREEE") + value = re.escape(value) + value = value.replace("EEEESTAREEE", ".*") + if value[0:2] == ".*": + value = value[2:] + if value[-2:] == ".*": + value = value[:-2] + nodeRet['args']['str']['value'] = value # return json.dumps(nodeRet) return nodeRet elif type(node) == list: 
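Review bot: `selection_filter` is added but `condition: selection_error` is left untouched, so the new selection is never referenced and the rule behaves exactly as before. The intent is presumably to suppress the error-19 variant, which needs `condition: selection_error and not selection_filter`; naming it `filter_error_19` would also make the purpose clear and match how filters are named elsewhere in this commit. A one-line comment on what error 19 corresponds to would help the next reader, since the number is otherwise opaque.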
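Review bot: The wildcard-to-regex sequence introduced in generateNode (sentinel substitution, `re.escape`, restoring `.*`, trimming an unanchored `.*` at either end) is copied verbatim into generateMapItemNode, generateMapItemListNode and generateMapItemTypedNode in the following hunks, with slightly different slicing (`[0:2]` vs `[:2]`). Pull it into one method on the class and call it from all four sites, e.g. `nodeRet['args']['str']['value'] = self.wildcardToRegex(self.generateValueNode(node, False))`. The enclosing generateNode starts before the hunk.

```python
    def wildcardToRegex(self, value):
        """Turn a Sigma wildcard string into a HAWK regex.

        Every character except '*' is escaped as a literal and '*' becomes
        '.*'; an unanchored '.*' at the start or end is dropped (presumably
        redundant for the backend's search — confirm).
        """
        value = value.replace("*", "EEEESTAREEE")
        value = re.escape(value)
        value = value.replace("EEEESTAREEE", ".*")
        if value[:2] == ".*":
            value = value[2:]
        if value[-2:] == ".*":
            value = value[:-2]
        return value
```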
@@ -182,9 +188,13 @@ def generateMapItemNode(self, node, notNode=False): if key.lower() in ("logname","source"): self.logname = value elif type(value) == str and "*" in value: - # value = value.replace("*", ".*") - value = value.replace("*", "") - value = re.escape(value) # .replace("\\", "\\\\").replace(".","\\.") + value = value.replace("*", "EEEESTAREEE") + value = re.escape(value) + value = value.replace("EEEESTAREEE", ".*") + if value[0:2] == ".*": + value = value[2:] + if value[-2:] == ".*": + value = value[:-2] if notNode: nodeRet["args"]["comparison"]["value"] = "!=" else: @@ -247,10 +257,13 @@ def generateMapItemListNode(self, key, value, notNode=False): nodeRet['args']['str']['value'] = 'null' ret['children'].append( nodeRet ) elif type(item) == str and "*" in item: - item = item.replace("*", "") - item = re.escape(item) # .replace("\\", "\\\\").replace(".","\\.") - #print("item") - #print(item) + item = item.replace("*", "EEEESTAREEE") + item = re.escape(item) + item = item.replace("EEEESTAREEE", ".*") + if item[:2] == ".*": + item = item[2:] + if item[-2:] == ".*": + item = item[:-2] nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True) nodeRet['args']['str']['regex'] = "true" if notNode: @@ -259,8 +272,6 @@ def generateMapItemListNode(self, key, value, notNode=False): nodeRet['args']['comparison']['value'] = "=" ret['children'].append( nodeRet ) else: - #print("item2") - #print(item) nodeRet['args']['str']['value'] = self.generateValueNode(item, True) ret['children'].append( nodeRet ) retAnd = { "id" : "and", "key": "And", "children" : [ ret ] } 
@@ -273,14 +284,20 @@ def generateMapItemTypedNode(self, fieldname, value, notNode=False): nodeRet['description'] = fieldname nodeRet['rule_id'] = str(uuid.uuid4()) if type(value) == SigmaRegularExpressionModifier: - regex = str(value) - nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(regex, True)) # .replace("\\", "\\\\").replace(".","\\.") + value = str(value) + value = value.replace("*", "EEEESTAREEE") + value = re.escape(self.generateValueNode(value, True)) + value = value.replace("EEEESTAREEE", ".*") + if value[:2] == ".*": + value = value[2:] + if value[-2:] == ".*": + value = value[:-2] + nodeRet['args']['str']['value'] = value nodeRet['args']['str']['regex'] = "true" if notNode: nodeRet["args"]["comparison"]["value"] = "!=" else: nodeRet['args']['comparison']['value'] = "=" - # return json.dumps(nodeRet) return nodeRet else: raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) @@ -290,7 +307,13 @@ def generateValueNode(self, node, keypresent): def generateNULLValueNode(self, node, notNode): # node.item - nodeRet = {"key": node.item, "description": node.item, "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "null" } } } + nodeRet = { "key" : "empty", "description" : "Value Does Not Exist (IS NULL)", "class" : "function", "inputs" : { "comparison" : { "order" : 0, "source" : "comparison", "type" : "comparison" }, "column" : { "order" : 1, "source" : "columns", "type" : "str" } }, "args" : { "comparison" : { "value" : "!=" }, "column" : { "value" : node.item } }, "return" : "boolean" } + nodeRet['args']['column']['value'] = self.cleanKey(node.item).lower() + nodeRet['description'] += " %s" % key + if notNode: + nodeRet['args']['comparison']['value'] = "!=" + else: + nodeRet['args']['comparison']['value'] = "=" nodeRet['rule_id'] = str(uuid.uuid4()) # return json.dumps(nodeRet) return nodeRet 
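Review bot: The new code still passes a `SigmaRegularExpressionModifier` value through `re.escape`, so every metacharacter of a rule's `|re` pattern is escaped and the resulting HAWK rule matches the regex text literally rather than the regex; only the `*` survives via the placeholder. The original code had the same escape, so this is not a regression, but since the branch was rewritten it is the moment to either skip `re.escape` for this modifier or add a comment such as `# NOTE: the rule's regex is escaped here, i.e. treated as a literal with '*' wildcards — intentional?`. The function's header and the `else` raise sit partly outside the hunk.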
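Review bot: `nodeRet['description'] += " %s" % key` in generateNULLValueNode references `key`, which is not a parameter of this method and is not assigned anywhere in the hunk, so every null-value node will raise `NameError` at conversion time. The field being tested is already computed one line earlier, so `nodeRet['description'] += " %s" % nodeRet['args']['column']['value']` (or `node.item`) is what was presumably meant. The `"comparison": "!="` default in the literal is immediately overwritten by the `if notNode` branch and could be dropped from the literal to avoid suggesting it matters.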
diff --git a/tools/sigma/backends/uberagent.py b/tools/sigma/backends/uberagent.py index 682e91161df..53ef3784feb 100644 --- a/tools/sigma/backends/uberagent.py +++ b/tools/sigma/backends/uberagent.py @@ -1,6 +1,6 @@ import re import sigma -from .base import SingleTextQueryBackend +from sigma.backends.base import SingleTextQueryBackend from sigma.parser.condition import SigmaAggregationParser, NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT from sigma.parser.exceptions import SigmaParseError from .mixins import MultiRuleOutputMixin @@ -8,6 +8,8 @@ from sigma.parser.modifiers.type import SigmaRegularExpressionModifier from ..parser.modifiers.base import SigmaTypeModifier +gUnsupportedCategories = {} + def convert_sigma_level_to_uberagent_risk_score(level): """Converts the given Sigma rule level to uberAgent ESA RiskScore property.""" @@ -35,12 +37,22 @@ def convert_sigma_category_to_uberagent_event_type(category): categories = { "process_creation": "Process.Start", "image_load": "Image.Load", - "dns": "Dns.Query" + "dns": "Dns.Query", + "dns_query": "Dns.Query", + "network_connection": "Net.Any", + "firewall": "Net.Any", + "create_remote_thread": "Process.CreateRemoteThread", + "registry_event": "Reg.Any" } if category in categories: return categories[category] + if category in gUnsupportedCategories: + gUnsupportedCategories[category] += 1 + else: + gUnsupportedCategories[category] = 1 + return None @@ -116,18 +128,21 @@ def __init__(self): "Net.Target.Ip", "Net.Target.Name", "Net.Target.Port", - "Net.Target.Protocol" + "Net.Target.Protocol", + "Net.Source.Ip", + "Net.Source.Port", ], "Reg.": [ "Reg.Key.Path", "Reg.Key.Path.New", - "Reg.Key.Path.Old" + "Reg.Key.Path.Old", "Reg.Key.Name", "Reg.Parent.Key.Path", "Reg.Value.Name", "Reg.File.Name", "Reg.Key.Sddl", "Reg.Key.Hive", + "Reg.Key.Target" ], "Dns.": [ "Dns.QueryRequest", 
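Review bot: The import change is inconsistent: `SingleTextQueryBackend` now comes from the absolute `sigma.backends.base` while `.mixins` and `..parser.modifiers.base` in the same block stay relative, so the module now depends on both an installed `sigma` package and its own package position. Either all three should move to absolute imports or this one should stay relative; a one-line comment explaining why this import alone must be absolute would also do if there is a reason the diff does not show.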
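Review bot: `gUnsupportedCategories` is a mutable module-level dict that convert_sigma_category_to_uberagent_event_type mutates as a side effect, so the counts printed in finalize accumulate across every backend instance in the process and across repeated calls for the same rule; if the converter is called more than once per rule the numbers will be inflated, which the diff does not let me rule out. At minimum the manual increment can be the single line `gUnsupportedCategories[category] = gUnsupportedCategories.get(category, 0) + 1`, or the dict can be a `collections.Counter`; better still, count on the backend instance where finalize already lives. The name should also be documented, e.g. `# category -> number of rules skipped because no uberAgent event type maps to it`.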
@@ -179,7 +194,8 @@ def __str__(self): # The Description is optional. if len(self.description) > 0: - result += "# {}\n".format(self.description) + for description_line in self.description.splitlines(): + result += "# {}\n".format(description_line) # Make sure all required properties have at least a value that is somehow usable. if self.event_type is None: @@ -205,6 +221,9 @@ def __str__(self): result += "Query = {}\n".format(self.query) + if self.event_type == "Reg.Any": + result += "Hive = HKLM,HKU\n" + counter = 1 for event_type_prefix in self.generic_properties: if self.event_type.startswith(event_type_prefix): @@ -319,9 +338,31 @@ class uberAgentBackend(SingleTextQueryBackend): }, "dns": { "query": "Dns.QueryRequest", - # Not yet supported. - # "record_type": "Dns.QueryResponseType", "answer": "Dns.QueryResponse" + }, + "dns_query": { + "queryname": "Dns.QueryRequest", + }, + "network_connection": { + "destinationport": "Net.Target.Port", + "destinationip": "Net.Target.Ip", + "destinationhostname": "Net.Target.Name", + "destinationisipv6": "Net.Target.IpIsV6", + "sourceport": "Net.Source.Port" + }, + "firewall": { + "destination.port": "Net.Target.Port", + "dst_ip": "Net.Target.Ip", + "src_ip": "Net.Source.Ip" + }, + "create_remote_thread": { + "targetimage": "Process.Path", + "startmodule": "Thread.StartModule", + "startfunction": "Thread.StartFunctionName" + }, + "registry_event": { + "targetobject": "Reg.Key.Target", + "newname": "Reg.Key.Path.New" } } @@ -339,7 +380,14 @@ class uberAgentBackend(SingleTextQueryBackend): "parent_domain", "signed", "parentofparentimage", - "record_type" + "record_type", # Related to network (DNS). + "querystatus", # Related to network (DNS). + "initiated", # Related to network connections. Seen as string 'true' / 'false'. + "action", # Related to firewall category. + "targetprocessaddress", + "sourceimage", + "eventtype", + "details" ] rules = [] 
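Review bot: Adding `action`, `initiated`, `targetprocessaddress`, `sourceimage`, `eventtype` and `details` to `ignoreFieldList` silently drops those constraints from the generated rule: fieldNameMapping raises `IgnoreFieldException` for them, and if that exception simply skips the term (the handler is outside this diff) a firewall rule keyed on `action: blocked` or a network rule keyed on `initiated: true` becomes a rule that fires on every connection. That is a broadening of the original detection logic and deserves at least a comment in the list, e.g. `# Dropping a field removes that constraint: the generated rule is broader than the Sigma source`, and ideally a warning at generation time naming the rule and field. The `@@ -205` hunk's hard-coded `Hive = HKLM,HKU` for `Reg.Any` is a similar silent scope decision and would benefit from the same kind of comment.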
@@ -356,7 +404,8 @@ def fieldNameMapping(self, fieldname, value): if key in self.ignoreFieldList: raise IgnoreFieldException() else: - raise NotImplementedError('The fieldname %s is not implemented.' % fieldname) + raise NotImplementedError( + 'The field name %s in category %s is not implemented.' % (fieldname, self.current_category)) return self.fieldMapping[key] @@ -405,7 +454,7 @@ def generate(self, sigmaparser): def serialize_file(self, name, level): count = 0 - with open(name, "w") as file: + with open(name, "w", encoding='utf8') as file: write_file_header(file, level) for rule in self.rules: try: @@ -419,10 +468,10 @@ def serialize_file(self, name, level): return count def finalize(self): - count_critical = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-critical.conf", "critical") - count_high = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-high.conf", "high") - count_low = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-low.conf", "low") - count_medium = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-medium.conf", "medium") + count_critical = self.serialize_file("uberAgent-ESA-am-sigma-critical.conf", "critical") + count_high = self.serialize_file("uberAgent-ESA-am-sigma-high.conf", "high") + count_low = self.serialize_file("uberAgent-ESA-am-sigma-low.conf", "low") + count_medium = self.serialize_file("uberAgent-ESA-am-sigma-medium.conf", "medium") print("Generated {} activity monitoring rules..".format(len(self.rules))) print( "This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical, @@ -430,6 +479,10 @@ def finalize(self): count_medium, count_low)) + print("There are %d unsupported categories." % len(gUnsupportedCategories)) + for category in gUnsupportedCategories: + print("Category %s has %d unsupported rules." % (category, gUnsupportedCategories[category])) + def generateTypedValueNode(self, node): raise IgnoreTypedModifierException()
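Review bot: The new error message reads `self.current_category`, but nothing in this diff sets that attribute, so if it is not initialised before the first fieldNameMapping call the unsupported-field path raises `AttributeError` instead of the intended `NotImplementedError`. Either the attribute is assigned in generate() outside the hunk, in which case a short comment here would help, or the message should fall back with `getattr(self, 'current_category', 'unknown')`. The rest of fieldNameMapping lies above the hunk.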