From 1317fe9df219bfaee0a9d25797a18f9df108b816 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Sat, 4 Mar 2017 14:22:44 -0800
Subject: [PATCH 1/3] Modifications + Added Sysmon detection of Office binaries spawning Windows shells + Additional web servers added for webshell detection
---
 rules/windows/sysmon/sysmon_office_shell.yml | 28 +++++++++++++++++++
 .../sysmon/sysmon_webshell_detection.yml | 10 +++++--
 .../windows/sysmon/sysmon_webshell_spawn.yml | 2 ++
 3 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 rules/windows/sysmon/sysmon_office_shell.yml
diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
new file mode 100644
index 00000000..cc799c69
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -0,0 +1,28 @@
+title: Microsoft Office Product Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
+reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+author: Michael Haag
+logsource:
+ product: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage:
+ - '*\WINWORD.EXE'
+ - '*\EXCEL.EXE'
+ - '*\POWERPNT.exe'
+ - '*\MSPUB.exe'
+ - '*\VISIO.exe'
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\scrcons.exe'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml
index c183fe50..c5ca987f 100644
--- a/rules/windows/sysmon/sysmon_webshell_detection.yml
+++ b/rules/windows/sysmon/sysmon_webshell_detection.yml
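Review bot: The ParentImage values in sysmon_office_shell.yml mix casing (`'*\WINWORD.EXE'`, `'*\EXCEL.EXE'` next to `'*\POWERPNT.exe'`, `'*\MSPUB.exe'`, `'*\VISIO.exe'`) while every Image value is lowercase; Sigma backends generally compare case-insensitively, but the inconsistency reads as though case were significant, so normalise the five parents to lowercase to match the Image list. The Image list covers `scrcons.exe` but not `mshta.exe`, which patch 2/3 of this series treats as a shell launcher in its own right, so adding `- '*\mshta.exe'` here would keep the two rules' notion of "Windows shell" aligned. `falsepositives: - unknown` paired with `level: high` deserves a second look: Office add-ins and macro-driven automation that legitimately start cmd.exe or wscript.exe will match, and naming the benign sources observed during baselining in `falsepositives` would help the analyst tune rather than mute the rule.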
@@ -1,4 +1,4 @@
-title: Webshell Detection With Command Line Keywords
+title: Webshell Detection With Command Line Keywords
 description: Detects certain command line parameters often used during reconnissaince activity via web shells
 author: Florian Roth
 logsource:
@@ -9,12 +9,16 @@ detection:
 ParentImage:
 - '*\apache*'
 - '*\tomcat*'
- CommandLine:
+ - '*\w3wp.exe'
+ - '*\php-cgi.exe'
+ - '*\nginx.exe'
+ - '*\httpd.exe'
+ CommandLine:
 - 'whoami'
 - 'net user'
 - 'ping -n'
+ - 'systeminfo'
 condition: selection
 falsepositives:
 - unknown
 level: high
-
diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml
index fd092c48..51359a62 100644
--- a/rules/windows/sysmon/sysmon_webshell_spawn.yml
+++ b/rules/windows/sysmon/sysmon_webshell_spawn.yml
@@ -11,10 +11,12 @@ detection:
 - '*\w3wp.exe'
 - '*\httpd.exe'
 - '*\nginx.exe'
+ - '*\php-cgi.exe'
 Image:
 - '*\cmd.exe'
 - '*\sh.exe'
 - '*\bash.exe'
+ - '*\powershell.exe'
 condition: selection
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
From 4ac5d8647905c99d5033011b3f0fba50c6680d78 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Sat, 4 Mar 2017 14:33:09 -0800
Subject: [PATCH 2/3] mshta shells :shell: for all!
---
 .../sysmon/sysmon_mshta_spawn_shell.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
new file mode 100644
index 00000000..aa83953d
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
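Review bot: The added `- 'systeminfo'` in the second hunk of sysmon_webshell_detection.yml is a plain value with no wildcard, and the Sigma specification treats a plain string as a match against the whole field value, so as written it would fire only when CommandLine is exactly `systeminfo` rather than when that token appears inside a longer command line; the three existing keywords beside it (`'whoami'`, `'net user'`, `'ping -n'`) share the same property. If substring matching is intended, write `- '*systeminfo*'` and likewise wrap the existing three, consistent with the wildcard style the same hunk already uses for ParentImage. Whether the backend in use happens to match plain values as substrings cannot be told from the diff, so confirm that before relying on this rule. The `-`/`+` swap of the `CommandLine:` line here, and of the title line in the first hunk, shows no visible textual difference, so it is presumably an indentation or trailing-whitespace fix; a one-line commit note saying so would save the next reader from hunting for the change.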
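Review bot: After this hunk sysmon_webshell_spawn.yml and sysmon_webshell_detection.yml each carry their own web-server ParentImage list, and the two now diverge: the visible part of this list is `w3wp.exe`, `httpd.exe`, `nginx.exe` plus the new `php-cgi.exe`, whereas the sibling rule also has `'*\apache*'` and `'*\tomcat*'` (the first ten lines of this file sit outside the hunk, so entries may exist above). Since both rules key on the same parent processes, a server added to one and forgotten in the other leaves a coverage gap that is easy to miss; keeping the two lists identical, or noting in each rule's `description` that the other is the canonical list, would make that drift visible. Adding `'*\powershell.exe'` to Image also widens the benign surface the existing `falsepositives` entry alludes to, so it is worth stating which web applications are known to launch PowerShell legitimately.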
@@ -0,0 +1,23 @@
+title: MSHTA Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from MSHTA.
+reference: https://www.trustedsec.com/july-2015/malicious-htas/
+author: Michael Haag
+logsource:
+ product: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage:
+ - '*\mshta.exe'
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ condition: selection
+falsepositives:
+ - Minimal FPs.
+level: high
From a3cd7123a8510397a1eb5430da31f225039eda6e Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Sat, 4 Mar 2017 14:40:34 -0800
Subject: [PATCH 3/3] wscript/cscript WSF, JSE, JS, VBA and VBE file execution
---
 .../sysmon/sysmon_susp_file_execution.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_susp_file_execution.yml
diff --git a/rules/windows/sysmon/sysmon_susp_file_execution.yml b/rules/windows/sysmon/sysmon_susp_file_execution.yml
new file mode 100644
index 00000000..3f6a606b
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_file_execution.yml
@@ -0,0 +1,22 @@
+title: WSF, JSE, JS, VBA and VBE file execution
+status: experimental
+description: Detects suspicious file execution by wscript and cscript.
+author: Michael Haag
+logsource:
+ product: sysmon
+detection:
+ selection:
+ EventID: 1
+ Image:
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ CommandLine:
+ - '*.jse'
+ - '*.vbe'
+ - '*.js'
+ - '*.vba'
+ - '*.vbe'
+ condition: selection
+falsepositives:
+ - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
+level: medium
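Review bot: `falsepositives: - Minimal FPs.` in sysmon_mshta_spawn_shell.yml is a verdict rather than a description; the field is meant to tell an analyst which benign activity to expect so the rule can be tuned, so either list the legitimate HTA-based tools known in the environment or use `- unknown` as the sibling rules in this series do. The Image list is the one from sysmon_office_shell.yml (patch 1/3) minus `'*\scrcons.exe'`; if that omission is deliberate, a comment such as `# scrcons.exe omitted: WMI consumer, not launched by mshta` would stop a later maintainer from re-synchronising the lists by hand. Consider reusing the same child-process list across the three shell-spawn rules so a new interpreter only has to be added once.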
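Review bot: The CommandLine list in sysmon_susp_file_execution.yml does not match the title: `WSF` is promised but there is no `'*.wsf'` entry, and `'*.vbe'` appears twice (new-file lines 15 and 18), which looks like the second occurrence was meant to be `'*.wsf'`; change the duplicate to `- '*.wsf'`. Each pattern is anchored to the end of the command line (`'*.js'` only matches when the whole CommandLine ends in `.js`), so a quoted script path or a script invoked with trailing arguments will not match; `'*.js*'`-style patterns would catch those at the cost of also hitting `.json` or `.jsp` paths, which is a trade-off worth stating next to the user-profile-path tuning advice already in `falsepositives`. `.vbs`, the most common VBScript extension, is covered by neither the title nor the list; if that is intentional a comment saying why would help, otherwise add `- '*.vbs'`.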