From 923391224a19b5d250d547d58999aff4822d9cca Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 18:27:36 -0500
Subject: [PATCH 01/28] Create powershell_azurehound_commands.yml
---
 .../powershell_azurehound_commands.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
new file mode 100644
index 00000000..491e1d7c
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
@@ -0,0 +1,30 @@
+title: AzureHound PowerShell Commands
+id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
+status: experimental
+description:
+references:
+ - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
+ - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
+author: Austin Songer (@austinsonger)
+date: 2021/10/23
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script Block Logging must be enable
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - "Invoke-AzureHound"
+ condition: selection
+tags:
+ - attack.discovery
+ - attack.t1482
+ - attack.t1087
+ - attack.t1087.001
+ - attack.t1087.002
+ - attack.t1069.001
+ - attack.t1069.002
+ - attack.t1069
+falsepositives:
+ - Penetration testing
+level: high
From 76aa8bf904c1efbb1882b1da36742d365a5340b7 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 19:50:03 -0500
Subject: [PATCH 02/28] Create windows_suspicious_rclone_execution.yml
---
 .../windows_suspicious_rclone_execution.yml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 rules/windows/process_creation/windows_suspicious_rclone_execution.yml
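Review bot: `description:` in the new rule is empty, so the rule ships without the one field an analyst reads first when the alert fires; something like `description: Detects execution of the AzureHound collector via Invoke-AzureHound in PowerShell script block logs` would cover it. The logsource definition has a typo and should read `definition: Script Block Logging must be enabled`. The `falsepositives` entry could also name authorized internal assessments, since the same collector is run by in-house security teams as well as by penetration testers.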
diff --git a/rules/windows/process_creation/windows_suspicious_rclone_execution.yml b/rules/windows/process_creation/windows_suspicious_rclone_execution.yml
new file mode 100644
index 00000000..b73cf7b7
--- /dev/null
+++ b/rules/windows/process_creation/windows_suspicious_rclone_execution.yml
@@ -0,0 +1,56 @@
+title: Rclone Execution via Command Line or PowerShell
+id: e37db05d-d1f9-49c8-b464-cee1a4b11638
+description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+status: experimental
+date: 2021/05/10
+modified: 2021/06/29
+author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+ - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+ - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Rclone usage (rare)
+level: high
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ exec_selection:
+ Image|endswith: '\rclone.exe'
+ ParentImage|endswith:
+ - '\PowerShell.exe'
+ - '\cmd.exe'
+ command_selection:
+ CommandLine|contains:
+ - 'pass'
+ - 'user'
+ - 'copy'
+ - 'sync'
+ - 'config'
+ - 'lsd'
+ - 'remote'
+ - 'ls'
+ - 'mega'
+ - 'pcloud'
+ - 'ftp'
+ - 'ignore-existing'
+ - 'auto-confirm'
+ - 'transfers'
+ - 'multi-thread-streams'
+ - 'no-check-certificate '
+ description_selection:
+ Description: 'Rsync for cloud storage'
+ condition: command_selection and ( description_selection or exec_selection )
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate RClone use
+level: high
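Review bot: `command_selection` drops the token-delimiting spaces that `win_susp_rclone_exec.yml` used (`' pass '`, `' ls '`), so `CommandLine|contains` values such as `'ls'`, `'user'`, `'pass'` and `'copy'` match almost any rclone command line and the condition collapses in practice to `description_selection or exec_selection`; either restore the padding or drop the selection and state in the description that any rclone execution is alerted on. `'no-check-certificate '` keeps a trailing space while its siblings do not, which looks accidental. The file also declares `falsepositives` and `level` twice (once after `tags`, once at the end), which a YAML loader resolves silently to whichever value comes last.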
From a7715490572c3deeecdcdc1706c736e298744632 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 19:51:50 -0500
Subject: [PATCH 03/28] Delete win_susp_rclone_exec.yml
---
 .../process_creation/win_susp_rclone_exec.yml | 37 -------------------
 1 file changed, 37 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_susp_rclone_exec.yml
diff --git a/rules/windows/process_creation/win_susp_rclone_exec.yml b/rules/windows/process_creation/win_susp_rclone_exec.yml
deleted file mode 100644
index b6e35d7a..00000000
--- a/rules/windows/process_creation/win_susp_rclone_exec.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Rclone Execution via Command Line or PowerShell
-id: cb7286ba-f207-44ab-b9e6-760d82b84253
-description: Detects Rclone which is commonly used by ransomware groups for exfiltration
-status: experimental
-date: 2021/05/26
-author: Aaron Greetham (@beardofbinary) - NCC Group
-references:
- - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
-tags:
- - attack.exfiltration
- - attack.t1567.002
-falsepositives:
- - Legitimate Rclone usage (rare)
-level: high
-logsource:
- product: windows
- category: process_creation
-detection:
- exec_selection:
- Image|endswith: '\rclone.exe'
- ParentImage|endswith:
- - '\PowerShell.exe'
- - '\cmd.exe'
- command_selection:
- CommandLine|contains:
- - ' pass '
- - ' user '
- - ' copy '
- - ' mega '
- - ' sync '
- - ' config '
- - ' lsd '
- - ' remote '
- - ' ls '
- description_selection:
- Description: 'Rsync for cloud storage'
- condition: command_selection and ( description_selection or exec_selection )
\ No newline at end of file
From 2f5e235dfe2451f01d904ce21835ea2e7dea7566 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 19:51:59 -0500
Subject: [PATCH 04/28] Delete sysmon_rclone_execution.yml
---
 .../sysmon_rclone_execution.yml | 46 -------------------
 1 file changed, 46 deletions(-)
 delete mode 100644 rules/windows/process_creation/sysmon_rclone_execution.yml
diff --git a/rules/windows/process_creation/sysmon_rclone_execution.yml b/rules/windows/process_creation/sysmon_rclone_execution.yml
deleted file mode 100644
index 3a0b7dfe..00000000
--- a/rules/windows/process_creation/sysmon_rclone_execution.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: RClone Execution
-id: a0d63692-a531-4912-ad39-4393325b2a9c
-status: experimental
-description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
-tags:
- - attack.exfiltration
- - attack.t1567.002
-author: Bhabesh Raj, Sittikorn S
-date: 2021/05/10
-modified: 2021/06/29
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
-fields:
- - CommandLine
- - ParentCommandLine
- - Details
-falsepositives:
- - Legitimate RClone use
-level: high
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Description: 'Rsync for cloud storage'
- selection2:
- CommandLine|contains|all:
- - '--config '
- - '--no-check-certificate '
- - ' copy '
- selection3:
- Image|endswith:
- - '\rclone.exe'
- CommandLine|contains:
- - 'mega'
- - 'pcloud'
- - 'ftp'
- - '--progress'
- - '--ignore-existing'
- - '--auto-confirm'
- - '--transfers'
- - '--multi-thread-streams'
- condition: 1 of them
From 05fcc0d8908defbfbe352c72f01094ea076b969c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 19:52:37 -0500
Subject: [PATCH 05/28] Rename windows_suspicious_rclone_execution.yml to win_suspicious_rclone_execution.yml
---
 ...s_rclone_execution.yml => win_suspicious_rclone_execution.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{windows_suspicious_rclone_execution.yml => win_suspicious_rclone_execution.yml} (100%)
diff --git a/rules/windows/process_creation/windows_suspicious_rclone_execution.yml b/rules/windows/process_creation/win_suspicious_rclone_execution.yml
similarity index 100%
rename from rules/windows/process_creation/windows_suspicious_rclone_execution.yml
rename to rules/windows/process_creation/win_suspicious_rclone_execution.yml
From 2d781ac20b19ab29b3162783a7ffb9d6131ab088 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 19:55:19 -0500
Subject: [PATCH 06/28] Rename win_suspicious_rclone_execution.yml to win_susp_rclone_execution.yml
---
 ...picious_rclone_execution.yml => win_susp_rclone_execution.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{win_suspicious_rclone_execution.yml => win_susp_rclone_execution.yml} (100%)
diff --git a/rules/windows/process_creation/win_suspicious_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml
similarity index 100%
rename from rules/windows/process_creation/win_suspicious_rclone_execution.yml
rename to rules/windows/process_creation/win_susp_rclone_execution.yml
From c8383901e131603d1a50ef360064dc1138b8128a Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 19:56:43 -0500
Subject: [PATCH 07/28] Update win_susp_rclone_execution.yml
---
 rules/windows/process_creation/win_susp_rclone_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml
index b73cf7b7..0f822a36 100644
--- a/rules/windows/process_creation/win_susp_rclone_execution.yml
+++ b/rules/windows/process_creation/win_susp_rclone_execution.yml
@@ -3,7 +3,7 @@ id: e37db05d-d1f9-49c8-b464-cee1a4b11638
 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
 status: experimental
 date: 2021/05/10
-modified: 2021/06/29
+modified: 2021/10/23
 author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
From 9664ec4c35f254c2f10f84e1aa5cbd98b80b9fc0 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 19:59:37 -0500
Subject: [PATCH 08/28] Update win_susp_rclone_execution.yml
---
 .../process_creation/win_susp_rclone_execution.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml
index 0f822a36..eca69f3a 100644
--- a/rules/windows/process_creation/win_susp_rclone_execution.yml
+++ b/rules/windows/process_creation/win_susp_rclone_execution.yml
@@ -11,12 +11,6 @@ references:
 - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
 - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
 - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
-tags:
- - attack.exfiltration
- - attack.t1567.002
-falsepositives:
- - Legitimate Rclone usage (rare)
-level: high
 logsource:
 product: windows
 category: process_creation
@@ -51,6 +45,9 @@ fields:
 - CommandLine
 - ParentCommandLine
 - Details
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
 falsepositives:
 - Legitimate RClone use
 level: high
From d4b396f82358af07d96bd71f4c7549ea8dc2b359 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 24 Oct 2021 11:02:34 -0500
Subject: [PATCH 09/28] Create sysmon_rclone_execution.yml
---
 .../deprecated/sysmon_rclone_execution.yml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 rules/windows/deprecated/sysmon_rclone_execution.yml
diff --git a/rules/windows/deprecated/sysmon_rclone_execution.yml b/rules/windows/deprecated/sysmon_rclone_execution.yml
new file mode 100644
index 00000000..3a0b7dfe
--- /dev/null
+++ b/rules/windows/deprecated/sysmon_rclone_execution.yml
@@ -0,0 +1,46 @@
+title: RClone Execution
+id: a0d63692-a531-4912-ad39-4393325b2a9c
+status: experimental
+description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+author: Bhabesh Raj, Sittikorn S
+date: 2021/05/10
+modified: 2021/06/29
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+ - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+ - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate RClone use
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Description: 'Rsync for cloud storage'
+ selection2:
+ CommandLine|contains|all:
+ - '--config '
+ - '--no-check-certificate '
+ - ' copy '
+ selection3:
+ Image|endswith:
+ - '\rclone.exe'
+ CommandLine|contains:
+ - 'mega'
+ - 'pcloud'
+ - 'ftp'
+ - '--progress'
+ - '--ignore-existing'
+ - '--auto-confirm'
+ - '--transfers'
+ - '--multi-thread-streams'
+ condition: 1 of them
From c4153f471f7514a7f65c86b6bbc82456d45488a5 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 24 Oct 2021 11:02:55 -0500
Subject: [PATCH 10/28] Create win_susp_rclone_exec.yml
---
 .../deprecated/win_susp_rclone_exec.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/windows/deprecated/win_susp_rclone_exec.yml
diff --git a/rules/windows/deprecated/win_susp_rclone_exec.yml b/rules/windows/deprecated/win_susp_rclone_exec.yml
new file mode 100644
index 00000000..38f5b1c2
--- /dev/null
+++ b/rules/windows/deprecated/win_susp_rclone_exec.yml
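Review bot: The rule is recreated under `rules/windows/deprecated/` but keeps `status: experimental` and `level: high`, so any consumer that filters on status still loads it next to its replacement and produces duplicate alerts; it should carry `status: deprecated`. The same applies to `win_susp_rclone_exec.yml` in the following hunk. A short comment naming the rule that supersedes it would also help anyone reading this directory, since nothing in the file itself says why it was retired.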
@@ -0,0 +1,37 @@
+title: Rclone Execution via Command Line or PowerShell
+id: cb7286ba-f207-44ab-b9e6-760d82b84253
+description: Detects Rclone which is commonly used by ransomware groups for exfiltration
+status: experimental
+date: 2021/05/26
+author: Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Rclone usage (rare)
+level: high
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ exec_selection:
+ Image|endswith: '\rclone.exe'
+ ParentImage|endswith:
+ - '\PowerShell.exe'
+ - '\cmd.exe'
+ command_selection:
+ CommandLine|contains:
+ - ' pass '
+ - ' user '
+ - ' copy '
+ - ' mega '
+ - ' sync '
+ - ' config '
+ - ' lsd '
+ - ' remote '
+ - ' ls '
+ description_selection:
+ Description: 'Rsync for cloud storage'
+ condition: command_selection and ( description_selection or exec_selection )
From 5ded3e681c89edb653b8173570179433093dc749 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sun, 24 Oct 2021 11:04:34 -0500
Subject: [PATCH 11/28] Update win_susp_rclone_execution.yml
---
 .../process_creation/win_susp_rclone_execution.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml
index eca69f3a..4b20bb67 100644
--- a/rules/windows/process_creation/win_susp_rclone_execution.yml
+++ b/rules/windows/process_creation/win_susp_rclone_execution.yml
@@ -3,7 +3,7 @@ id: e37db05d-d1f9-49c8-b464-cee1a4b11638
 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
 status: experimental
 date: 2021/05/10
-modified: 2021/10/23
+modified: 2021/10/24
 author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
@@ -51,3 +51,9 @@ tags:
 falsepositives:
 - Legitimate RClone use
 level: high
+id: e37db05d-d1f9-49c8-b464-cee1a4b11638
+related:
+ - id: a0d63692-a531-4912-ad39-4393325b2a9c
+ type: obsoletes
+ - id: cb7286ba-f207-44ab-b9e6-760d82b84253
+ type: obsoletes
From db640f6080e0d875025c4b6c90d22ae3b91a5762 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 24 Oct 2021 18:47:04 +0200
Subject: [PATCH 12/28] Update win_susp_rclone_execution.yml
---
 .../win_susp_rclone_execution.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml
index 4b20bb67..5f185a57 100644
--- a/rules/windows/process_creation/win_susp_rclone_execution.yml
+++ b/rules/windows/process_creation/win_susp_rclone_execution.yml
@@ -1,5 +1,10 @@
 title: Rclone Execution via Command Line or PowerShell
-id: e37db05d-d1f9-49c8-b464-cee1a4b11638
+id: e37db05d-d1f9-49c8-b464-cee1a4b11638
+related:
+ - id: a0d63692-a531-4912-ad39-4393325b2a9c
+ type: obsoletes
+ - id: cb7286ba-f207-44ab-b9e6-760d82b84253
+ type: obsoletes
 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
 status: experimental
 date: 2021/05/10
@@ -39,7 +44,7 @@ detection:
 - 'multi-thread-streams'
 - 'no-check-certificate '
 description_selection:
- Description: 'Rsync for cloud storage'
+ Description: 'Rsync for cloud storage'
 condition: command_selection and ( description_selection or exec_selection )
 fields:
 - CommandLine
@@ -51,9 +56,3 @@ tags:
 falsepositives:
 - Legitimate RClone use
 level: high
-id: e37db05d-d1f9-49c8-b464-cee1a4b11638
-related:
- - id: a0d63692-a531-4912-ad39-4393325b2a9c
- type: obsoletes
- - id: cb7286ba-f207-44ab-b9e6-760d82b84253
- type: obsoletes
From 75f4f439daba43d2e97a380e89441932228f1445 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Sun, 24 Oct 2021 13:32:22 -0400
Subject: [PATCH 13/28] Create sysmon_powershell_startup_shortcuts
---
 .../sysmon_powershell_startup_shortcuts | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/windows/file_event/sysmon_powershell_startup_shortcuts
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts b/rules/windows/file_event/sysmon_powershell_startup_shortcuts
new file mode 100644
index 00000000..2f0b954b
--- /dev/null
+++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts
@@ -0,0 +1,33 @@
+title: PowerShell writing startup shortcuts
+id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
+description: Attempts to detect PowerShell writing startup shortcuts.
+status: experimental
+references:
+ - https://redcanary.com/blog/intelligence-insights-october-2021/
+ # We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+ # Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+ # In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+notes:
+ - Atomic Test is avaiable. Copy and Paste the command into an elevated PowerShell to generate logs, then run the cleanup step.
+ https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
+
+ - Current SIGMA rule "Startup folder File Write" does not cover this activity, as it looks in the \ProgramData\ file path and not \AppData\.
+ https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_startup_folder_file_write.yml
+tags:
+ - attack.registry_run_keys_/_startup_folder
+ - attack.t1547.001
+date: 2021/10/24
+author: Christopher Peacock (@securepeacock), SCYTHE
+level: high
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ TargetFilename|contains: '\start menu\programs\startup\'
+ TargetFilename|endswith: '.lnk'
+ condition: selection
+falsepositives:
+ - Unknown
+ - Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.
From 03301a065204f29f81b69f1c576d750475aaabfb Mon Sep 17 00:00:00 2001
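Review bot: `attack.registry_run_keys_/_startup_folder` is not a valid Sigma tag — tags take the form `attack.<tactic>` or `attack.tNNNN(.NNN)` and cannot contain `/`; the tactic for T1547.001 is `attack.persistence`. `notes:` is not a field in the rule schema, so the atomic-test pointer and the coverage remark about the existing startup-folder rule should move into `references`/`description` or become YAML comments. `Image|endswith: '\powershell.exe'` leaves out PowerShell 7 (`\pwsh.exe`), which would write the same `.lnk` path unnoticed. The `falsepositives` text has typos (`avaiable`, `recomended`, `anomolies inidicative`).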
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Sun, 24 Oct 2021 13:56:01 -0400
Subject: [PATCH 14/28] Rename sysmon_powershell_startup_shortcuts to sysmon_powershell_startup_shortcuts.yml
---
 ..._startup_shortcuts => sysmon_powershell_startup_shortcuts.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/file_event/{sysmon_powershell_startup_shortcuts => sysmon_powershell_startup_shortcuts.yml} (100%)
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
similarity index 100%
rename from rules/windows/file_event/sysmon_powershell_startup_shortcuts
rename to rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
From 90654858559ddac863ef4acb1d97c6bb80d07237 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 24 Oct 2021 20:12:55 +0200
Subject: [PATCH 15/28] update detection
---
 .../process_creation/win_shadow_copies_deletion.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index 45e71b95..2828e962 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -4,7 +4,7 @@ status: stable
 description: Shadow Copies deletion using operating systems utilities
 author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
 date: 2019/10/22
-modified: 2021/06/02
+modified: 2021/10/24
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://blog.talosintelligence.com/2017/05/wannacry.html
@@ -13,6 +13,7 @@ references:
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 - https://github.com/Neo23x0/Raccine#the-process
 - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
+ - https://redcanary.com/blog/intelligence-insights-october-2021/
 tags:
 - attack.defense_evasion
 - attack.impact
@@ -38,6 +39,12 @@ detection:
 - delete
 - catalog
 - quiet # will match -quiet or /quiet
+ selection2:
+ Image|endswith: '\vssadmin.exe'
+ CommandLine|contains|all:
+ - resize
+ - shadowstorage
+ - unbounded
 condition: 1 of selection*
 fields:
 - CommandLine
From 9ff310541aef0f2357ce9560d314095e6d8dc966 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 24 Oct 2021 20:14:44 +0200
Subject: [PATCH 16/28] add selection3
---
 rules/windows/process_creation/win_shadow_copies_deletion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index 2828e962..8eaf9b84 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -39,7 +39,7 @@ detection:
 - delete
 - catalog
 - quiet # will match -quiet or /quiet
- selection2:
+ selection3:
 Image|endswith: '\vssadmin.exe'
 CommandLine|contains|all:
 - resize
From 265faf6337dbcd8ce7ffc10131c6d3d784fa8c1f Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Sun, 24 Oct 2021 14:15:04 -0400
Subject: [PATCH 17/28] Update sysmon_powershell_startup_shortcuts.yml
---
 .../file_event/sysmon_powershell_startup_shortcuts.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
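Review bot: The new `selection2` requires `unbounded` alongside `resize` and `shadowstorage` in `CommandLine|contains|all`; if the intent is the resize-to-purge pattern, the invocation that actually discards copies is the one shrinking storage to a small `/maxsize=` value, and it would not match, so consider matching on `resize` plus `shadowstorage` alone and explaining the choice in a comment such as `# resizing shadowstorage below current usage discards existing copies`. Also check that `selection2` does not collide with a key already present in `detection` — the `- delete`/`- catalog`/`- quiet` context lines belong to an earlier, unnamed selection and YAML would silently keep only the last definition. The enclosing `detection` block starts outside this hunk.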
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
index 2f0b954b..70c82df3 100644
--- a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
+++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
@@ -1,4 +1,4 @@
-title: PowerShell writing startup shortcuts
+title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
 description: Attempts to detect PowerShell writing startup shortcuts.
 status: experimental
@@ -17,7 +17,7 @@ tags:
 - attack.registry_run_keys_/_startup_folder
 - attack.t1547.001
 date: 2021/10/24
-author: Christopher Peacock (@securepeacock), SCYTHE
+author: Christopher Peacock '@securepeacock', SCYTHE
 level: high
 logsource:
 product: windows
From 8b45c6687c1aeaad234b82dd7f4df9fb88037aee Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Sun, 24 Oct 2021 16:07:40 -0400
Subject: [PATCH 18/28] Update sysmon_powershell_startup_shortcuts.yml
---
 .../sysmon_powershell_startup_shortcuts.yml | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
index 70c82df3..a7ed3cfa 100644
--- a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
+++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
@@ -1,18 +1,10 @@
 title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
-description: Attempts to detect PowerShell writing startup shortcuts.
+description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 status: experimental
 references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
- # We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
- # Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
- # In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
-notes:
- - Atomic Test is avaiable. Copy and Paste the command into an elevated PowerShell to generate logs, then run the cleanup step.
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
-
- - Current SIGMA rule "Startup folder File Write" does not cover this activity, as it looks in the \ProgramData\ file path and not \AppData\.
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_startup_folder_file_write.yml
+ - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
 tags:
 - attack.registry_run_keys_/_startup_folder
 - attack.t1547.001
From e4d2b6e5d94a81ea9c77cc1dc516b2f68c230435 Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 25 Oct 2021 09:07:22 +0200
Subject: [PATCH 19/28] add file_event_mal_vhd_download
---
 .../file_event_mal_vhd_download.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_mal_vhd_download.yml
diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml
new file mode 100644
index 00000000..9634cfff
--- /dev/null
+++ b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -0,0 +1,28 @@
+title: Suspicious VHD Image Download From Browser
+id: 8468111a-ef07-4654-903b-b863a80bbc95
+status: experimental
+description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls
+references:
+ - https://redcanary.com/blog/intelligence-insights-october-2021/
+ - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
+ - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
+author: frack113
+date: 2021/10/25
+tags:
+ - attack.resource_development
+ - attack.t1587.001
+logsource:
+ category: file_event
+ product: windows
+ definition: in sysmon add ".vhd "
+detection:
+ selection:
+ - Image|endswith:
+ - chrome.exe
+ - firefox.exe
+ - microsoftedge.exe
+ - microsoftedgecp.exe
+ - msedge.exe
+ - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
+ condition: selection
+level: high
\ No newline at end of file
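Review bot: The removed note recording that `sysmon_startup_folder_file_write.yml` only looks under `\ProgramData\` while this rule targets the per-user `\AppData\` startup folder is the one line that explains why both rules exist, and the new description does not carry it; keep it as a YAML comment next to `TargetFilename|contains` in the `detection` block, e.g. `# per-user startup folder; the \ProgramData\ variant is covered by sysmon_startup_folder_file_write.yml`. The description now embeds a long verbatim quote that duplicates the referenced blog post; a one-sentence paraphrase plus the reference would read better and is easier to keep accurate. The `detection` block this refers to lies outside the hunk.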
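Review bot: `selection` is written as a YAML list of two maps (`- Image|endswith:` … `- TargetFilename|contains:`), and Sigma ORs the maps in such a list, so this rule fires on every file the listed browsers write and on every filename containing `.vhd` regardless of writer, not on the conjunction the title describes; drop the two leading `- ` markers so `selection` is a single map and both fields are ANDed. The tags `attack.resource_development` / `attack.t1587.001` describe adversary-side malware development rather than anything observable on the endpoint; a browser download of a disk image sits closer to defense evasion (T1553.005, Mark-of-the-Web bypass), if that is the intended mapping. The browser names carry no leading backslash, so `endswith: chrome.exe` also matches any image whose name merely ends with those characters.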
From 12707f8ec5ee41e81aa5828ece3f8b91858462ad Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 25 Oct 2021 09:16:59 +0200
Subject: [PATCH 20/28] fix level
---
 rules/windows/file_event/file_event_mal_vhd_download.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml
index 9634cfff..2ddeca79 100644
--- a/rules/windows/file_event/file_event_mal_vhd_download.yml
+++ b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -25,4 +25,6 @@ detection:
 - msedge.exe
 - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
 condition: selection
-level: high
\ No newline at end of file
+falsepositives:
+ - Legitimate user creation
+level: medium
From 5294e91828f77ab40a3441ec71cba06506633e39 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 25 Oct 2021 17:29:01 +0200
Subject: [PATCH 21/28] Update file_event_mal_vhd_download.yml
---
 rules/windows/file_event/file_event_mal_vhd_download.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml
index 2ddeca79..ec4aa319 100644
--- a/rules/windows/file_event/file_event_mal_vhd_download.yml
+++ b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -6,7 +6,7 @@ references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
 - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
 - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
-author: frack113
+author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021/10/25
 tags:
 - attack.resource_development
@@ -23,6 +23,9 @@ detection: - microsoftedge.exe - microsoftedgecp.exe - msedge.exe + - iexplorer.exe + - brave.exe + - opera.exe - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier condition: selection falsepositives: From 162d869e2bd513f371606e9ee39445db135d2f69 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 18:14:03 +0200 Subject: [PATCH 22/28] Add cve tags --- .../sysmon_cve_2021_26858_msexchange.yml | 3 +-- .../win_exploit_cve_2020_10189.yml | 3 +-- ..._susp_servu_exploitation_cve_2021_35211.yml | 2 +- .../win_susp_servu_process_pattern.yml | 2 +- ..._cve_2021_31979_cve_2021_33771_exploits.yml | 4 ++-- .../sysmon_registry_susp_printer_driver.yml | 2 +- .../win_registry_mimikatz_printernightmare.yml | 4 ++-- tests/test_rules.py | 18 ++++-------------- 8 files changed, 13 insertions(+), 25 deletions(-) diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml index 84390c48..acce751b 100644 --- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -7,13 +7,12 @@ author: Bhabesh Raj status: experimental level: critical references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - - https://nvd.nist.gov/vuln/detail/cve-2021-26858 date: 2021/03/03 tags: - attack.t1203 - attack.execution + - cve.2021.26858 logsource: category: file_event product: windows diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml index 10aaacd2..0b591d74 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml 
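Review bot: `iexplorer.exe` in the added image list is not the Internet Explorer process name — the binary is `iexplore.exe` — so that entry never matches; change it to `- iexplore.exe`. Like the existing entries, the new names are bare file names under `Image|endswith`, so they also match any image whose name merely ends in that string (a constructed example: `xbrave.exe`); the usual Sigma convention is a leading backslash, e.g. `- \brave.exe`.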
+++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml @@ -4,8 +4,6 @@ status: experimental description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 references: - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - - https://nvd.nist.gov/vuln/detail/CVE-2020-10189 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189 - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 author: Florian Roth date: 2020/03/25 @@ -18,6 +16,7 @@ tags: - attack.t1059.003 - attack.t1059 # an old one - attack.s0190 + - cve.2020.10189 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index 4056fcdb..25032789 100644 --- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -6,13 +6,13 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ - - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - attack.persistence - attack.t1136.001 + - cve.2021.35211 # - threat_group.DEV-0322 detection: selection1: diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml index 90b50893..c1a92be5 100644 --- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml 
@@ -6,12 +6,12 @@ author: Florian Roth date: 2021/07/14 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ - - https://nvd.nist.gov/vuln/detail/cve-2021-35211 logsource: category: process_creation product: windows tags: - attack.credential_access + - cve.2021.35211 detection: selection: ParentImage|endswith: '\Serv-U.exe' diff --git a/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml index 1126237c..5a9aa6a1 100644 --- a/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -8,12 +8,12 @@ modified: 2021/09/09 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ - - https://nvd.nist.gov/vuln/detail/cve-2021-33771 - - https://nvd.nist.gov/vuln/detail/cve-2021-31979 tags: - attack.credential_access - attack.t1566 - attack.t1203 + - cve.2021.33771 + - cve.2021.31979 # - threat_group.Sourgum logsource: product: windows diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index ad3f790d..c7373356 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml 
@@ -4,11 +4,11 @@ status: experimental description: Detects a suspicious printer driver installation with an empty Manufacturer value references: - https://twitter.com/SBousseaden/status/1410545674773467140 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Florian Roth date: 2020/07/01 tags: - attack.privilege_escalation + - cve.2021.1675 logsource: category: registry_event product: windows diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index db8f4a1f..22fa2806 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -6,11 +6,11 @@ references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: Markus Neis, @markus_neis, Florian Roth tags: - attack.execution + - cve.2021.1675 + - cve.2021.34527 date: 2021/07/04 modified: 2021/07/28 logsource: diff --git a/tests/test_rules.py b/tests/test_rules.py index 6d10f80e..b31c8eab 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
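Review bot: With `cve.2021.1675` now tagged on `sysmon_registry_susp_printer_driver.yml`, the context line `date: 2020/07/01` is visibly inconsistent — the rule is dated a year before the CVE it is tagged with, and the cited tweet is from 2021. This is not introduced by the commit, but since the commit touches the metadata it is the natural place to correct it; presumably `date: 2021/07/01` was meant, to be confirmed against the file's history.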
@@ -75,20 +75,13 @@ class TestRules(unittest.TestCase): def test_optional_tags(self): files_with_incorrect_tags = [] - + tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}") for file in self.yield_next_rule_file_path(self.path_to_rules): tags = self.get_rule_part(file_path=file, part_name="tags") if tags: for tag in tags: - if tag.startswith("attack."): - continue - elif tag.startswith("car."): - continue - elif tag.startswith("cve."): - print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag)) - files_with_incorrect_tags.append(file) - else: - print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag)) + if tags_pattern.match(tag) == None: + print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag)) files_with_incorrect_tags.append(file) self.assertEqual(files_with_incorrect_tags, [], Fore.RED + @@ -450,7 +443,7 @@ class TestRules(unittest.TestCase): "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)") # Upgrade Detection Rule License 1.1 - def test_author(self): + def test_optional_author(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): author_str = self.get_rule_part(file_path=file, part_name="author") @@ -459,9 +452,6 @@ class TestRules(unittest.TestCase): if not isinstance(author_str, str): print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) faulty_rules.append(file) - else: - print(Fore.YELLOW + "Rule {} has no 'author' field".format(file)) - faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'author' fields. (has to be a string even if it contains many author)") From f8574fcd819baa6899ec5a1a63546f6743491da6 Mon Sep 17 00:00:00 2001 
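Review bot: `tags_pattern.match(tag)` in `test_optional_tags` anchors only at the start of the string, so a tag such as `attack.t1059abc` or `cve.2021.1675x` passes because its prefix matches; use `if tags_pattern.fullmatch(tag) is None:` (and `is None` rather than `== None` in any case). The alternative `attack\.t\d+\.*\d*` also accepts `attack.t1059.` and `attack.t1059..` because `\.*` allows any number of dots; `attack\.t\d+(\.\d+)?` is tighter. Whether `re` is already imported in this file cannot be seen from the hunk.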
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 18:40:50 +0200 Subject: [PATCH 23/28] Add cve tags --- .../lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml | 3 +-- ..._auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml | 3 +-- rules/linux/lnx_sudo_cve_2019_14287.yml | 1 + rules/linux/lnx_sudo_cve_2019_14287_user.yml | 1 + .../zeek_dce_rpc_printnightmare_print_driver_install.yml | 6 ++++-- ...eb_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml | 4 ++-- rules/web/web_cve_2018_2894_weblogic_exploit.yml | 3 +-- rules/web/web_cve_2020_14882_weblogic_exploit.yml | 3 +-- rules/web/web_cve_2020_3452_cisco_asa_ftd.yml | 3 +-- rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml | 2 +- .../web/web_cve_2021_21978_vmware_view_planner_exploit.yml | 3 +-- rules/web/web_cve_2021_26814_wzuh_rce.yml | 4 ++-- rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml | 3 +-- .../builtin/win_exploit_cve_2021_1675_printspooler.yml | 2 +- .../win_exploit_cve_2021_1675_printspooler_operational.yml | 2 +- .../win_exploit_cve_2021_1675_printspooler_security.yml | 4 ++-- rules/windows/driver_load/driver_load_vuln_dell_driver.yml | 2 +- .../file_delete/win_cve_2021_1675_printspooler_del.yml | 2 +- .../file_event_cve_2021_31979_cve_2021_33771_exploits.yml | 4 ++-- rules/windows/file_event/win_cve_2021_1675_printspooler.yml | 2 +- rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 +- rules/windows/image_load/sysmon_spoolsv_dll_load.yml | 4 ++-- .../process_creation/sysmon_cve_2021_26857_msexchange.yml | 3 +-- .../windows/process_creation/win_exploit_cve_2019_1378.yml | 1 + 24 files changed, 32 insertions(+), 35 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index 6c49477f..e4d19520 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml 
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -8,12 +8,11 @@ author: Bhabesh Raj date: 2021/02/01 modified: 2021/09/14 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit - - https://nvd.nist.gov/vuln/detail/cve-2021-3156 tags: - attack.privilege_escalation - attack.t1068 + - cve.2021.3156 logsource: product: linux service: auditd diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml index 7780da68..95926299 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml @@ -11,12 +11,11 @@ author: Bhabesh Raj date: 2021/02/01 modified: 2021/09/14 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156 - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit - - https://nvd.nist.gov/vuln/detail/cve-2021-3156 tags: - attack.privilege_escalation - attack.t1068 + - cve.2021.3156 logsource: product: linux service: auditd diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index 22c1cfb6..dfaa5a4e 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -16,6 +16,7 @@ tags: - attack.t1068 - attack.t1169 # an old one - attack.t1548.003 + - cve.2019.14287 detection: selection_keywords: - '* -u#*' diff --git a/rules/linux/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/lnx_sudo_cve_2019_14287_user.yml index ab92d197..d49f5e9c 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287_user.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287_user.yml 
@@ -19,6 +19,7 @@ tags: - attack.t1068 - attack.t1169 # an old one - attack.t1548.003 + - cve.2019.14287 detection: selection_user: USER: diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index adf32660..6ebaab90 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -13,10 +13,12 @@ references: - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml - https://old.zeek.org/zeekweek2019/slides/bzar.pdf - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-1678 + tags: - attack.execution + - cve-2021-1678 + - cve-2021-1675 + - cve.2021.34527 logsource: product: zeek service: dce_rpc diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index 06718546..869a932e 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml @@ -3,8 +3,6 @@ id: f0500377-bc70-425d-ac8c-e956cd906871 status: experimental description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. references: - - https://nvd.nist.gov/vuln/detail/cve-2021-20090 - - https://nvd.nist.gov/vuln/detail/cve-2021-20091 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://www.tenable.com/security/research/tra-2021-13 - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild 
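Review bot: The lone `+` line inserted between the `references` list and `tags:` in `zeek_dce_rpc_printnightmare_print_driver_install.yml` adds a blank line that none of the other rule files in this series carry between top-level keys; drop it. The `cve.2021.34527` tag is the only tag in this patch not derived from a removed reference, and neither a reference nor a visible description line mentions that CVE, so if it is intended it should get an entry under `references`.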
@@ -17,6 +15,8 @@ level: critical tags: - attack.initial_access - attack.t1190 + - cve.2021.20090 + - cve.2021.20091 logsource: category: webserver detection: diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index b2fcd3e7..0ca683c2 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml @@ -6,10 +6,8 @@ author: Florian Roth date: 2018/07/22 modified: 2021/08/09 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894 - https://twitter.com/pyn3rd/status/1020620932967223296 - https://github.com/LandGrey/CVE-2018-2894 - - https://nvd.nist.gov/vuln/detail/cve-2018-2894 logsource: category: webserver detection: @@ -28,3 +26,4 @@ tags: - attack.initial_access - attack.persistence - attack.t1505.003 + - cve.2018.2894 diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml index cb3545ad..92608b05 100644 --- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml +++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml @@ -6,11 +6,9 @@ author: Florian Roth date: 2020/11/02 modified: 2020/11/04 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882 - https://isc.sans.edu/diary/26734 - https://twitter.com/jas502n/status/1321416053050667009?s=20 - https://twitter.com/sudo_sudoka/status/1323951871078223874 - - https://nvd.nist.gov/vuln/detail/cve-2020-14882 logsource: category: webserver detection: @@ -29,3 +27,4 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access + - cve.2020.14882 diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml index f7ac95eb..5663b39d 100644 --- a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml 
@@ -5,10 +5,8 @@ description: Detects exploitation attempts on Cisco ASA FTD systems exploiting C author: Florian Roth date: 2021/01/07 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452 - https://twitter.com/aboul3la/status/1286012324722155525 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter - - https://nvd.nist.gov/vuln/detail/CVE-2020-3452 logsource: category: webserver detection: @@ -35,3 +33,4 @@ tags: - attack.t1100 # an old one - attack.t1190 - attack.initial_access + - cve.2020.3452 \ No newline at end of file diff --git a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml index df17a5de..410ad1e4 100644 --- a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml +++ b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml @@ -7,7 +7,6 @@ date: 2021/01/20 references: - https://twitter.com/pyn3rd/status/1351696768065409026 - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw - - https://nvd.nist.gov/vuln/detail/cve-2021-2109 logsource: category: webserver detection: @@ -27,3 +26,4 @@ level: critical tags: - attack.t1190 - attack.initial_access + - cve.2021.2109 \ No newline at end of file diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml index 9da58de5..0d0e853b 100644 --- a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml +++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml @@ -5,10 +5,8 @@ description: Detects the exploitation of the VMware View Planner vulnerability d author: Bhabesh Raj date: 2020/03/10 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978 - https://twitter.com/wugeej/status/1369476795255320580 - https://paper.seebug.org/1495/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-21978 logsource: category: webserver detection: 
@@ -28,3 +26,4 @@ level: high tags: - attack.initial_access - attack.t1190 + - cve.2021.21978 diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml index 03012d37..0fba39bf 100644 --- a/rules/web/web_cve_2021_26814_wzuh_rce.yml +++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml @@ -5,9 +5,7 @@ description: Detects the exploitation of the Wazuh RCE vulnerability described i author: Florian Roth date: 2021/05/22 references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814 - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py - - https://nvd.nist.gov/vuln/detail/cve-2021-21978 logsource: category: webserver detection: @@ -23,3 +21,5 @@ level: high tags: - attack.initial_access - attack.t1190 + - cve.2021.21978 + - cve.2021.26814 \ No newline at end of file diff --git a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml index 73316e52..1061b978 100644 --- a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml +++ b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml @@ -6,9 +6,7 @@ author: Bhabesh Raj date: 2021/01/25 references: - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-28188 - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ - - https://nvd.nist.gov/vuln/detail/cve-2020-28188 logsource: category: webserver detection: @@ -35,3 +33,4 @@ level: critical tags: - attack.t1190 - attack.initial_access + - cve.2020.28188 \ No newline at end of file diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml index 26866f88..72ac6b83 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml 
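Review bot: `cve.2021.21978` is added as a tag to `web_cve_2021_26814_wzuh_rce.yml`, but CVE-2021-21978 is the VMware View Planner issue handled by the rule immediately above in this patch; the removed reference `https://nvd.nist.gov/vuln/detail/cve-2021-21978` in the Wazuh rule looks like an earlier copy-and-paste error, and turning it mechanically into a tag carries the mistake forward. Keep only `- cve.2021.26814` here. The same hunk also leaves the file without a trailing newline (`\ No newline at end of file`), as do the Cisco ASA, WebLogic 2109 and TerraMaster hunks in this patch.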
@@ -8,11 +8,11 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://twitter.com/fuzzyf10w/status/1410202370835898371 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/30 modified: 2021/07/08 tags: - attack.execution + - cve.2021.1675 logsource: product: windows service: printservice-admin diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml index 4fbbee51..82341850 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml @@ -6,10 +6,10 @@ status: experimental level: critical references: - https://twitter.com/MalwareJake/status/1410421967463731200 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/07/01 tags: - attack.execution + - cve.2021.1675 logsource: product: windows service: printservice-operational diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml index d36b0ea4..902544f9 100644 --- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml @@ -6,11 +6,11 @@ status: experimental level: critical references: - https://twitter.com/INIT_3/status/1410662463641731075 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-34527 date: 2021/07/02 tags: - attack.execution + - cve.2021.1675 + - cve.2021.34527 logsource: product: windows service: security diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml index ea92afb4..1e361bd9 100644 --- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml 
+++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml @@ -5,12 +5,12 @@ author: Florian Roth date: 2021/05/05 references: - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ - - https://nvd.nist.gov/vuln/detail/cve-2021-21551 logsource: category: driver_load product: windows tags: - attack.privilege_escalation + - cve.2021.21551 detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' diff --git a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml index 397a66b1..bd5fb4ab 100644 --- a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml +++ b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml @@ -5,7 +5,6 @@ description: Detect DLL deletions from Spooler Service driver folder references: - https://github.com/hhlxf/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 author: Bhabesh Raj date: 2021/07/01 modified: 2021/08/24 @@ -14,6 +13,7 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1574 + - cve.2021.1675 logsource: category: file_delete product: windows diff --git a/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml index c1f90858..1c07a1d3 100644 --- a/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml 
@@ -8,12 +8,12 @@ modified: 2021/09/09 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ - - https://nvd.nist.gov/vuln/detail/cve-2021-33771 - - https://nvd.nist.gov/vuln/detail/cve-2021-31979 tags: - attack.credential_access - attack.t1566 - attack.t1203 + - cve.2021.33771 + - cve.2021.31979 # - threat_group.Sourgum logsource: product: windows diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml index 9f426abd..25264ba5 100644 --- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml @@ -8,12 +8,12 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 date: 2021/06/29 modified: 2021/07/01 tags: - attack.execution - attack.privilege_escalation + - cve.2021.1675 logsource: category: file_event product: windows diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml index ea5cc888..e4acb494 100644 --- a/rules/windows/file_event/win_hivenightmare_file_exports.yml +++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml @@ -9,13 +9,13 @@ references: - https://github.com/FireFart/hivenightmare/ - https://github.com/WiredPulse/Invoke-HiveNightmare - https://twitter.com/cube0x0/status/1418920190759378944 - - https://nvd.nist.gov/vuln/detail/cve-2021-36934 logsource: product: windows category: file_event tags: - attack.credential_access - attack.t1552.001 + - cve.2021.36934 detection: selection: - TargetFilename|contains: 
diff --git a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml index 38e94f80..44ff79a9 100644 --- a/rules/windows/image_load/sysmon_spoolsv_dll_load.yml +++ b/rules/windows/image_load/sysmon_spoolsv_dll_load.yml @@ -4,8 +4,6 @@ status: experimental description: Detect DLL Load from Spooler Service backup folder references: - https://github.com/hhlxf/PrintNightmare - - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: FPT.EagleEye, Thomas Patzke (improvements) date: 2021/06/29 modified: 2021/08/24 @@ -14,6 +12,8 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1574 + - cve.2021.1675 + - cve.2021.34527 logsource: category: image_load product: windows diff --git a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml index b0102bf5..fe5b0da8 100644 --- a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml +++ b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml @@ -6,13 +6,12 @@ author: Bhabesh Raj status: experimental level: critical references: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - - https://nvd.nist.gov/vuln/detail/cve-2021-26857 date: 2021/03/03 tags: - attack.t1203 - attack.execution + - cve.2021.26857 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml index a4593acf..43b24985 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml 
@@ -14,6 +14,7 @@ tags: - attack.t1059.003 - attack.t1059 # an old one - attack.t1574 + - cve.2019.1378 logsource: category: process_creation product: windows From 193357cf174fe95be8a6b59ed327568c5a78e5c5 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 18:51:40 +0200 Subject: [PATCH 24/28] Add cve tags --- .../zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index 6ebaab90..da006cf6 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -16,8 +16,8 @@ references: tags: - attack.execution - - cve-2021-1678 - - cve-2021-1675 + - cve.2021.1678 + - cve.2021.1675 - cve.2021.34527 logsource: product: zeek From 8eee468cc3c2716236cd61a71555ccc4c767a20a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Oct 2021 20:49:30 +0200 Subject: [PATCH 25/28] Add detect_by_option --- .../windows/process_creation/win_susp_rclone_execution.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_rclone_execution.yml b/rules/windows/process_creation/win_susp_rclone_execution.yml index 5f185a57..9dfaab71 100644 --- a/rules/windows/process_creation/win_susp_rclone_execution.yml +++ b/rules/windows/process_creation/win_susp_rclone_execution.yml @@ -20,6 +20,11 @@ logsource: product: windows category: process_creation detection: + detect_by_option: + CommandLine|contains|all: + - '--config ' + - '--no-check-certificate ' + - ' copy ' exec_selection: Image|endswith: '\rclone.exe' ParentImage|endswith: 
@@ -45,7 +50,7 @@ detection: - 'no-check-certificate ' description_selection: Description: 'Rsync for cloud storage' - condition: command_selection and ( description_selection or exec_selection ) + condition: detect_by_option or command_selection and ( description_selection or exec_selection ) fields: - CommandLine - ParentCommandLine From ad0bcebe9cec2f726b808d1199f8a7e64345183f Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Mon, 25 Oct 2021 21:30:33 +0200 Subject: [PATCH 26/28] Adding some additional details about sysmon config and also way to test detection. --- rules/windows/pipe_created/pipe_created_tool_psexec.yml | 3 ++- rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml | 3 +-- .../pipe_created/sysmon_cred_dump_tools_named_pipes.yml | 1 + rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml | 2 +- rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 2 +- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +- rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 2 +- rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml | 2 +- .../pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml | 2 +- .../pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml | 2 +- 10 files changed, 11 insertions(+), 10 deletions(-) diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml index b662d0ef..900ec9f5 100644 --- a/rules/windows/pipe_created/pipe_created_tool_psexec.yml +++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml 
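Review bot: `condition: detect_by_option or command_selection and ( description_selection or exec_selection )` relies on `and` binding tighter than `or` in the Sigma condition grammar; it parses as intended, but the precedence is easy to misread, so write it as `condition: detect_by_option or ( command_selection and ( description_selection or exec_selection ) )`. In the `detect_by_option` selection added by the previous hunk, every keyword carries a trailing space (`'--config '`, `'--no-check-certificate '`, `' copy '`), so an invocation whose last argument is `--no-check-certificate` will not match; consider dropping the trailing spaces or adding variants without them.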
@@ -27,10 +27,11 @@ fields: logsource: category: pipe_created product: windows + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: sysmon_pipecreated: PipeName: '\PSEXESVC' condition: sysmon_pipecreated falsepositives: - unknown -level: low \ No newline at end of file +level: low diff --git a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml index 313d3435..66e600c1 100755 --- a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml @@ -11,7 +11,7 @@ author: Markus Neis logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for PipeEvents in Symson config' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName: @@ -25,4 +25,3 @@ detection: falsepositives: - Unknown level: critical - 
diff --git a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index ad56fd69..e4c7897d 100644 --- a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml @@ -16,6 +16,7 @@ tags: logsource: product: windows category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName|contains: diff --git a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml index 9d444f88..850a6f68 100644 --- a/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_efspotato_namedpipe.yml 
@@ -10,7 +10,7 @@ author: Florian Roth logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName|contains: diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 80ada94e..67e1f7a9 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml 
@@ -16,7 +16,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection_MSSE: PipeName|contains|all: diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index affe16b4..ad52ba0b 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: - PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index f8fbc077..835c6fde 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml 
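Review bot: The new `definition` string contains the clause `You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular` twice back to back, the first copy without its terminating period, which reads as a paste error; the identical duplication appears in the sysmon_susp_cobaltstrike_pipe_patterns.yml hunk of this commit. Keep a single copy so the value reads `...https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575`. Since the text now steers analysts toward running a script from a third-party blog to generate test pipes, a short caveat that it should be reviewed and run on a lab host rather than a production endpoint would be a useful addition.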
@@ -9,7 +9,7 @@ author: Florian Roth, blueteam0ps logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName: diff --git a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml index 258a0a1d..fa35acce 100644 --- a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml +++ b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for PipeEvents in Symson config' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: PipeName|startswith: 
diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index 79ea5a81..5c8dfda6 100644 --- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection_malleable_profiles: - PipeName|startswith: diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml index dfb28c36..87933c08 100644 --- a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml 
@@ -9,7 +9,7 @@ author: Florian Roth logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: Image|endswith: '\scrcons.exe' From ba4bb061c7a280881ca614c7b9fc0fc096c2eae1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 26 Oct 2021 12:22:18 +0200 Subject: [PATCH 27/28] Fix test_duplicate_detections for logsource --- tests/test_rules.py | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index b31c8eab..9a598402 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -184,31 +184,33 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_detections, [], Fore.RED + "There are rules using '1/all of them' style conditions but only have one condition") - def test_duplicate_titles(self): + def test_duplicate_detections(self): def compare_detections(detection1:dict, detection2:dict) -> bool: - # detections not the same length can't be the same + # detections not the same count can't be the same if len(detection1) != len(detection2): - return False - + return False + for named_condition in detection1: #don't check timeframes if named_condition == "timeframe": continue - + # condition clause must be the same too if named_condition == "condition": if detection1["condition"] != detection2["condition"]: return False else: continue - + # Named condition must exist in both rule files if named_condition not in detection2: return False - + + #can not be the same if len is not equal if len(detection1[named_condition]) != len(detection2[named_condition]): return False + for condition in detection1[named_condition]: if type(condition) != str: @@ -216,10 +218,9 @@ class TestRules(unittest.TestCase): if condition not in detection2[named_condition]: return False - + condition_value1 = detection1[named_condition][condition] condition_value2 = detection2[named_condition][condition] - if condition_value1 != condition_value2: return False @@ -229,9 +230,11 @@ class TestRules(unittest.TestCase): files_and_their_detections = {} for file in self.yield_next_rule_file_path(self.path_to_rules): + print(file) detection = self.get_rule_part(file_path = file, part_name = "detection") logsource = self.get_rule_part(file_path = file, part_name = "logsource") - detection.update(logsource) + detection["logsource"] = {} + detection["logsource"].update(logsource) yaml = self.get_rule_yaml(file_path = file) is_multipart_yaml_file = len(yaml) != 1 From c0a3f7afdd1d94876696cafc3832dc3be4f2fd4e Mon Sep 17 00:00:00 2001 
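Review bot: `compare_detections` still has no docstring after this rewrite, and since its contract is subtle (timeframe ignored, `condition` compared as a string, everything else compared key by key and value by value) a maintainer reading the renamed `test_duplicate_detections` cannot tell what "duplicate" means without stepping through it; a one-liner such as `"""Return True when two Sigma detection blocks are structurally identical, ignoring timeframe."""` would cover it. The `if type(condition) != str:` check at the end of the hunk is the non-idiomatic form; `if not isinstance(condition, str):` is the usual spelling and also accepts str subclasses. Beyond the rename, the rest of this hunk only strips trailing whitespace. `compare_detections` continues past the end of the hunk, so the list-of-maps branch behind that `type` check is not visible here.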
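Review bot: `detection["logsource"] = {}` followed by `detection["logsource"].update(logsource)` is a two-step way of writing `detection["logsource"] = dict(logsource)`, and the copy is the right call since it stops the test from aliasing the parsed logsource mapping. What the hunk does not guard is a rule whose logsource section is absent: if `get_rule_part` returns `None` in that case (not visible here), `{}.update(None)` raises `TypeError` inside the loop and the failure names no rule file, so an `self.assertIsNotNone(logsource, f"{file} has no logsource")` before the assignment, or a deliberate skip, would make the failure actionable. Nesting the logsource under the fixed key `"logsource"` also means a rule that happens to name a selection `logsource` would be clobbered; that is unlikely in practice, but a short comment on why the key is nested rather than merged (so product/category no longer masquerade as named conditions in `compare_detections`) would document the fix this commit makes.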
From: frack113 Date: Tue, 26 Oct 2021 12:25:26 +0200 Subject: [PATCH 28/28] Remove my print debug --- tests/test_rules.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 9a598402..58c57fe0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -230,7 +230,6 @@ class TestRules(unittest.TestCase): files_and_their_detections = {} for file in self.yield_next_rule_file_path(self.path_to_rules): - print(file) detection = self.get_rule_part(file_path = file, part_name = "detection") logsource = self.get_rule_part(file_path = file, part_name = "logsource") detection["logsource"] = {}