added new rule

silenttrinity_stage_ use, sysmon_mimikatz_сreds_dump, sysmon_registry_persistence_key_linking, sysmon_сreds_dump
2024-11-08 02:08:54 +00:00 · 2019-10-23 18:08:30 +03:00 · 2019-10-23 18:08:30 +03:00 · 4c84412944
commit 4c84412944
parent bc943343df
4 changed files with 104 additions and 0 deletions
--- a/rules/windows/process_creation/silenttrinity_stage_
+++ b/rules/windows/process_creation/silenttrinity_stage_
@ -0,0 +1,31 @@
+action: global
+title: SILENTTRINITY
+status: experimental
+description: Detect SILENTTRINITY stager use
+references:
+  - https://github.com/byt3bl33d3r/SILENTTRINITY
+author: Aleksey Potapov, oscd.community
+date: 2019/10/22
+tags:
+  - attack.execution
+detection:
+  condition: selection
+falsepositives:
+  - unknown
+level: high
+---
+logsource:
+  category: process_creation
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    Description: '*st2stager*'
+---
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 7
+    Description: '*st2stager*'
--- a/rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml
@ -0,0 +1,25 @@
+title: Mimikatz сred access dump
+description: Detects process access to LSASS which is typical for like Mimikatz tools different version
+references:
+  - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+tags:
+  - attack.credential_access
+  - attack.t1003
+status: experimental
+author: Aleksey Potapov, oscd.community
+date: 2019/10/23
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 10
+    TargetImage: 'C:\windows\system32\lsass.exe'
+    GrantedAccess:
+      - '0x1410'
+      - '0x1010'
+      - '0x143a'
+  condition: selection
+falsepositives:
+  - unknown
+level: high
--- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
@ -0,0 +1,21 @@
+title: Windows Registry Persistence - COM key linking
+status: experimental
+description: Detects COM object hijacking via TreatAs subkey
+references:
+    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Kutepov Anton, oscd.community
+date: 2019/10/23
+tags:
+    - attack.persistence
+    - attack.t1122
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 12
+        TargetObject: 'HKU\*_Classes\CLSID\*\TreatAs'
+    condition: selection
+falsepositives: 
+    - Maybe some system utilities in rare cases use linking keys for backward compability
+level: medium
--- a/rules/windows/sysmon/sysmon_сreds_dump.yml
+++ b/rules/windows/sysmon/sysmon_сreds_dump.yml
@ -0,0 +1,27 @@
+title: Cred access
+description: The following GrantedAccess  only privileged levels of memory access to specific processes. This will typically be very low volume, with Sysmon events only being logged in the event of attacker activity. 
+Most characteristic of powershell offensive tools.
+references:
+  - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+tags:
+  - attack.credential_access
+  - attack.t1003
+status: experimental
+author: Aleksey Potapov, oscd.community
+date: 2019/10/23
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 10
+    TargetImage: 'C:\windows\system32\lsass.exe'
+    GrantedAccess:
+      - '0x1f0fff'
+      - '0x1f1fff'
+      - '0x1f2fff'
+      - '0x1f3fff'
+  condition: selection
+falsepositives:
+  - unknown
+level: high