2017-03-26 00:26:34 +00:00
|
|
|
title: Detects Suspicious Process Creations
|
|
|
|
description: Detects suspicious process starts on Windows systems bsed on keywords
|
|
|
|
status: experimental
|
|
|
|
reference:
|
|
|
|
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
|
|
|
|
- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
|
2017-07-30 15:09:24 +00:00
|
|
|
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
|
|
|
|
- https://twitter.com/subTee/status/872244674609676288
|
|
|
|
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
|
|
|
|
- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
|
|
|
|
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
|
|
|
|
- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
|
|
|
|
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
|
2017-03-26 00:26:34 +00:00
|
|
|
author: Florian Roth
|
|
|
|
logsource:
|
|
|
|
product: windows
|
|
|
|
service: security
|
|
|
|
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
|
|
|
detection:
|
2017-03-26 21:25:47 +00:00
|
|
|
selection:
|
2017-03-26 00:26:34 +00:00
|
|
|
EventID: 4688
|
2017-05-13 08:40:41 +00:00
|
|
|
CommandLine:
|
2017-03-26 00:26:34 +00:00
|
|
|
# Hacking activity
|
2017-03-26 21:25:47 +00:00
|
|
|
- 'vssadmin.exe delete shadows*'
|
|
|
|
- 'vssadmin delete shadows*'
|
|
|
|
- 'vssadmin create shadow /for=C:*'
|
|
|
|
- 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
|
|
|
|
- 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
|
|
|
|
- 'reg SAVE HKLM\SYSTEM *'
|
|
|
|
- '* sekurlsa:*'
|
|
|
|
- 'net localgroup adminstrators * /add'
|
|
|
|
- 'net group "Domain Admins" * /ADD /DOMAIN'
|
2017-07-20 18:54:55 +00:00
|
|
|
- 'certutil.exe *-urlcache* http*'
|
|
|
|
- 'certutil.exe *-urlcache* ftp*'
|
2017-03-26 00:26:34 +00:00
|
|
|
# Malware
|
2017-03-26 21:25:47 +00:00
|
|
|
- 'netsh advfirewall firewall *\AppData\*'
|
2017-03-26 00:26:34 +00:00
|
|
|
- 'attrib +S +H +R *\AppData\*'
|
2017-03-26 21:25:47 +00:00
|
|
|
- 'schtasks* /create *\AppData\*'
|
2017-04-28 15:03:35 +00:00
|
|
|
- 'schtasks* /sc minute*'
|
2017-03-26 21:41:38 +00:00
|
|
|
- '*\Regasm.exe *\AppData\*'
|
|
|
|
- '*\Regasm *\AppData\*'
|
|
|
|
- '*\bitsadmin* /transfer*'
|
2017-03-27 20:30:26 +00:00
|
|
|
- '*\certutil.exe * -decode *'
|
|
|
|
- '*\certutil.exe * -decodehex *'
|
2017-07-23 20:51:57 +00:00
|
|
|
- '*\certutil.exe -ping *'
|
2017-05-12 19:55:30 +00:00
|
|
|
- 'icacls * /grant Everyone:F /T /C /Q'
|
2017-05-13 08:40:41 +00:00
|
|
|
- '* wmic shadowcopy delete *'
|
2017-03-26 00:26:34 +00:00
|
|
|
# Scripts
|
2017-03-26 21:41:38 +00:00
|
|
|
- '*\wscript.exe *.jse'
|
|
|
|
- '*\wscript.exe *.js'
|
|
|
|
- '*\wscript.exe *.vba'
|
|
|
|
- '*\wscript.exe *.vbe'
|
|
|
|
- '*\cscript.exe *.jse'
|
|
|
|
- '*\cscript.exe *.js'
|
|
|
|
- '*\cscript.exe *.vba'
|
|
|
|
- '*\cscript.exe *.vbe'
|
2017-07-30 15:09:24 +00:00
|
|
|
# UAC bypass
|
|
|
|
- '*\fodhelper.exe'
|
|
|
|
# persistence
|
|
|
|
- '*waitfor*/s*'
|
|
|
|
- '*waitfor*/si persist*'
|
|
|
|
# remote
|
|
|
|
- '*remote*/s*'
|
|
|
|
- '*remote*/c*'
|
|
|
|
- '*remote*/q*'
|
|
|
|
# AddInProcess
|
|
|
|
- '*AddInProcess*'
|
|
|
|
# NotPowershell (nps) attack
|
|
|
|
- '*msbuild*'
|
2017-03-26 00:26:34 +00:00
|
|
|
condition: selection
|
|
|
|
falsepositives:
|
|
|
|
- False positives depend on scripts and administrative tools used in the monitored environment
|
|
|
|
level: medium
|