diff --git a/Makefile b/Makefile index f1f04174..e25a3cc4 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,10 @@ test-rules: tests/test_rules.py test-sigmac: + coverage run -a --include=$(COVSCOPE) tools/sigmac + coverage run -a --include=$(COVSCOPE) tools/sigmac -h coverage run -a --include=$(COVSCOPE) tools/sigmac -l + ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null @@ -40,6 +43,7 @@ test-sigmac: ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null + coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null 
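Review bot: The new negative case `! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null` only passes while at least one rule under rules/ fails es-qs conversion without `-I`, so the assertion rests on an unrelated property of the rule corpus and will start failing the day every rule converts cleanly. Pin the error path to a dedicated fixture under tests/ that is known not to convert, so the line documents what it actually checks. The first added line also asserts that a bare `tools/sigmac` with no arguments exits 0; if that is meant to exercise the usage path, a short comment above it would spare the next reader a guess. The test-sigmac recipe continues past the end of this hunk.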
@@ -49,10 +53,13 @@ test-sigmac:
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
+ coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null
+ coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
diff --git a/rules/apt/apt_babyshark.yml b/rules/apt/apt_babyshark.yml
index e5d8e330..063ecadc 100644
--- a/rules/apt/apt_babyshark.yml
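Review bot: Every new multi-config invocation here, including the targeted `-c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml` case, sends its output to `/dev/null` and checks only the exit status, so a second `-c` that silently drops or overrides the first config's field mappings would still pass. For the targeted fixture at least, write the output to a file (the hunk already uses `-o $(TMPOUT)` for the collection test) and compare it against the expected query so a regression in config merging is visible rather than hidden behind a zero exit code. The fixture files are referenced but not part of this diff, so I am assuming they are added elsewhere in the commit.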
+++ b/rules/apt/apt_babyshark.yml
@@ -1,39 +1,20 @@
----
-action: global
-title: Baby Shark Activity
+title: Baby Shark Activity
 status: experimental
-description: 'Detects activity that could be related to Baby Shark malware'
+description: Detects activity that could be related to Baby Shark malware
 references:
 - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 logsource:
+ category: process_creation
 product: windows
 author: Florian Roth
-date: 2019/02/24
+date: 2019/02/24
 detection:
+ selection:
+ CommandLine:
+ - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+ - powershell.exe mshta.exe http*
+ - cmd.exe /c taskkill /im cmd.exe
 condition: selection
 falsepositives:
 - unknown
 level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- - 'powershell.exe mshta.exe http*'
- - 'cmd.exe /c taskkill /im cmd.exe'
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- - 'powershell.exe mshta.exe http*'
- - 'cmd.exe /c taskkill /im cmd.exe'
diff --git a/rules/apt/apt_bear_activity_gtr19.yml b/rules/apt/apt_bear_activity_gtr19.yml
index 09d759e9..60567ff1 100644
--- a/rules/apt/apt_bear_activity_gtr19.yml
+++ b/rules/apt/apt_bear_activity_gtr19.yml
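Review bot: The three `CommandLine` values under `selection` are anchored at the start of the string, so `powershell.exe mshta.exe http*` and `cmd.exe /c taskkill /im cmd.exe` only match when the command line begins with the bare binary name; a process-creation event whose command line starts with the full (often quoted) image path will be missed. Unless that anchoring is deliberate, a leading wildcard — `- '*powershell.exe mshta.exe http*'`, `- '*cmd.exe /c taskkill /im cmd.exe'`, and likewise for the `reg query` entry — would also cover those invocations. The now-unquoted `reg query "HKEY_CURRENT_USER\..."` value parses as a YAML plain scalar only because the double quote is not its first character; keeping the single quotes the old version had avoids depending on that.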
@@ -1,44 +1,23 @@
----
-action: global
-title: Judgement Panda Exfil Activity
-description: 'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike'
+title: Judgement Panda Exfil Activity
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
 references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-logsource:
- product: windows
 author: Florian Roth
-date: 2019/02/21
-tags:
+date: 2019/02/21
+tags:
 - attack.credential_access
 - attack.t1098
+logsource:
+ category: process_creation
+ product: windows
 detection:
+ selection1:
+ Image: '*\xcopy.exe'
+ CommandLine: '* /S /E /C /Q /H \\*'
+ selection2:
+ Image: '*\adexplorer.exe'
+ CommandLine: '* -snapshot "" c:\users\\*'
 condition: selection1 or selection2
 falsepositives:
 - unknown
 level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- Image: '*\xcopy.exe'
- CommandLine: '* /S /E /C /Q /H \\*'
- selection2:
- EventID: 1
- Image: '*\adexplorer.exe'
- CommandLine: '* -snapshot "" c:\users\\*'
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection1:
- EventID: 4688
- ProcessCommandLine: '*\xcopy.exe /S /E /C /Q /H \\*'
- selection2:
- EventID: 4688
- NewProcessName: '*\adexplorer.exe'
- ProcessCommandLine: '* -snapshot "" c:\users\\*'
\ No newline at end of file
diff --git a/rules/apt/apt_judgement_panda_gtr19.yml b/rules/apt/apt_judgement_panda_gtr19.yml
index dcf80f8d..37aa0fd0 100644
--- a/rules/apt/apt_judgement_panda_gtr19.yml
+++ b/rules/apt/apt_judgement_panda_gtr19.yml
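Review bot: `title: Judgement Panda Exfil Activity` is kept on a rule whose description says it detects Russian group activity and whose file is apt_bear_activity_gtr19.yml, and it is byte-identical to the title of rules/apt/apt_judgement_panda_gtr19.yml in the next hunk, so alerts from the two rules cannot be told apart by title in any backend that surfaces it. Since the rule header is being rewritten anyway, give it a title that matches the description and filename, e.g. `title: Bear Exfil Activity GTR19`. The `attack.t1098` tag (account manipulation) also reads oddly for an xcopy/adexplorer collection pattern, but that is carried over from the old version and may be intentional.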
@@ -1,61 +1,33 @@
----
-action: global
-title: Judgement Panda Exfil Activity
-description: 'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'
+title: Judgement Panda Exfil Activity
+description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
 references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-logsource:
- product: windows
 author: Florian Roth
-date: 2019/02/21
-tags:
+date: 2019/02/21
+tags:
 - attack.lateral_movement
 - attack.g0010
 - attack.credential_access
 - attack.t1098
 - attack.exfiltration
 - attack.t1002
+logsource:
+ category: process_creation
+ product: windows
 detection:
+ selection1:
+ CommandLine:
+ - '*\ldifde.exe -f -n *'
+ - '*\7za.exe a 1.7z *'
+ - '* eprod.ldf'
+ - '*\aaaa\procdump64.exe*'
+ - '*\aaaa\netsess.exe*'
+ - '*\aaaa\7za.exe*'
+ - '*copy .\1.7z \\*'
+ - '*copy \\client\c$\aaaa\*'
+ selection2:
+ Image: C:\Users\Public\7za.exe
 condition: selection1 or selection2
 falsepositives:
 - unknown
 level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- CommandLine:
- - '*\ldifde.exe -f -n *'
- - '*\7za.exe a 1.7z *'
- - '* eprod.ldf'
- - '*\aaaa\procdump64.exe*'
- - '*\aaaa\netsess.exe*'
- - '*\aaaa\7za.exe*'
- - '*copy .\1.7z \\*'
- - '*copy \\client\c$\aaaa\*'
- selection2:
- EventID: 1
- Image: 'C:\Users\Public\7za.exe'
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection1:
- EventID: 4688
- ProcessCommandLine:
- - '*\ldifde.exe -f -n *'
- - '*\7za.exe a 1.7z *'
- - '* eprod.ldf'
- - '*\aaaa\procdump64.exe*'
- - '*\aaaa\netsess.exe*'
- - '*\aaaa\7za.exe*'
- - '*copy .\1.7z \\*'
- - '*copy \\client\c$\aaaa\*'
- selection2:
- EventID: 4688
- NewProcessName: 'C:\Users\Public\7za.exe'
\ No newline at end of file
diff --git a/rules/windows/builtin/win_hack_rubeus.yml b/rules/windows/builtin/win_hack_rubeus.yml
deleted file mode 100644
index 1d03d783..00000000
--- a/rules/windows/builtin/win_hack_rubeus.yml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-action: global
-title: Rubeus Hack Tool
-description: Detects command line parameters used by Rubeus hack tool
-author: Florian Roth
-references:
- - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
-date: 2018/12/19
-tags:
- - attack.credential_access
- - attack.t1003
- - attack.s0005
-detection:
- condition: selection
-falsepositives:
- - unlikely
-level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - '* asreproast *'
- - '* dump /service:krbtgt *'
- - '* kerberoast *'
- - '* createnetonly /program:*'
- - '* ptt /ticket:*'
- - '* /impersonateuser:*'
- - '* renew /ticket:*'
- - '* asktgt /user:*'
- - '* harvest /interval:*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - '* asreproast *'
- - '* dump /service:krbtgt *'
- - '* kerberoast *'
- - '* createnetonly /program:*'
- - '* ptt /ticket:*'
- - '* /impersonateuser:*'
- - '* renew /ticket:*'
- - '* asktgt /user:*'
- - '* harvest /interval:*'
\ No newline at end of file
diff --git a/rules/windows/builtin/win_netsh_port_fwd.yml b/rules/windows/builtin/win_netsh_port_fwd.yml
deleted file mode 100644
index ac05d5de..00000000
--- a/rules/windows/builtin/win_netsh_port_fwd.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-action: global
-title: Netsh Port Forwarding
-description: Detects netsh commands that configure a port forwarding
-references:
- - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
-date: 2019/01/29
-tags:
- - attack.lateral_movement
-status: experimental
-author: Florian Roth
-detection:
- condition: selection
-falsepositives:
- - Legitimate administration
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'netsh interface portproxy add v4tov4 *'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'netsh interface portproxy add v4tov4 *'
diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
deleted file mode 100644
index 847eb766..00000000
--- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml
+++ /dev/null
@@ -1,146 +0,0 @@
-title: Executable used by PlugX in Uncommon Location
-status: experimental
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references:
- - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
- - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
-author: Florian Roth
-date: 2017/06/12
-tags:
- - attack.s0013
-logsource:
- product: windows
- service: security
-detection:
-
- # CamMute
- selection_cammute:
- EventID: 4688
- CommandLine: '*\CamMute.exe'
- filter_cammute:
- EventID: 4688
- CommandLine: '*\Lenovo\Communication Utility\\*'
-
- # Chrome Frame Helper
- selection_chrome_frame:
- EventID: 4688
- CommandLine: '*\chrome_frame_helper.exe'
- filter_chrome_frame:
- EventID: 4688
- CommandLine: '*\Google\Chrome\application\\*'
-
- # Microsoft Device Emulator
- selection_devemu:
- EventID: 4688
- CommandLine: '*\dvcemumanager.exe'
- filter_devemu:
- EventID: 4688
- CommandLine: '*\Microsoft Device Emulator\\*'
-
- # Windows Media Player Gadget
- selection_gadget:
- EventID: 4688
- CommandLine: '*\Gadget.exe'
- filter_gadget:
- EventID: 4688
- CommandLine: '*\Windows Media Player\\*'
-
- # HTML Help Workshop
- selection_hcc:
- EventID: 4688
- CommandLine: '*\hcc.exe'
- filter_hcc:
- EventID: 4688
- CommandLine: '*\HTML Help Workshop\\*'
-
- # Hotkey Command Module for Intel Graphics Contollers
- selection_hkcmd:
- EventID: 4688
- CommandLine: '*\hkcmd.exe'
- filter_hkcmd:
- EventID: 4688
- CommandLine:
- - '*\System32\\*'
- - '*\SysNative\\*'
- - '*\SysWowo64\\*'
-
- # McAfee component
- selection_mc:
- EventID: 4688
- CommandLine: '*\Mc.exe'
- filter_mc:
- EventID: 4688
- CommandLine:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
-
- # MsMpEng - Microsoft Malware Protection Engine
- selection_msmpeng:
- EventID: 4688
- CommandLine: '*\MsMpEng.exe'
- filter_msmpeng:
- EventID: 4688
- CommandLine:
- - '*\Microsoft Security Client\\*'
- - '*\Windows Defender\\*'
- - '*\AntiMalware\\*'
-
- # Microsoft Security Center
- selection_msseces:
- EventID: 4688
- CommandLine: '*\msseces.exe'
- filter_msseces:
- EventID: 4688
- CommandLine: '*\Microsoft Security Center\\*'
-
- # Microsoft Office 2003 OInfo
- selection_oinfo:
- EventID: 4688
- CommandLine: '*\OInfoP11.exe'
- filter_oinfo:
- EventID: 4688
- CommandLine: '*\Common Files\Microsoft Shared\\*'
-
- # OLE View
- selection_oleview:
- EventID: 4688
- CommandLine: '*\OleView.exe'
- filter_oleview:
- EventID: 4688
- CommandLine:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\\*'
-
- # RC
- selection_rc:
- EventID: 4688
- CommandLine: '*\rc.exe'
- filter_rc:
- EventID: 4688
- CommandLine:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\\*'
- - '*\Microsoft.NET\\*'
-
- condition: ( selection_cammute and not filter_cammute ) or
- ( selection_chrome_frame and not filter_chrome_frame ) or
- ( selection_devemu and not filter_devemu ) or
- ( selection_gadget and not filter_gadget ) or
- ( selection_hcc and not filter_hcc ) or
- ( selection_hkcmd and not filter_hkcmd ) or
- ( selection_mc and not filter_mc ) or
- ( selection_msmpeng and not filter_msmpeng ) or
- ( selection_msseces and not filter_msseces ) or
- ( selection_oinfo and not filter_oinfo ) or
- ( selection_oleview and not filter_oleview ) or
- ( selection_rc and not filter_rc )
-falsepositives:
- - Unknown
-level: high
-
-
diff --git a/rules/windows/builtin/win_powershell_b64_shellcode.yml b/rules/windows/builtin/win_powershell_b64_shellcode.yml
deleted file mode 100644
index 7ccb1bff..00000000
--- a/rules/windows/builtin/win_powershell_b64_shellcode.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-action: global
-title: PowerShell Base64 Encoded Shellcode
-description: Detects Base64 encoded Shellcode
-status: experimental
-references:
- - https://twitter.com/cyb3rops/status/1063072865992523776
-author: Florian Roth
-date: 2018/11/17
-tags:
- - attack.defense_evasion
- - attack.t1036
-detection:
- condition: selection1 and selection2
-falsepositives:
- - Unknown
-level: critical
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection1:
- EventID: 4688
- ProcessCommandLine: '*AAAAYInlM*'
- selection2:
- ProcessCommandLine:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- CommandLine: '*AAAAYInlM*'
- selection2:
- CommandLine:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
-
diff --git a/rules/windows/builtin/win_spn_enum.yml b/rules/windows/builtin/win_spn_enum.yml
deleted file mode 100644
index e6397c7c..00000000
--- a/rules/windows/builtin/win_spn_enum.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-action: global
-title: Possible SPN Enumeration
-description: Detects Service Principal Name Enumeration used for Kerberoasting
-status: experimental
-references:
- - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
-author: Markus Neis, keepwatch
-date: 2018/11/14
-tags:
- - attack.credential_access
- - attack.t1208
-detection:
- selection_image:
- Image: '*\setspn.exe'
- selection_desc:
- Description: '*Query or reset the computer* SPN attribute*'
- cmd:
- CommandLine: '*-q*'
- condition: selection and (selection_image or selection_desc) and cmd
-falsepositives:
- - Administrator Activity
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
-
diff --git a/rules/windows/builtin/win_susp_bcdedit.yml b/rules/windows/builtin/win_susp_bcdedit.yml
deleted file mode 100644
index fd2702bb..00000000
--- a/rules/windows/builtin/win_susp_bcdedit.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-action: global
-title: Possible Ransomware or unauthorized MBR modifications
-status: experimental
-description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
-references:
- - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
-author: "@neu5ron"
-date: 2019/02/07
-detection:
- condition: selection
-level: medium
----
-# Windows Security Eventlog: Process Creation with Full Command Line
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- NewProcessName: '*\fsutil.exe'
- ProcessCommandLine:
- - '*delete*'
- - '*deletevalue*'
- - '*import*'
----
-# Sysmon: Process Creation (ID 1)
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\fsutil.exe'
- ProcessCommandLine:
- - '*delete*'
- - '*deletevalue*'
- - '*import*'
diff --git a/rules/windows/builtin/win_susp_calc.yml b/rules/windows/builtin/win_susp_calc.yml
deleted file mode 100644
index 2d505579..00000000
--- a/rules/windows/builtin/win_susp_calc.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-action: global
-title: Suspicious Calculator Usage
-description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
-status: experimental
-references:
- - https://twitter.com/ItsReallyNick/status/1094080242686312448
-author: Florian Roth
-date: 2019/02/09
-detection:
- condition: selection1 or ( selection2 and not filter2 )
-falsepositives:
- - Unknown
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- CommandLine: '*\calc.exe *'
- selection2:
- EventID: 1
- Image: '*\calc.exe'
- filter2:
- Image: '*\Windows\Sys*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection1:
- EventID: 4688
- ProcessCommandLine: '*\calc.exe *'
- selection2:
- EventID: 1
- Image: '*\calc.exe'
- filter2:
- Image: '*\Windows\Sys*'
\ No newline at end of file
diff --git a/rules/windows/builtin/win_susp_certutil_encode.yml b/rules/windows/builtin/win_susp_certutil_encode.yml
deleted file mode 100644
index f0cac5a4..00000000
--- a/rules/windows/builtin/win_susp_certutil_encode.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-action: global
-title: Certutil Encode
-status: experimental
-description: 'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration'
-references:
- - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-logsource:
- product: windows
-author: Florian Roth
-date: 2019/02/24
-detection:
- condition: selection
-falsepositives:
- - unknown
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'certutil -f -encode *'
- - 'certutil.exe -f -encode *'
- - 'certutil -encode -f *'
- - 'certutil.exe -encode -f *'
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'certutil -f -encode *'
- - 'certutil.exe -f -encode *'
- - 'certutil -encode -f *'
- - 'certutil.exe -encode -f *'
-
diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml
deleted file mode 100644
index 47b6ad7c..00000000
--- a/rules/windows/builtin/win_susp_cli_escape.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-action: global
-title: Suspicious Commandline Escape
-description: Detects suspicious process that use escape characters
-status: experimental
-references:
- - https://twitter.com/vysecurity/status/885545634958385153
- - https://twitter.com/Hexacorn/status/885553465417756673
- - https://twitter.com/Hexacorn/status/885570278637678592
- - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
-author: juju4
-modified: 2018/12/11
-tags:
- - attack.defense_evasion
- - attack.t1140
-detection:
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- #- '^'
- #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
- # - '-'
- # - '―'
- #- 'c:/'
- - ''
- - '^h^t^t^p'
- - 'h"t"t"p'
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- #- '^'
- #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
- # - '-'
- # - '―'
- #- 'c:/'
- - ''
- - '^h^t^t^p'
- - 'h"t"t"p'
\ No newline at end of file
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
deleted file mode 100644
index 3710465f..00000000
--- a/rules/windows/builtin/win_susp_commands_recon_activity.yml
+++ /dev/null
@@ -1,73 +0,0 @@
----
-action: global
-title: Reconnaissance Activity with Net Command
-status: experimental
-description: 'Detects a set of commands often used in recon stages by different attack groups'
-references:
- - https://twitter.com/haroonmeer/status/939099379834658817
- - https://twitter.com/c_APT_ure/status/939475433711722497
- - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-author: Florian Roth, Markus Neis
-date: 2018/08/22
-modified: 2018/12/11
-tags:
- - attack.discovery
- - attack.t1073
- - attack.t1012
-detection:
- timeframe: 15s
- condition: selection | count() by CommandLine > 4
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'tasklist'
- - 'net time'
- - 'systeminfo'
- - 'whoami'
- - 'nbtstat'
- - 'net start'
- - '*\net1 start'
- - 'qprocess'
- - 'nslookup'
- - 'hostname.exe'
- - '*\net1 user /domain'
- - '*\net1 group /domain'
- - '*\net1 group "domain admins" /domain'
- - '*\net1 group "Exchange Trusted Subsystem" /domain'
- - '*\net1 accounts /domain'
- - '*\net1 user net localgroup administrators'
- - 'netstat -an'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'tasklist'
- - 'net time'
- - 'systeminfo'
- - 'whoami'
- - 'nbtstat'
- - 'net start'
- - '*\net1 start'
- - 'qprocess'
- - 'nslookup'
- - 'hostname.exe'
- - '*\net1 user /domain'
- - '*\net1 group /domain'
- - '*\net1 group "domain admins" /domain'
- - '*\net1 group "Exchange Trusted Subsystem" /domain'
- - '*\net1 accounts /domain'
- - '*\net1 user net localgroup administrators'
- - 'netstat -an'
diff --git a/rules/windows/builtin/win_susp_gup.yml b/rules/windows/builtin/win_susp_gup.yml
deleted file mode 100644
index e934b371..00000000
--- a/rules/windows/builtin/win_susp_gup.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-action: global
-title: Suspicious GUP Usage
-description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-status: experimental
-references:
- - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
-author: Florian Roth
-date: 2019/02/06
-detection:
- condition: selection and not filter
-falsepositives:
- - 'Execution of tools named GUP.exe and located in folders different than Notepad++\updater'
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\GUP.exe'
- filter:
- Image: '*\updater\*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- NewProcessName: '*\GUP.exe'
- filter:
- NewProcessName: '*\updater\*'
diff --git a/rules/windows/builtin/win_susp_procdump.yml b/rules/windows/builtin/win_susp_procdump.yml
deleted file mode 100644
index 6909f423..00000000
--- a/rules/windows/builtin/win_susp_procdump.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-action: global
-title: Suspicious Use of Procdump
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
-status: experimental
-references:
- - Internal Research
-author: Florian Roth
-date: 2018/10/30
-tags:
- - attack.defense_evasion
- - attack.t1036
- - attack.credential_access
- - attack.t1003
-detection:
- condition: selection and selection1 and selection2
-falsepositives:
- - Unlikely, because no one should dump an lsass process memory
- - Another tool that uses the command line switches of Procdump
-level: medium
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- selection1:
- ProcessCommandLine:
- - "* -ma *"
- selection2:
- ProcessCommandLine:
- - '* lsass.exe*'
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- selection1:
- CommandLine:
- - "* -ma *"
- selection2:
- CommandLine:
- - '* lsass.exe*'
-
diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
deleted file mode 100644
index 67b7964f..00000000
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ /dev/null
@@ -1,147 +0,0 @@
----
-action: global
-title: Suspicious Process Creation
-description: Detects suspicious process starts on Windows systems based on keywords
-status: experimental
-references:
- - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
- - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- - https://twitter.com/subTee/status/872244674609676288
- - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
- - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
- - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
- - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
- - https://twitter.com/vector_sec/status/896049052642533376
- - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
-author: Florian Roth
-modified: 2018/12/11
-detection:
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- # Hacking activity
- - 'vssadmin.exe delete shadows*'
- - 'vssadmin delete shadows*'
- - 'vssadmin create shadow /for=C:*'
- - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'
- - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'
- - 'reg SAVE HKLM\SYSTEM *'
- - 'reg SAVE HKLM\SAM *'
- - '* sekurlsa:*'
- - 'net localgroup adminstrators * /add'
- - 'net group "Domain Admins" * /ADD /DOMAIN'
- - 'certutil.exe *-urlcache* http*'
- - 'certutil.exe *-urlcache* ftp*'
- # Malware
- - 'netsh advfirewall firewall *\AppData\\*'
- - 'attrib +S +H +R *\AppData\\*'
- - 'schtasks* /create *\AppData\\*'
- - 'schtasks* /sc minute*'
- - '*\Regasm.exe *\AppData\\*'
- - '*\Regasm *\AppData\\*'
- - '*\bitsadmin* /transfer*'
- - '*\certutil.exe * -decode *'
- - '*\certutil.exe * -decodehex *'
- - '*\certutil.exe -ping *'
- - 'icacls * /grant Everyone:F /T /C /Q'
- - '* wmic shadowcopy delete *'
- - '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- # Scripts
- - '*\wscript.exe *.jse'
- - '*\wscript.exe *.js'
- - '*\wscript.exe *.vba'
- - '*\wscript.exe *.vbe'
- - '*\cscript.exe *.jse'
- - '*\cscript.exe *.js'
- - '*\cscript.exe *.vba'
- - '*\cscript.exe *.vbe'
- # UAC bypass
- - '*\fodhelper.exe'
- # persistence
- - '*waitfor*/s*'
- - '*waitfor*/si persist*'
- # remote
- - '*remote*/s*'
- - '*remote*/c*'
- - '*remote*/q*'
- # AddInProcess
- - '*AddInProcess*'
- # NotPowershell (nps) attack
- # - '*msbuild*' # too many false positives
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- # Hacking activity
- - 'vssadmin.exe delete shadows*'
- - 'vssadmin delete shadows*'
- - 'vssadmin create shadow /for=C:*'
- - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'
- - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'
- - 'reg SAVE HKLM\SYSTEM *'
- - 'reg SAVE HKLM\SAM *'
- - '* sekurlsa:*'
- - 'net localgroup adminstrators * /add'
- - 'net group "Domain Admins" * /ADD /DOMAIN'
- - 'certutil.exe *-urlcache* http*'
- - 'certutil.exe *-urlcache* ftp*'
- # Malware
- - 'netsh advfirewall firewall *\AppData\\*'
- - 'attrib +S +H +R *\AppData\\*'
- - 'schtasks* /create *\AppData\\*'
- - 'schtasks* /sc minute*'
- - '*\Regasm.exe *\AppData\\*'
- - '*\Regasm *\AppData\\*'
- - '*\bitsadmin* /transfer*'
- - '*\certutil.exe * -decode *'
- - '*\certutil.exe * -decodehex *'
- - '*\certutil.exe -ping *'
- - 'icacls * /grant Everyone:F /T /C /Q'
- - '* wmic shadowcopy delete *'
- - '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- # Scripts
- - '*\wscript.exe *.jse'
- - '*\wscript.exe *.js'
- - '*\wscript.exe *.vba'
- - '*\wscript.exe *.vbe'
- - '*\cscript.exe *.jse'
- - '*\cscript.exe *.js'
- - '*\cscript.exe *.vba'
- - '*\cscript.exe *.vbe'
- # UAC bypass
- - '*\fodhelper.exe'
- # persistence
- - '*waitfor*/s*'
- - '*waitfor*/si persist*'
- # remote
- - '*remote*/s*'
- - '*remote*/c*'
- - '*remote*/q*'
- # AddInProcess
- - '*AddInProcess*'
- # NotPowershell (nps) attack
- # - '*msbuild*' # too many false positives
- # Keyloggers and Password-Stealers abusing NirSoft tools(Limitless Logger, Predator Pain, HawkEye Keylogger, iSpy Keylogger, KeyBase Keylogger)
- - '* /stext *'
- - '* /scomma *'
- - '* /stab *'
- - '* /stabular *'
- - '* /shtml *'
- - '* /sverhtml *'
- - '* /sxml *'
diff --git a/rules/windows/builtin/win_susp_ps_appdata.yml b/rules/windows/builtin/win_susp_ps_appdata.yml
deleted file mode 100644
index ef8200a8..00000000
--- a/rules/windows/builtin/win_susp_ps_appdata.yml
+++ /dev/null
@@ -1,39 +0,0 @@ ---- -action: global -title: PowerShell Script Run in AppData -status: experimental -description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder -references: - - https://twitter.com/JohnLaTwC/status/1082851155481288706 - - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 -author: Florian Roth -date: 2019/01/09 -logsource: - product: windows - service: sysmon -detection: - condition: selection -falsepositives: - - Administrative scripts -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '* /c powershell*\AppData\Local\\*' - - '* /c powershell*\AppData\Roaming\\*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '* /c powershell*\AppData\Local\\*' - - '* /c powershell*\AppData\Roaming\\*' diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml deleted file mode 100644 index 76676cfb..00000000 --- a/rules/windows/builtin/win_susp_rasdial_activity.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -action: global -title: Suspicious RASdial Activity -description: Detects suspicious process related to rasdial.exe -status: experimental -references: - - https://twitter.com/subTee/status/891298217907830785 -author: juju4 -detection: - selection: - CommandLine: - - 'rasdial' - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 diff --git a/rules/windows/builtin/win_susp_svchost.yml b/rules/windows/builtin/win_susp_svchost.yml deleted file mode 100644 index 9405f77d..00000000 --- a/rules/windows/builtin/win_susp_svchost.yml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -action: global -title: Suspicious Svchost Processes -description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder -author: Florian Roth, @c_APT_ure -date: 2018/10/26 -status: experimental -references: - - https://twitter.com/Moti_B/status/1002280132143394816 - - https://twitter.com/Moti_B/status/1002280287840153601 -falsepositives: - - Renamed %SystemRoot%s -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\svchost.exe' - filter1: - ParentImage: - - '*\services.exe' - - '*\MsMpEng.exe' - filter2: - CommandLine: '* -k *' - filter3: - Image: 'C:\Windows\S*' # \* is a reserved expression - condition: selection and not ( filter1 or filter2 or filter3 ) ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - NewProcessName: '*\svchost.exe' - # Deactivated as long as some backends do not fully support the 'null' expression - # filter2: - # ProcessCommandLine: - # - null # Missing KB3004375 and Group Policy setting - # - '* -k *' - filter3: - NewProcessName: 'C:\Windows\S*' # \* is a reserved expression - condition: selection and not filter3 - - diff --git a/rules/windows/builtin/win_susp_whoami.yml b/rules/windows/builtin/win_susp_whoami.yml deleted file mode 100644 index 3d8ab3d4..00000000 --- a/rules/windows/builtin/win_susp_whoami.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -action: global -title: Whoami Execution -status: experimental -description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators' -references: - - https://twitter.com/haroonmeer/status/939099379834658817 - - https://twitter.com/c_APT_ure/status/939475433711722497 -author: Florian Roth -date: 2018/05/22 -tags: - - attack.discovery - - attack.t1033 -detection: - condition: selection -falsepositives: - - Admin activity - - Scripts and administrative tools used in the monitored environment -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: 'whoami' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - NewProcessName: '*\whoami.exe' diff --git a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml deleted file mode 100644 index ecedd03f..00000000 --- a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -action: global -title: WMI Persistence - Script Event Consumer -status: experimental -description: Detects WMI script event consumers -references: - - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ -author: Thomas Patzke -date: 2018/03/07 -tags: - - attack.execution - - attack.persistence - - attack.t1047 -detection: - selection: - Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' - ParentImage: 'C:\Windows\System32\svchost.exe' - condition: selection -falsepositives: - - Legitimate event consumers -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml deleted file mode 100644 index 89a95be3..00000000 --- a/rules/windows/malware/win_mal_wannacry.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -action: global -title: WannaCry Ransomware -description: Detects WannaCry Ransomware Activity -status: experimental -references: - - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa -author: Florian Roth -detection: - selection1: - CommandLine: - - '*vssadmin delete shadows*' - - '*icacls * /grant Everyone:F /T /C /Q*' - - '*bcdedit /set {default} recoveryenabled no*' - - '*wbadmin delete catalog -quiet*' - condition: 1 of them -falsepositives: - - Unknown -level: critical ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection1: - # Requires group policy 'Audit Process Creation' > Include command line in process creation events - EventID: 4688 - selection2: - # Does not require group policy 'Audit Process Creation' > Include command line in process creation events - EventID: 4688 - NewProcessName: - - '*\tasksche.exe' - - '*\mssecsvc.exe' - - '*\taskdl.exe' - - '*\WanaDecryptor*' - - '*\taskhsvc.exe' - - '*\taskse.exe' - - '*\111.exe' - - '*\lhdfrgui.exe' - - '*\diskpart.exe' # Rare, but can be false positive - - '*\linuxnew.exe' - - '*\wannacry.exe' ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection1: - # Requires group policy 'Audit Process Creation' > Include command line in process creation events - EventID: 1 - selection2: - # Does not require group policy 'Audit Process Creation' > Include command line in process creation events - EventID: 1 - Image: - - '*\tasksche.exe' - - '*\mssecsvc.exe' - - '*\taskdl.exe' - - '*\WanaDecryptor*' - - '*\taskhsvc.exe' - - '*\taskse.exe' - - '*\111.exe' - - '*\lhdfrgui.exe' - - '*\diskpart.exe' # Rare, but can be false positive - - '*\linuxnew.exe' - - '*\wannacry.exe' 
diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/process_creation/powershell_xor_commandline.yml similarity index 52% rename from rules/windows/powershell/powershell_xor_commandline.yml rename to rules/windows/process_creation/powershell_xor_commandline.yml index 57e4c60e..9939121d 100644 --- a/rules/windows/powershell/powershell_xor_commandline.yml +++ b/rules/windows/process_creation/powershell_xor_commandline.yml @@ -1,4 +1,3 @@ -action: global title: Suspicious XOR Encoded PowerShell Command Line description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. status: experimental @@ -9,21 +8,9 @@ detection: CommandLine: - '* -bxor*' condition: selection -falsepositives: +falsepositives: - unknown level: medium ---- logsource: + category: process_creation product: windows - service: sysmon -detection: - selection: - EventID: 1 ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 diff --git a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml similarity index 84% rename from rules/windows/sysmon/sysmon_attrib_hiding_files.yml rename to rules/windows/process_creation/win_attrib_hiding_files.yml index 1a9c8274..edd45bf9 100644 --- a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml +++ b/rules/windows/process_creation/win_attrib_hiding_files.yml 
@@ -3,19 +3,18 @@ status: experimental description: Detects usage of attrib.exe to hide files from users. author: Sami Ruohonen logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: '*\attrib.exe' CommandLine: '* +h *' ini: CommandLine: '*\desktop.ini *' intel: ParentImage: '*\cmd.exe' - CommandLine: '+R +H +S +A \\*.cui' - ParentCommandLine: 'C:\WINDOWS\system32\\*.bat' + CommandLine: +R +H +S +A \\*.cui + ParentCommandLine: C:\WINDOWS\system32\\*.bat condition: selection and not (ini or intel) fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml similarity index 64% rename from rules/windows/sysmon/sysmon_bypass_squiblytwo.yml rename to rules/windows/process_creation/win_bypass_squiblytwo.yml index bb312f20..9b47e50b 100644 --- a/rules/windows/sysmon/sysmon_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml @@ -12,25 +12,23 @@ falsepositives: - Unknown level: medium logsource: - product: windows - service: sysmon + category: process_creation + product: windows detection: selection1: - EventID: 1 Image: - '*\wmic.exe' CommandLine: - - 'wmic * *format:\"http*' - - "wmic * /format:'http" - - 'wmic * /format:http*' + - wmic * *format:\"http* + - wmic * /format:'http + - wmic * /format:http* selection2: - EventID: 1 Imphash: - - '1B1A3F43BF37B5BFE60751F2EE2F326E' - - '37777A96245A3C74EB217308F3546F4C' - - '9D87C9D67CE724033C0B40CC4CA1B206' + - 1B1A3F43BF37B5BFE60751F2EE2F326E + - 37777A96245A3C74EB217308F3546F4C + - 9D87C9D67CE724033C0B40CC4CA1B206 CommandLine: - '* *format:\"http*' - - "* /format:'http" + - '* /format:''http' - '* /format:http*' condition: 1 of them 
diff --git a/rules/windows/sysmon/sysmon_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml similarity index 91% rename from rules/windows/sysmon/sysmon_cmdkey_recon.yml rename to rules/windows/process_creation/win_cmdkey_recon.yml index 6f1e4c66..3717c6c3 100644 --- a/rules/windows/sysmon/sysmon_cmdkey_recon.yml +++ b/rules/windows/process_creation/win_cmdkey_recon.yml @@ -1,16 +1,15 @@ title: Cmdkey Cached Credentials Recon status: experimental description: Detects usage of cmdkey to look for cached credentials -references: +references: - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx author: jmallette logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: '*\cmdkey.exe' CommandLine: '* /list *' condition: selection diff --git a/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml similarity index 76% rename from rules/windows/sysmon/sysmon_cmstp_com_object_access.yml rename to rules/windows/process_creation/win_cmstp_com_object_access.yml index f535868a..d5c2a386 100644 --- a/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml 
@@ -13,17 +13,15 @@ references: - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ - https://twitter.com/hFireF0X/status/897640081053364225 logsource: + category: process_creation product: windows - service: sysmon detection: - # CMSTP Spawning Child Process selection1: - EventID: 1 ParentCommandLine: '*\DllHost.exe' selection2: ParentCommandLine: - - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA - - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225 + - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' condition: selection1 and selection2 fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml similarity index 60% rename from rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml rename to rules/windows/process_creation/win_exploit_cve_2015_1641.yml index d4abdd93..8b335074 100644 --- a/rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml +++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml 
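Review bot: The new side of selection2 drops the annotations on the two CLSID values (`#CMSTPLUA` and `#CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225`), leaving two opaque GUIDs that a maintainer can no longer relate to the references list without an external lookup; the `# CMSTP Spawning Child Process` comment above selection1 is removed as well. Keep them as YAML comments on the new side, e.g. `- '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # CMSTPLUA` and `- '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL`, since comments do not affect the generated query.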
@@ -2,16 +2,15 @@ title: Exploit for CVE-2015-1641 status: experimental description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 references: - - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ - - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 + - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ + - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 author: Florian Roth date: 2018/02/22 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: '*\WINWORD.EXE' Image: '*\MicroScMgmt.exe ' condition: selection diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml similarity index 70% rename from rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml rename to rules/windows/process_creation/win_exploit_cve_2017_0261.yml index 258254cc..6e972de7 100644 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml 
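Review bot: The `Image: '*\MicroScMgmt.exe '` value carries a trailing space inside the quotes; Sigma values without a trailing wildcard are exact matches, so an image path ending in `MicroScMgmt.exe` would never satisfy this selection and the rule is unlikely to ever fire. The line is context here, so the migration leaves it in place, but since the file is being rewritten this is the moment to change it to `Image: '*\MicroScMgmt.exe'`. The sibling CVE-2017-0261 rule migrated on the next line uses `Image: '*\FLTLDR.exe*'` without such a stray space.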
@@ -1,16 +1,15 @@ title: Exploit for CVE-2017-0261 status: experimental -description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 +description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 references: - - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html + - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html author: Florian Roth date: 2018/02/22 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: '*\WINWORD.EXE' Image: '*\FLTLDR.exe*' condition: selection diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml similarity index 95% rename from rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml rename to rules/windows/process_creation/win_exploit_cve_2017_11882.yml index ad2eff25..c2d01b6a 100644 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml @@ -7,11 +7,10 @@ references: author: Florian Roth date: 2017/11/23 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: '*\EQNEDT32.EXE' condition: selection fields: diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml similarity index 52% rename from rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml rename to rules/windows/process_creation/win_exploit_cve_2017_8759.yml index 7267b3d3..79035c3c 100644 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml 
@@ -1,16 +1,15 @@
-title: Exploit for CVE-2017-8759
+title: Exploit for CVE-2017-8759
description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
references:
- - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+ - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+ - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
author: Florian Roth
date: 15.09.2017
logsource:
+ category: process_creation
product: windows
- service: sysmon
detection:
selection:
- EventID: 1
ParentImage: '*\WINWORD.EXE'
Image: '*\csc.exe'
condition: selection
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
new file mode 100644
index 00000000..7043d332
--- /dev/null
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -0,0 +1,29 @@
+title: Rubeus Hack Tool
+description: Detects command line parameters used by Rubeus hack tool
+author: Florian Roth
+references:
+ - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+date: 2018/12/19
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.s0005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - '* asreproast *'
+ - '* dump /service:krbtgt *'
+ - '* kerberoast *'
+ - '* createnetonly /program:*'
+ - '* ptt /ticket:*'
+ - '* /impersonateuser:*'
+ - '* renew /ticket:*'
+ - '* asktgt /user:*'
+ - '* harvest /interval:*'
+ condition: selection
+falsepositives:
+ - unlikely
+level: critical
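Review bot: The new win_hack_rubeus.yml has no `status:` field, unlike the other new file in this commit (win_mal_wannacry.yml) and the migrated rules, which all carry `status: experimental`; add `status: experimental` after the title. The tag `attack.s0005` also looks misattributed: S0005 appears to be the ATT&CK software ID for Windows Credential Editor rather than Rubeus, so confirm the intended ID or keep only the technique tag. Given `level: critical` with `falsepositives: unlikely`, a short triage hint for the more generic switch patterns such as `'* renew /ticket:*'` and `'* /impersonateuser:*'` would help analysts decide quickly.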
diff --git a/rules/windows/sysmon/sysmon_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml similarity index 80% rename from rules/windows/sysmon/sysmon_lethalhta.yml rename to rules/windows/process_creation/win_lethalhta.yml index 5669721a..06f9c158 100644 --- a/rules/windows/sysmon/sysmon_lethalhta.yml +++ b/rules/windows/process_creation/win_lethalhta.yml @@ -1,4 +1,4 @@ -title: MSHTA spwaned by SVCHOST as seen in LethalHTA +title: MSHTA spwaned by SVCHOST as seen in LethalHTA status: experimental description: Detects MSHTA.EXE spwaned by SVCHOST described in report references: @@ -6,11 +6,10 @@ references: author: Markus Neis date: 2018/06/07 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: '*\svchost.exe' Image: '*\mshta.exe' condition: selection diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml similarity index 60% rename from rules/windows/malware/win_mal_adwind.yml rename to rules/windows/process_creation/win_mal_adwind.yml index 20a5ea74..d2da6756 100644 --- a/rules/windows/malware/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -1,4 +1,3 @@ ---- action: global title: Adwind RAT / JRAT status: experimental 
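Review bot: The rewritten title line in win_lethalhta.yml keeps the misspelling `spwaned` (`+title: MSHTA spwaned by SVCHOST as seen in LethalHTA`), and the context `description:` line repeats it. Since the line is being touched anyway, change it to `title: MSHTA spawned by SVCHOST as seen in LethalHTA` and fix the description to `Detects MSHTA.EXE spawned by SVCHOST described in report`.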
@@ -13,44 +12,30 @@ detection: condition: selection level: high --- -# Windows Security Eventlog: Process Creation with Full Command Line logsource: + category: process_creation product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: - EventID: 4688 - ProcessCommandLine: + ProcessCommandLine: - '*\AppData\Roaming\Oracle*\java*.exe *' - '*cscript.exe *Retrive*.vbs *' --- -# Sysmon: Process Creation (ID 1) -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\AppData\Roaming\Oracle\bin\java*.exe' ---- -# Sysmon: File Creation (ID 11) logsource: product: windows service: sysmon detection: selection: EventID: 11 - TargetFilename: + TargetFilename: - '*\AppData\Roaming\Oracle\bin\java*.exe' - '*\Retrive*.vbs' --- -# Sysmon: Registry Value Set (ID 13) logsource: product: windows service: sysmon detection: selection: EventID: 13 - TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' + TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* Details: '%AppData%\Roaming\Oracle\bin\\*' diff --git a/rules/windows/process_creation/win_mal_wannacry.yml b/rules/windows/process_creation/win_mal_wannacry.yml new file mode 100644 index 00000000..d3b43b5d --- /dev/null +++ b/rules/windows/process_creation/win_mal_wannacry.yml 
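Review bot: The first document of win_mal_adwind.yml now declares `category: process_creation` but keeps the Security-log field name `ProcessCommandLine:`; elsewhere in this commit process_creation rules use the generic `CommandLine` (win_multiple_suspicious_cli.yml renames `ProcessCommandLine` to `CommandLine`, and the new win_mal_wannacry.yml uses `CommandLine`). With the generic category the field should be `CommandLine:` so the process_creation mapping applies to both the Sysmon and Security sources. Separately, the removed Sysmon document matched `Image: '*\AppData\Roaming\Oracle\bin\java*.exe'` regardless of arguments, while the surviving `'*\AppData\Roaming\Oracle*\java*.exe *'` pattern requires a trailing argument — presumably fine for this RAT, but worth confirming before the image match is dropped.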
@@ -0,0 +1,33 @@
+title: WannaCry Ransomware
+description: Detects WannaCry Ransomware Activity
+status: experimental
+references:
+ - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
+author: Florian Roth
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '*vssadmin delete shadows*'
+ - '*icacls * /grant Everyone:F /T /C /Q*'
+ - '*bcdedit /set {default} recoveryenabled no*'
+ - '*wbadmin delete catalog -quiet*'
+ selection2:
+ Image:
+ - '*\tasksche.exe'
+ - '*\mssecsvc.exe'
+ - '*\taskdl.exe'
+ - '*\WanaDecryptor*'
+ - '*\taskhsvc.exe'
+ - '*\taskse.exe'
+ - '*\111.exe'
+ - '*\lhdfrgui.exe'
+ - '*\diskpart.exe'
+ - '*\linuxnew.exe'
+ - '*\wannacry.exe'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/malware/sysmon_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml
similarity index 51%
rename from rules/windows/malware/sysmon_malware_dridex.yml
rename to rules/windows/process_creation/win_malware_dridex.yml
index f7388e99..62a746e7 100644
--- a/rules/windows/malware/sysmon_malware_dridex.yml
+++ b/rules/windows/process_creation/win_malware_dridex.yml
@@ -1,5 +1,3 @@
----
-action: global
title: Dridex Process Pattern
status: experimental
description: Detects typical Dridex process patterns
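Review bot: The new win_mal_wannacry.yml largely duplicates rules/windows/process_creation/win_malware_wannacry.yml, which this same commit migrates into the same directory: both carry the identical eleven-entry `Image` list and the same four `CommandLine` patterns under `condition: 1 of them`, so the two rules will fire together on every hit. Consider keeping only one of them. The file also has no `date:` field, and `falsepositives: Unknown` does not reflect that `'*\diskpart.exe'` is a standard administration tool — the deleted rules/windows/malware/win_mal_wannacry.yml carried `# Rare, but can be false positive` on that entry and the sibling rule lists `Diskpart.exe usage to manage partitions on the local hard drive`; carry one of those over.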
@@ -8,33 +6,17 @@ references: author: Florian Roth date: 2019/01/10 logsource: + category: process_creation product: windows - service: sysmon detection: + selection1: + CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' + selection2: + ParentImage: '*\svchost.exe*' + CommandLine: + - '*whoami.exe /all' + - '*net.exe view' condition: 1 of them falsepositives: - Unlikely level: critical ---- -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 1 - CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' - selection2: - EventID: 1 - ParentImage: '*\svchost.exe*' - CommandLine: - - '*whoami.exe /all' - - '*net.exe view' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml similarity index 78% rename from rules/windows/malware/sysmon_malware_notpetya.yml rename to rules/windows/process_creation/win_malware_notpetya.yml index aa7a816e..151cc43d 100644 --- a/rules/windows/malware/sysmon_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml 
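Review bot: The new selection2 keeps `ParentImage: '*\svchost.exe*'`; the wildcard after the extension makes the match broader than intended (any parent path that merely contains `\svchost.exe`), whereas the other migrated rules anchor on the extension, e.g. `ParentImage: '*\svchost.exe'` in win_lethalhta.yml. Change it to `ParentImage: '*\svchost.exe'`. Note also that the old Security-log document covered only the selection1 pattern, while the merged rule now applies both selections to every process_creation source — a coverage change worth a line in the description.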
@@ -1,6 +1,7 @@ title: NotPetya Ransomware Activity status: experimental -description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil +description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive + C is deleted and windows eventlogs are cleared using wevtutil author: Florian Roth, Tom Ueltschi references: - https://securelist.com/schroedingers-petya/78870/ @@ -13,24 +14,20 @@ tags: - attack.t1070 - attack.t1003 logsource: + category: process_creation product: windows - service: sysmon detection: fsutil_clean_journal: - EventID: 1 Image: '*\fsutil.exe' - CommandLine: '* deletejournal *' + CommandLine: '* deletejournal *' pipe_com: - EventID: 1 CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*' event_clean: - EventID: 1 Image: '*\wevtutil.exe' CommandLine: '* cl *' rundll32_dash1: - EventID: 1 Image: '*\rundll32.exe' - CommandLine: '*.dat,#1' + CommandLine: '*.dat,#1' perfc_keyword: - '*\perfc.dat*' condition: 1 of them @@ -40,4 +37,3 @@ fields: falsepositives: - Admin activity level: critical - diff --git a/rules/windows/sysmon/sysmon_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml similarity index 92% rename from rules/windows/sysmon/sysmon_malware_script_dropper.yml rename to rules/windows/process_creation/win_malware_script_dropper.yml index b08eabd7..cdede5a6 100644 --- a/rules/windows/sysmon/sysmon_malware_script_dropper.yml +++ b/rules/windows/process_creation/win_malware_script_dropper.yml 
@@ -3,11 +3,10 @@ status: experimental description: Detects wscript/cscript executions of scripts located in user directories author: Margaritis Dimitrios (idea), Florian Roth (rule) logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: - '*\wscript.exe' - '*\cscript.exe' @@ -24,7 +23,7 @@ detection: - '* C:\ProgramData\\*.vbs *' falsepositive: ParentImage: '*\winzip*' - condition: selection + condition: selection and not falsepositive fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/malware/sysmon_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml similarity index 85% rename from rules/windows/malware/sysmon_malware_wannacry.yml rename to rules/windows/process_creation/win_malware_wannacry.yml index ee87ca23..051aecc5 100644 --- a/rules/windows/malware/sysmon_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml @@ -3,13 +3,12 @@ status: experimental description: Detects WannaCry ransomware activity via Sysmon references: - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 -author: Florian Roth (rule), Tom U. @c_APT_ure (collection) +author: Florian Roth (rule), Tom U. @c_APT_ure (collection) logsource: + category: process_creation product: windows - service: sysmon detection: selection1: - EventID: 1 Image: - '*\tasksche.exe' - '*\mssecsvc.exe' @@ -19,11 +18,10 @@ detection: - '*\taskse.exe' - '*\111.exe' - '*\lhdfrgui.exe' - - '*\diskpart.exe' # Rare, but can be false positive + - '*\diskpart.exe' - '*\linuxnew.exe' - '*\wannacry.exe' selection2: - EventID: 1 CommandLine: - '*vssadmin delete shadows*' - '*icacls * /grant Everyone:F /T /C /Q*' @@ -37,5 +35,3 @@ fields: falsepositives: - Diskpart.exe usage to manage partitions on the local hard drive level: critical - - 
diff --git a/rules/windows/builtin/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml similarity index 59% rename from rules/windows/builtin/win_mavinject_proc_inj.yml rename to rules/windows/process_creation/win_mavinject_proc_inj.yml index 4b275714..a3da623b 100644 --- a/rules/windows/builtin/win_mavinject_proc_inj.yml +++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml 
@@ -1,38 +1,24 @@
----
-action: global
-title: MavInject Process Injection
-status: experimental
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-references:
- - https://twitter.com/gN3mes1s/status/941315826107510784
- - https://reaqta.com/2017/12/mavinject-microsoft-injector/
- - https://twitter.com/Hexacorn/status/776122138063409152
-author: Florian Roth
-date: 2018/12/12
-tags:
- - attack.process_injection
- - attack.t1055
- - attack.signed_binary_proxy_execution
- - attack.t1218
-detection:
- condition: selection
-falsepositives:
- - unknown
-level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: '* /INJECTRUNNING *'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: '* /INJECTRUNNING *'
+title: MavInject Process Injection
+status: experimental
+description: Detects process injection using the signed Windows tool Mavinject32.exe
+references:
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152
+author: Florian Roth
+date: 2018/12/12
+tags:
+ - attack.process_injection
+ - attack.t1055
+ - attack.signed_binary_proxy_execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine: '* /INJECTRUNNING *'
+ condition: selection
+falsepositives:
+ - unknown
+level: critical
diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml similarity index 95% rename from rules/windows/sysmon/sysmon_mshta_spawn_shell.yml rename to rules/windows/process_creation/win_mshta_spawn_shell.yml index ddb298fa..d437e26d 100644 --- a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml @@ -5,11 +5,10 @@ references: - https://www.trustedsec.com/july-2015/malicious-htas/ author: Michael Haag logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: '*\mshta.exe' Image: - '*\cmd.exe' @@ -36,4 +35,3 @@ tags: falsepositives: - Printer software / driver installations level: high - diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/process_creation/win_multiple_suspicious_cli.yml similarity index 50% rename from rules/windows/builtin/win_multiple_suspicious_cli.yml rename to rules/windows/process_creation/win_multiple_suspicious_cli.yml index 3065dad2..d4237c78 100644 --- a/rules/windows/builtin/win_multiple_suspicious_cli.yml +++ b/rules/windows/process_creation/win_multiple_suspicious_cli.yml @@ -1,4 +1,3 @@ -action: global title: Quick Execution of a Series of Suspicious Commands description: Detects multiple suspicious process in a limited timeframe status: experimental 
@@ -6,19 +5,12 @@ references: - https://car.mitre.org/wiki/CAR-2013-04-002 author: juju4 modified: 2012/12/11 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: low ---- -# Windows Audit Log logsource: + category: process_creation product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: - EventID: 4688 - ProcessCommandLine: + CommandLine: - arp.exe - at.exe - attrib.exe @@ -45,7 +37,6 @@ detection: - tracert.exe - wscript.exe - xcopy.exe -# others - pscp.exe - copy.exe - robocopy.exe @@ -60,53 +51,6 @@ detection: - diskpart.exe timeframe: 5m condition: selection | count() by MachineName > 5 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - arp.exe - - at.exe - - attrib.exe - - cscript.exe - - dsquery.exe - - hostname.exe - - ipconfig.exe - - mimikatz.exe - - nbstat.exe - - net.exe - - netsh.exe - - nslookup.exe - - ping.exe - - quser.exe - - qwinsta.exe - - reg.exe - - runas.exe - - sc.exe - - schtasks.exe - - ssh.exe - - systeminfo.exe - - taskkill.exe - - telnet.exe - - tracert.exe - - wscript.exe - - xcopy.exe -# others - - pscp.exe - - copy.exe - - robocopy.exe - - certutil.exe - - vssadmin.exe - - powershell.exe - - wevtutil.exe - - psexec.exe - - bcedit.exe - - wbadmin.exe - - icacls.exe - - diskpart.exe - timeframe: 5m - condition: selection | count() by MachineName > 5 \ No newline at end of file +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml new file mode 100644 index 00000000..6f45ae18 --- /dev/null +++ b/rules/windows/process_creation/win_netsh_port_fwd.yml 
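Review bot: The `CommandLine:` values carried into the merged rule (`arp.exe`, `at.exe`, …) contain no wildcards, so under Sigma matching each one is a full-field equality test that only fires when the whole command line is exactly the bare executable name, which is rarely how these tools are invoked; if substring matching is intended the values need surrounding wildcards, e.g. `- '*arp.exe*'`, which is how the certutil rule in this commit expresses the same idea. The aggregation `count() by MachineName` also keeps a field name that is not part of the Image/CommandLine/ParentImage set the generic process_creation rules otherwise use, so whether the sysmon and 4688 configurations translate `MachineName` should be verified. The context line `modified: 2012/12/11` looks like a typo for a later year, though it is outside the changed lines. The same wildcard-less value problem appears in the new `win_process_creation_bitsadmin_download.yml` and `win_susp_cli_escape.yml` below.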
@@ -0,0 +1,20 @@ +title: Netsh Port Forwarding +description: Detects netsh commands that configure a port forwarding +references: + - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +date: 2019/01/29 +tags: + - attack.lateral_movement +status: experimental +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - netsh interface portproxy add v4tov4 * + condition: selection +falsepositives: + - Legitimate administration +level: medium diff --git a/rules/windows/builtin/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml similarity index 51% rename from rules/windows/builtin/win_netsh_port_fwd_3389.yml rename to rules/windows/process_creation/win_netsh_port_fwd_3389.yml index 67aff58f..7a62488b 100644 --- a/rules/windows/builtin/win_netsh_port_fwd_3389.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml @@ -1,5 +1,3 @@ ---- -action: global title: Netsh RDP Port Forwarding description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP references: @@ -9,27 +7,14 @@ tags: - attack.lateral_movement status: experimental author: Florian Roth +logsource: + category: process_creation + product: windows detection: + selection: + CommandLine: + - netsh i* p*=3389 c* condition: selection falsepositives: - Legitimate administration level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - 'netsh i* p*=3389 c*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - 'netsh i* p*=3389 c*' 
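Review bot: The single value `netsh interface portproxy add v4tov4 *` in the new rule is anchored at the start of the command line, so an invocation that spells the executable with its path, or uses the abbreviated netsh keywords that the sibling `win_netsh_port_fwd_3389.yml` in the next hunk already accounts for with `netsh i* p*=3389 c*`, falls outside it. Consider `- '*netsh* i* p* a* v4tov4*'` or at least a leading `*` so the two rules cover the same spelling variants. A short `modified:`/`date:` is present, so only the pattern needs attention.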
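diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
new file mode 100644
index 00000000..d9c2f608
--- /dev/null
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -0,0 +1,52 @@
+title: Microsoft Office Product Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
+references:
+ - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+ - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+ - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1059
+ - attack.t1202
+author: Michael Haag, Florian Roth, Markus Neis
+date: 2018/04/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage:
+ - '*\WINWORD.EXE'
+ - '*\EXCEL.EXE'
+ - '*\POWERPNT.exe'
+ - '*\MSPUB.exe'
+ - '*\VISIO.exe'
+ - '*\OUTLOOK.EXE'
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\scrcons.exe'
+ - '*\schtasks.exe'
+ - '*\regsvr32.exe'
+ - '*\hh.exe'
+ - '*\wmic.exe'
+ - '*\mshta.exe'
+ - '*\rundll32.exe'
+ - '*\msiexec.exe'
+ - '*\forfiles.exe'
+ - '*\scriptrunner.exe'
+ - '*\mftrace.exe'
+ - '*\AppVLP.exe'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
new file mode 100644
index 00000000..55b3837d
--- /dev/null
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml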
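Review bot: The description of the new rule lists Word, Excel, Powerpoint, Publisher and Visio, but the `ParentImage` list also contains `'*\OUTLOOK.EXE'`; the description should mention Outlook so the documented scope matches what the selection actually covers. The image names also mix case (`POWERPNT.exe`, `MSPUB.exe` next to `WINWORD.EXE`), which is harmless where the backend matches case-insensitively but is worth normalising for readability.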
@@ -0,0 +1,88 @@ +title: Executable used by PlugX in Uncommon Location - Sysmon Version +status: experimental +description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location +references: + - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ + - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/ +author: Florian Roth +date: 2017/06/12 +logsource: + category: process_creation + product: windows +detection: + selection_cammute: + Image: '*\CamMute.exe' + filter_cammute: + Image: '*\Lenovo\Communication Utility\\*' + selection_chrome_frame: + Image: '*\chrome_frame_helper.exe' + filter_chrome_frame: + Image: '*\Google\Chrome\application\\*' + selection_devemu: + Image: '*\dvcemumanager.exe' + filter_devemu: + Image: '*\Microsoft Device Emulator\\*' + selection_gadget: + Image: '*\Gadget.exe' + filter_gadget: + Image: '*\Windows Media Player\\*' + selection_hcc: + Image: '*\hcc.exe' + filter_hcc: + Image: '*\HTML Help Workshop\\*' + selection_hkcmd: + Image: '*\hkcmd.exe' + filter_hkcmd: + Image: + - '*\System32\\*' + - '*\SysNative\\*' + - '*\SysWowo64\\*' + selection_mc: + Image: '*\Mc.exe' + filter_mc: + Image: + - '*\Microsoft Visual Studio*' + - '*\Microsoft SDK*' + - '*\Windows Kit*' + selection_msmpeng: + Image: '*\MsMpEng.exe' + filter_msmpeng: + Image: + - '*\Microsoft Security Client\\*' + - '*\Windows Defender\\*' + - '*\AntiMalware\\*' + selection_msseces: + Image: '*\msseces.exe' + filter_msseces: + Image: '*\Microsoft Security Center\\*' + selection_oinfo: + Image: '*\OInfoP11.exe' + filter_oinfo: + Image: '*\Common Files\Microsoft Shared\\*' + selection_oleview: + Image: '*\OleView.exe' + filter_oleview: + Image: + - '*\Microsoft Visual Studio*' + - '*\Microsoft SDK*' + - '*\Windows Kit*' + - '*\Windows Resource Kit\\*' + selection_rc: + Image: '*\rc.exe' + filter_rc: + Image: + - '*\Microsoft Visual Studio*' + 
- '*\Microsoft SDK*' + - '*\Windows Kit*' + - '*\Windows Resource Kit\\*' + - '*\Microsoft.NET\\*' + condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) + or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc + ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview + and not filter_oleview ) or ( selection_rc and not filter_rc ) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml similarity index 68% rename from rules/windows/builtin/win_possible_applocker_bypass.yml rename to rules/windows/process_creation/win_possible_applocker_bypass.yml index fe92e53e..989053f4 100644 --- a/rules/windows/builtin/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -1,4 +1,3 @@ -action: global title: Possible Applocker Bypass description: Detects execution of executables that can be used to bypass Applocker whitelisting status: experimental @@ -8,6 +7,9 @@ references: author: juju4 tags: - attack.defense_evasion +logsource: + category: process_creation + product: windows detection: selection: CommandLine: 
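Review bot: The `filter_hkcmd` list in the new PlugX rule contains `'*\SysWowo64\\*'`, which looks like a typo for the SysWOW64 directory; as written the filter never excludes a 32-bit hkcmd.exe started from that path, so those legitimate executions would alert. The fix is the one value, `- '*\SysWOW64\\*'`. The title `Executable used by PlugX in Uncommon Location - Sysmon Version` also appears stale now that the logsource is the generic `category: process_creation`; dropping the `- Sysmon Version` suffix keeps it consistent with the other rules in this directory. The hunk starts on the previous line.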
@@ -19,27 +21,8 @@ detection: - '*\msbuild.exe*' - '*\ieexec.exe*' - '*\mshta.exe*' - # higher risk of false positives -# - '*\cscript.EXE*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment - Using installutil to add features for .NET applications (primarly would occur in developer environments) level: low ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 diff --git a/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml similarity index 79% rename from rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml rename to rules/windows/process_creation/win_powershell_amsi_bypass.yml index c78da8db..52ad6725 100644 --- a/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml @@ -1,4 +1,4 @@ -title: Powershell AMSI Bypass via .NET Reflection +title: Powershell AMSI Bypass via .NET Reflection status: experimental description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning references: @@ -10,18 +10,16 @@ tags: author: Markus Neis date: 2018/08/17 logsource: + category: process_creation product: windows - service: sysmon detection: selection1: - EventID: 1 CommandLine: - '*System.Management.Automation.AmsiUtils*' selection2: CommandLine: - - '*amsiInitFailed*' + - '*amsiInitFailed*' condition: selection1 and selection2 falsepositives: - - Potential Admin Activity + - Potential Admin Activity level: high - 
diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml new file mode 100644 index 00000000..f23c8cba --- /dev/null +++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml @@ -0,0 +1,24 @@ +title: PowerShell Base64 Encoded Shellcode +description: Detects Base64 encoded Shellcode +status: experimental +references: + - https://twitter.com/cyb3rops/status/1063072865992523776 +author: Florian Roth +date: 2018/11/17 +tags: + - attack.defense_evasion + - attack.t1036 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: '*AAAAYInlM*' + selection2: + CommandLine: + - '*OiCAAAAYInlM*' + - '*OiJAAAAYInlM*' + condition: selection1 and selection2 +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/sysmon/sysmon_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml similarity index 90% rename from rules/windows/sysmon/sysmon_powershell_dll_execution.yml rename to rules/windows/process_creation/win_powershell_dll_execution.yml index 940c75a4..be57fb37 100644 --- a/rules/windows/sysmon/sysmon_powershell_dll_execution.yml +++ b/rules/windows/process_creation/win_powershell_dll_execution.yml @@ -9,19 +9,16 @@ tags: author: Markus Neis date: 2018/08/25 logsource: + category: process_creation product: windows - service: sysmon detection: selection1: - EventID: 1 Image: - '*\rundll32.exe' selection2: - EventID: 1 Description: - '*Windows-Hostprozess (Rundll32)*' selection3: - EventID: 1 CommandLine: - '*Default.GetString*' - '*FromBase64String*' diff --git a/rules/windows/sysmon/sysmon_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml similarity index 57% rename from rules/windows/sysmon/sysmon_powershell_download.yml rename to rules/windows/process_creation/win_powershell_download.yml index cecd1eab..5b6b88a5 100644 
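Review bot: In the new rule `selection1` (`'*AAAAYInlM*'`) is a substring of every value in `selection2` (`'*OiCAAAAYInlM*'`, `'*OiJAAAAYInlM*'`), so `condition: selection1 and selection2` matches exactly the same events as `condition: selection2`; either simplify the condition or add a comment saying why both selections are kept. The tag `attack.t1036` is the Masquerading technique, which does not obviously describe Base64-encoded shellcode on a command line; I would confirm that the intended technique is the one tagged.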
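Review bot: `selection2` keeps `Description: '*Windows-Hostprozess (Rundll32)*'`, the German-localized file description of rundll32.exe, so after the move to the generic `category: process_creation` logsource the rule still only fires on German-language Windows installations. This is a context line the commit does not touch, but since the rule is being generalized it is worth either adding the English file description as a second list entry or relying on the `Image` match in `selection1` alone. The condition that combines the three selections lies outside the hunk.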
--- a/rules/windows/sysmon/sysmon_powershell_download.yml +++ b/rules/windows/process_creation/win_powershell_download.yml @@ -6,18 +6,16 @@ tags: - attack.t1086 - attack.execution logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: '*\powershell.exe' - CommandLine: + CommandLine: - '*new-object system.net.webclient).downloadstring(*' - '*new-object system.net.webclient).downloadfile(*' - - '*new-object net.webclient).downloadstring(*' # Ex. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md#atomic-test-2---bloodhound - - '*new-object net.webclient).downloadfile(*' # Ex. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md#atomic-test-3---obfuscation-tests - + - '*new-object net.webclient).downloadstring(*' + - '*new-object net.webclient).downloadfile(*' condition: selection fields: - CommandLine @@ -25,4 +23,3 @@ fields: falsepositives: - unknown level: medium - diff --git a/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml b/rules/windows/process_creation/win_powershell_renamed_ps.yml similarity index 95% rename from rules/windows/sysmon/sysmon_powershell_renamed_ps.yml rename to rules/windows/process_creation/win_powershell_renamed_ps.yml index b7f69ef9..1e02fef2 100644 --- a/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml +++ b/rules/windows/process_creation/win_powershell_renamed_ps.yml @@ -9,11 +9,10 @@ tags: - attack.execution author: Tom Ueltschi (@c_APT_ure) logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Description: Windows PowerShell exclusion_1: Image: 
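Review bot: The two atomic-red-team links that were attached as inline comments to the `new-object net.webclient` entries are dropped in the new version and do not reappear anywhere in the hunk; if they are not already listed under `references:` (which is outside the hunk) they should be moved there rather than lost, since they document where those two patterns come from. Separately, `Image: '*\powershell.exe'` restricts the rule to the Windows PowerShell binary; whether PowerShell Core (`pwsh.exe`) should be covered is a scope decision worth recording in the rule.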
diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml similarity index 96% rename from rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml rename to rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml index ed6d68ee..55493e41 100644 --- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml @@ -8,13 +8,12 @@ tags: - attack.t1086 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) logsource: + category: process_creation product: windows - service: sysmon detection: selection: Image: - '*\Powershell.exe' - EventID: 1 CommandLine: - ' -windowstyle h ' - ' -windowstyl h' @@ -34,7 +33,7 @@ detection: - ' -NoPro ' - ' -NoProf ' - ' -NoProfi ' - - ' -NoProfil ' + - ' -NoProfil ' - ' -nonin ' - ' -nonint ' - ' -noninte ' diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml new file mode 100644 index 00000000..42b697d0 --- /dev/null +++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml @@ -0,0 +1,28 @@ +title: Bitsadmin Download +status: experimental +description: Detects usage of bitsadmin downloading a file +references: + - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin + - https://isc.sans.edu/diary/22264 +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1197 + - attack.s0190 +author: Michael Haag +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\bitsadmin.exe' + CommandLine: + - '/transfer' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Some legitimate apps use this, but limited. +level: medium 
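Review bot: `CommandLine: - '/transfer'` in the new bitsadmin rule has no wildcards, so it is a full-field equality match that only fires when the entire command line is the literal string `/transfer`, which never happens for a real invocation that also carries a job name, source and destination. It should read `- '*/transfer*'`, as the certutil rule in this commit does for its sub-commands. The rule also has no `date:` entry, unlike the other new rules here.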
diff --git a/rules/windows/builtin/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml similarity index 54% rename from rules/windows/builtin/win_psexesvc_start.yml rename to rules/windows/process_creation/win_psexesvc_start.yml index bfd47e75..d71fa288 100644 --- a/rules/windows/builtin/win_psexesvc_start.yml +++ b/rules/windows/process_creation/win_psexesvc_start.yml @@ -8,14 +8,12 @@ tags: - attack.t1035 - attack.s0029 logsource: + category: process_creation product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: - EventID: 4688 - ProcessCommandLine: 'C:\Windows\PSEXESVC.exe' + ProcessCommandLine: C:\Windows\PSEXESVC.exe condition: selection falsepositives: - Administrative activity -level: low \ No newline at end of file +level: low diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml similarity index 66% rename from rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml rename to rules/windows/process_creation/win_sdbinst_shim_persistence.yml index c822885f..603a9491 100644 --- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml @@ -1,4 +1,4 @@ -title: Possible Shim Database Persistence via sdbinst.exe +title: Possible Shim Database Persistence via sdbinst.exe status: experimental description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\* references: 
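Review bot: After switching to `category: process_creation`, the selection still uses the Security-log field name `ProcessCommandLine`, whereas every other rule touched by this commit uses the generic `CommandLine` and relies on the logsource configuration to map it per backend; a Sysmon-backed configuration is unlikely to map `ProcessCommandLine`, so the rule would silently stop matching there. Change the line to `CommandLine: C:\Windows\PSEXESVC.exe`. The same field-name problem affects `NewProcessName`/`ProcessCommandLine` in the new `win_susp_bcdedit.yml` further down.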
@@ -9,16 +9,15 @@ tags: author: Markus Neis date: 2018-08-03 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 - Image: - - '*\sdbinst.exe' - CommandLine: - - '*\AppPatch\\*}.sdb*' + Image: + - '*\sdbinst.exe' + CommandLine: + - '*\AppPatch\\*}.sdb*' condition: selection falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml similarity index 96% rename from rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml rename to rules/windows/process_creation/win_shell_spawn_susp_program.yml index cf8698f9..f965486f 100644 --- a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml @@ -7,11 +7,10 @@ author: Florian Roth date: 2018/04/06 modified: 2019/02/05 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: - '*\mshta.exe' - '*\powershell.exe' @@ -36,4 +35,3 @@ falsepositives: - Administrative scripts - Microsoft SCCM level: high - diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml new file mode 100644 index 00000000..e00eacf5 --- /dev/null +++ b/rules/windows/process_creation/win_spn_enum.yml 
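@@ -0,0 +1,24 @@
+title: Possible SPN Enumeration
+description: Detects Service Principal Name Enumeration used for Kerberoasting
+status: experimental
+references:
+ - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
+author: Markus Neis, keepwatch
+date: 2018/11/14
+tags:
+ - attack.credential_access
+ - attack.t1208
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_image:
+ Image: '*\setspn.exe'
+ selection_desc:
+ Description: '*Query or reset the computer* SPN attribute*'
+ cmd:
+ CommandLine: '*-q*'
+ condition: (selection_image or selection_desc) and cmd
+falsepositives:
+ - Administrator Activity
+level: medium
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
new file mode 100644
index 00000000..e551c086
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -0,0 +1,19 @@
+title: Possible Ransomware or unauthorized MBR modifications
+status: experimental
+description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
+references:
+ - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+author: '@neu5ron'
+date: 2019/02/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ NewProcessName: '*\fsutil.exe'
+ ProcessCommandLine:
+ - '*delete*'
+ - '*deletevalue*'
+ - '*import*'
+ condition: selection
+level: medium
diff --git a/rules/windows/process_creation/win_susp_calc.yml b/rules/windows/process_creation/win_susp_calc.yml
new file mode 100644
index 00000000..92e8b925
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_calc.yml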
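Review bot: The new `win_susp_bcdedit.yml` names bcdedit.exe in its title, description and reference, but its selection matches `NewProcessName: '*\fsutil.exe'`, so the rule never looks at bcdedit at all; one of the two is wrong, and the reference suggests the image should be `'*\bcdedit.exe'`. The field names `NewProcessName` and `ProcessCommandLine` are the raw 4688 names rather than the `Image`/`CommandLine` names the rest of the process_creation rules use, so a Sysmon-backed mapping is unlikely to populate them. `'*import*'` as a bare substring of the command line is also very broad, and the rule has no `falsepositives:` entry, which every other new rule in this commit carries.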
@@ -0,0 +1,23 @@ +title: Suspicious Calculator Usage +description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion +status: experimental +references: + - https://twitter.com/ItsReallyNick/status/1094080242686312448 +author: Florian Roth +date: 2019/02/09 +logsource: + product: windows + service: sysmon +detection: + selection1: + EventID: 1 + CommandLine: '*\calc.exe *' + selection2: + EventID: 1 + Image: '*\calc.exe' + filter2: + Image: '*\Windows\Sys*' + condition: selection1 or ( selection2 and not filter2 ) +falsepositives: + - Unknown +level: high diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml similarity index 63% rename from rules/windows/sysmon/sysmon_susp_certutil_command.yml rename to rules/windows/process_creation/win_susp_certutil_command.yml index 749d6f85..9dc779d4 100644 --- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml @@ -1,8 +1,7 @@ ---- -action: global title: Suspicious Certutil Command status: experimental -description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility +description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with + the built-in certutil utility author: Florian Roth, juju4, keepwatch modified: 2019/01/22 references: 
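Review bot: The new `win_susp_calc.yml` is placed under `rules/windows/process_creation/` but keeps `service: sysmon` plus `EventID: 1` in both selections, while every other rule in this commit uses `category: process_creation` without an EventID. Replace the logsource with `category: process_creation` / `product: windows` and drop the two `EventID: 1` lines so the rule converts for non-Sysmon process-creation sources as well.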
@@ -13,7 +12,26 @@ references: - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://twitter.com/egre55/status/1087685529016193025 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ +logsource: + category: process_creation + product: windows detection: + selection: + CommandLine: + - '* -decode *' + - '* /decode *' + - '* -decodehex *' + - '* /decodehex *' + - '* -urlcache *' + - '* /urlcache *' + - '* -verifyctl *' + - '* /verifyctl *' + - '* -encode *' + - '* /encode *' + - '*certutil* -URL*' + - '*certutil* /URL*' + - '*certutil* -ping*' + - '*certutil* /ping*' condition: selection fields: - CommandLine @@ -27,48 +45,3 @@ tags: falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '* -decode *' - - '* /decode *' - - '* -decodehex *' - - '* /decodehex *' - - '* -urlcache *' - - '* /urlcache *' - - '* -verifyctl *' - - '* /verifyctl *' - - '* -encode *' - - '* /encode *' - - '*certutil* -URL*' - - '*certutil* /URL*' - - '*certutil* -ping*' - - '*certutil* /ping*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '* -decode *' - - '* /decode *' - - '* -decodehex *' - - '* /decodehex *' - - '* -urlcache *' - - '* /urlcache *' - - '* -verifyctl *' - - '* /verifyctl *' - - '* -encode *' - - '* /encode *' - - '*certutil* -URL*' - - '*certutil* /URL*' - - '*certutil* -ping*' - - '*certutil* /ping*' diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml new file mode 100644 index 00000000..1b4bfbe0 --- /dev/null 
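Review bot: The merged selection's `'* -encode *'` and `'* /encode *'` entries already cover the command lines that the new `win_susp_certutil_encode.yml` (next file) lists, so the same event fires both this `level: high` rule and that `level: medium` one. If the encode rule is meant to be the more specific, lower-severity variant, this rule should exclude the `-encode` forms or the two should be reconciled, and the relationship noted in one of the descriptions.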
+++ b/rules/windows/process_creation/win_susp_certutil_encode.yml @@ -0,0 +1,22 @@ +title: Certutil Encode +status: experimental +description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil + - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ +author: Florian Roth +date: 2019/02/24 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - certutil -f -encode * + - certutil.exe -f -encode * + - certutil -encode -f * + - certutil.exe -encode -f * + condition: selection +falsepositives: + - unknown +level: medium diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml new file mode 100644 index 00000000..46f573fc --- /dev/null +++ b/rules/windows/process_creation/win_susp_cli_escape.yml @@ -0,0 +1,27 @@ +title: Suspicious Commandline Escape +description: Detects suspicious process that use escape characters +status: experimental +references: + - https://twitter.com/vysecurity/status/885545634958385153 + - https://twitter.com/Hexacorn/status/885553465417756673 + - https://twitter.com/Hexacorn/status/885570278637678592 + - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html + - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ +author: juju4 +modified: 2018/12/11 +tags: + - attack.defense_evasion + - attack.t1140 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - + - ^h^t^t^p + - h"t"t"p + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low 
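Review bot: The four values in the new encode rule are anchored at the start of the command line (`certutil -f -encode *`), so certutil started with its full path is not matched, unlike the `'*certutil* -URL*'` style used by the general certutil rule above. Prefixing the values with `*` (e.g. `- '*certutil* -f -encode *'`) keeps the two rules consistent.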
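Review bot: The `CommandLine:` list in the new `win_susp_cli_escape.yml` starts with an empty item (a bare `-` with no value), which YAML loads as `null`; how sigmac treats a null value depends on the backend, so the entry should be removed or filled in. The remaining values `^h^t^t^p` and `h"t"t"p` carry no wildcards and are therefore full-field equality matches against the whole command line, which can never equal those fragments; they presumably need surrounding wildcards, e.g. `- '*^h^t^t^p*'`.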
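diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
new file mode 100644
index 00000000..9655396a
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -0,0 +1,23 @@
+title: Command Line Execution with suspicious URL and AppData Strings
+status: experimental
+description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs
+ > powershell)
+references:
+ - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
+ - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
+author: Florian Roth
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - cmd.exe /c *http://*%AppData%
+ - cmd.exe /c *https://*%AppData%
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - High
+level: medium
diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
new file mode 100644
index 00000000..c5a639a0
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml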
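Review bot: `falsepositives: - High` in the new rule is a severity word rather than a description of what legitimately triggers it; the field is meant to list benign causes, so either name the expected benign sources or use `- Unknown`. The two patterns are anchored at `cmd.exe /c` and end at `%AppData%`, so a command line that starts with the full path to cmd.exe, or that continues after the AppData token, is not matched; if substring matching is intended, wrap them as `- '*cmd.exe /c *http://*%AppData%*'`. The rule also has no `date:` entry.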
@@ -0,0 +1,42 @@
+title: Reconnaissance Activity with Net Command
+status: experimental
+description: Detects a set of commands often used in recon stages by different attack groups
+references:
+ - https://twitter.com/haroonmeer/status/939099379834658817
+ - https://twitter.com/c_APT_ure/status/939475433711722497
+ - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
+author: Florian Roth, Markus Neis
+date: 2018/08/22
+modified: 2018/12/11
+tags:
+ - attack.discovery
+ - attack.t1073
+ - attack.t1012
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - tasklist
+ - net time
+ - systeminfo
+ - whoami
+ - nbtstat
+ - net start
+ - '*\net1 start'
+ - qprocess
+ - nslookup
+ - hostname.exe
+ - '*\net1 user /domain'
+ - '*\net1 group /domain'
+ - '*\net1 group "domain admins" /domain'
+ - '*\net1 group "Exchange Trusted Subsystem" /domain'
+ - '*\net1 accounts /domain'
+ - '*\net1 user net localgroup administrators'
+ - netstat -an
+ timeframe: 15s
+ condition: selection | count() by CommandLine > 4
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
similarity index 93%
rename from rules/windows/sysmon/sysmon_susp_control_dll_load.yml
rename to rules/windows/process_creation/win_susp_control_dll_load.yml
index f2a069d1..457ba0c4 100644
--- a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -6,11 +6,10 @@ date: 2017/04/15
 references:
 - https://twitter.com/rikvduijn/status/853251879320662017
 logsource:
+ category: process_creation
 product: windows
- service: sysmon
 detection:
 selection:
- EventID: 1
 ParentImage: '*\System32\control.exe'
 CommandLine: '*\rundll32.exe *'
 filter:
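Review bot: `condition: selection | count() by CommandLine > 4` groups by the command line value, so the rule fires only when the same command is seen five times within 15s, not when five different recon commands run on one host — the opposite of what the description ("a set of commands") intends; grouping by a host or user field the mapping exposes (`count() by ComputerName > 4`, if that field is available) expresses the intent. Most list entries (`tasklist`, `whoami`, `nbtstat`, `netstat -an`, …) carry no wildcard and are therefore exact whole-command-line matches that miss `whoami /all` or a full-path `C:\Windows\System32\whoami.exe`; `win_susp_rasdial_activity.yml` (`- rasdial`) and `win_susp_recon_activity.yml` have the same exact-match shape. `'*\net1 user net localgroup administrators'` looks like two entries fused into one and should be checked against the source. `attack.t1073` is DLL Side-Loading and does not fit a discovery rule; the discovery techniques these commands correspond to are T1082 and T1087.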
diff --git a/rules/windows/sysmon/sysmon_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml similarity index 90% rename from rules/windows/sysmon/sysmon_susp_csc.yml rename to rules/windows/process_creation/win_susp_csc.yml index 8f810531..715ed3ca 100644 --- a/rules/windows/sysmon/sysmon_susp_csc.yml +++ b/rules/windows/process_creation/win_susp_csc.yml @@ -9,17 +9,16 @@ tags: - attack.defense_evasion - attack.t1036 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: '*\csc.exe*' ParentImage: - '*\wscript.exe' - '*\cscript.exe' - '*\mshta.exe' condition: selection -falsepositives: +falsepositives: - Unkown level: high diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml new file mode 100644 index 00000000..6372cec7 --- /dev/null +++ b/rules/windows/process_creation/win_susp_exec_folder.yml @@ -0,0 +1,35 @@ +title: Executables Started in Suspicious Folder +status: experimental +description: Detects process starts of binaries from a suspicious folder +author: Florian Roth +date: 2017/10/14 +modfied: 2019/02/21 +references: + - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt + - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses + - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - C:\PerfLogs\\* + - C:\$Recycle.bin\\* + - C:\Intel\Logs\\* + - C:\Users\Default\\* + - C:\Users\Public\\* + - C:\Users\NetworkService\\* + - C:\Windows\Fonts\\* + - C:\Windows\Debug\\* + - C:\Windows\Media\\* + - C:\Windows\Help\\* + - C:\Windows\addins\\* + - C:\Windows\repair\\* + - C:\Windows\security\\* + - '*\RSA\MachineKeys\\*' + - C:\Windows\system32\config\systemprofile\\* + condition: selection +falsepositives: + - Unknown +level: high 
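Review bot: The csc hunk re-touches the `falsepositives:` line (whitespace) but leaves the typo on the line below it; `- Unknown`.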
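Review bot: `modfied: 2019/02/21` in win_susp_exec_folder.yml misspells the `modified` key, so the timestamp is an unknown attribute to anything that validates or reads rule metadata and the rule looks unmodified since 2017; `modified: 2019/02/21`. Everything else in the new file follows the layout of the other new rules.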
diff --git a/rules/windows/sysmon/sysmon_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml similarity index 86% rename from rules/windows/sysmon/sysmon_susp_execution_path.yml rename to rules/windows/process_creation/win_susp_execution_path.yml index 82d22d4d..4a0f1f5e 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml @@ -3,12 +3,11 @@ status: experimental description: Detects a suspicious exection from an uncommon folder author: Florian Roth logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 - Image: + Image: - '*\$Recycle.bin' - '*\Users\All Users\\*' - '*\Users\Default\\*' @@ -17,7 +16,7 @@ detection: - '*\config\systemprofile\\*' - '*\Windows\Fonts\\*' - '*\Windows\IME\\*' - - '*\Windows\addins\\*' + - '*\Windows\addins\\*' condition: selection fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml similarity index 85% rename from rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml rename to rules/windows/process_creation/win_susp_execution_path_webserver.yml index b50d8960..d687dc46 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml @@ -3,17 +3,16 @@ status: experimental description: Detects a suspicious program execution in a web service root folder (filter out false positives) author: Florian Roth logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 - Image: + Image: - '*\wwwroot\\*' - '*\wmpub\\*' - - '*\htdocs\\*' + - '*\htdocs\\*' filter: - Image: + Image: - '*bin\\*' - '*\Tools\\*' - '*\SMSComponent\\*' 
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
new file mode 100644
index 00000000..c711c47c
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -0,0 +1,19 @@
+title: Suspicious GUP Usage
+description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
+status: experimental
+references:
+ - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
+author: Florian Roth
+date: 2019/02/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\GUP.exe'
+ filter:
+ Image: '*\updater\*'
+ condition: selection and not filter
+falsepositives:
+ - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
+level: high
diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
similarity index 57%
rename from rules/windows/builtin/win_susp_iss_module_install.yml
rename to rules/windows/process_creation/win_susp_iss_module_install.yml
index 06126553..3bcbcbb7 100644
--- a/rules/windows/builtin/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -1,5 +1,3 @@
----
-action: global
 title: IIS Native-Code Module Command Line Installation
 description: Detects suspicious IIS native-code module installations via command line
 status: experimental
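Review bot: The filter pattern `Image: '*\updater\*'` ends in `\*`, which Sigma's value syntax treats as an escaped, literal asterisk, whereas every other path pattern in this commit writes "backslash, then anything" as `\\*` (compare `'*\RSA\MachineKeys\\*'` in win_susp_exec_folder.yml). As written the filter matches no real path, so the legitimate `Notepad++\updater\GUP.exe` named in `falsepositives` is not excluded and the rule fires on every ordinary Notepad++ update; `Image: '*\updater\\*'`.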
@@ -10,27 +8,14 @@ modified: 2012/12/11 tags: - attack.persistence - attack.t1100 +logsource: + category: process_creation + product: windows detection: + selection: + CommandLine: + - '*\APPCMD.EXE install module /name:*' condition: selection -falsepositives: +falsepositives: - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '*\APPCMD.EXE install module /name:*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '*\APPCMD.EXE install module /name:*' diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/process_creation/win_susp_mmc_source.yml similarity index 81% rename from rules/windows/sysmon/sysmon_susp_mmc_source.yml rename to rules/windows/process_creation/win_susp_mmc_source.yml index 7cbc0c82..bdadc4dc 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/process_creation/win_susp_mmc_source.yml @@ -1,14 +1,13 @@ -title: Processes created by MMC +title: Processes created by MMC status: experimental -description: Processes started by MMC could be a sign of lateral movement using MMC application COM object +description: Processes started by MMC could be a sign of lateral movement using MMC application COM object references: - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: '*\mmc.exe' Image: '*\cmd.exe' exclusion: 
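Review bot: `modified: 2012/12/11` (a context line this hunk keeps) predates the rule and is almost certainly `modified: 2018/12/11`, the value the other rules touched in this commit carry; win_susp_msiexec_web_install.yml has the same value and the same fix applies. The removed `definition:` text was the only place recording that the Security-log variant needs "Audit Process creation" plus command-line logging enabled; that requirement now has to be documented in the `security` process_creation mapping config or it is lost, and the same applies to the other rules here that drop the multi-document tail (win_susp_ntdsutil.yml, win_susp_msiexec_web_install.yml, win_susp_powershell_enc_cmd.yml, win_susp_powershell_hidden_b64_cmd.yml, win_susp_run_locations.yml, win_susp_rundll32_activity.yml).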
diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml similarity index 55% rename from rules/windows/builtin/win_susp_msiexec_web_install.yml rename to rules/windows/process_creation/win_susp_msiexec_web_install.yml index 3fd59bd0..ec773ad6 100644 --- a/rules/windows/builtin/win_susp_msiexec_web_install.yml +++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml @@ -1,5 +1,3 @@ ---- -action: global title: MsiExec Web Install status: experimental description: Detects suspicious msiexec proess starts with web addreses as parameter @@ -8,27 +6,14 @@ references: author: Florian Roth date: 2018/02/09 modified: 2012/12/11 +logsource: + category: process_creation + product: windows detection: + selection: + CommandLine: + - '* msiexec*:\/\/*' condition: selection -falsepositives: +falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '* msiexec*:\/\/*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '* msiexec*:\/\/*' diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml similarity index 95% rename from rules/windows/sysmon/sysmon_susp_net_execution.yml rename to rules/windows/process_creation/win_susp_net_execution.yml index c4889af6..fbccb2aa 100644 --- a/rules/windows/sysmon/sysmon_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml 
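Review bot: The pattern moved into the new `selection`, `'* msiexec*:\/\/*'`, escapes the slashes with backslashes, but Sigma's value escaping defines only `\\` and `\*`; a backslash before any other character is passed through as a literal backslash by the backends I am aware of, in which case `:\/\/` can never match `://` in a real command line. `- '* msiexec*://*'` needs no escaping and matches the URLs the description talks about; if a backend was observed to need the escaped form, that is worth a comment on the line.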
@@ -8,13 +8,11 @@ tags: - attack.s0039 - attack.lateral_movement - attack.discovery - logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: - '*\net.exe' - '*\net1.exe' diff --git a/rules/windows/builtin/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml similarity index 57% rename from rules/windows/builtin/win_susp_ntdsutil.yml rename to rules/windows/process_creation/win_susp_ntdsutil.yml index 434f2091..72f33a93 100644 --- a/rules/windows/builtin/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml @@ -1,5 +1,3 @@ ---- -action: global title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) status: experimental @@ -9,25 +7,13 @@ author: Thomas Patzke tags: - attack.credential_access - attack.t1003 +logsource: + category: process_creation + product: windows detection: + selection: + CommandLine: '*\ntdsutil*' condition: selection -falsepositives: +falsepositives: - NTDS maintenance level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: '*\ntdsutil*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: '*\ntdsutil*' diff --git a/rules/windows/sysmon/sysmon_susp_outlook.yml b/rules/windows/process_creation/win_susp_outlook.yml similarity index 59% rename from rules/windows/sysmon/sysmon_susp_outlook.yml rename to rules/windows/process_creation/win_susp_outlook.yml index 224231b7..619ce7ab 100644 --- a/rules/windows/sysmon/sysmon_susp_outlook.yml +++ b/rules/windows/process_creation/win_susp_outlook.yml 
@@ -1,28 +1,25 @@ -title: Suspicious Execution from Outlook -status: experimental -description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook -references: - - https://github.com/sensepost/ruler - - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html -tags: - - attack.execution - - attack.t1059 - - attack.t1202 -author: Markus Neis -date: 2018/12/27 -logsource: - product: windows - service: sysmon -detection: - clientMailRules: - EventID: 1 - CommandLine: '*EnableUnsafeClientMailRules*' # EnableUnsafeClientMailRules used for Script Execution from Outlook - outlookExec: - EventID: 1 - ParentImage: '*\outlook.exe' - CommandLine: '\\\\*\\*.exe' # UNC Path required for Execution - - condition: clientMailRules OR outlookExec -falsepositives: - - unknown -level: high +title: Suspicious Execution from Outlook +status: experimental +description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook +references: + - https://github.com/sensepost/ruler + - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html +tags: + - attack.execution + - attack.t1059 + - attack.t1202 +author: Markus Neis +date: 2018/12/27 +logsource: + category: process_creation + product: windows +detection: + clientMailRules: + CommandLine: '*EnableUnsafeClientMailRules*' + outlookExec: + ParentImage: '*\outlook.exe' + CommandLine: \\\\*\\*.exe + condition: clientMailRules or outlookExec +falsepositives: + - unknown +level: high diff --git a/rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml similarity index 93% rename from rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml rename to rules/windows/process_creation/win_susp_ping_hex_ip.yml index 1215805e..3fdeb0b7 100644 --- a/rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml 
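Review bot: The rewrite of win_susp_outlook.yml drops the two inline comments that explained its selections (`# EnableUnsafeClientMailRules used for Script Execution from Outlook` and `# UNC Path required for Execution`); the second is the only statement of why `CommandLine: \\\\*\\*.exe` has that shape and should be kept next to the pattern. The same loss of rationale comments happens in win_susp_powershell_enc_cmd.yml (`# reversed base64 and dosfuscation`, `# Google Rapid Response`, `# PowerSponse deployments`), in win_susp_powershell_hidden_b64_cmd.yml where the `# bitsadmin transfer` … `# memmove` labels are the only readable key to 48 otherwise opaque base64 fragments, in win_susp_prog_location_process_starts.yml (`# … too many false positives, e.g. with Webex for Windows`, which records a known FP source), in win_susp_regsvr32_anomalies.yml and in win_susp_rundll32_activity.yml (`# match with or without rundll32.exe to try to catch evasion`). None of those comments conflicts with the move to `category: process_creation`, so they can be restored as-is.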
+++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml @@ -6,11 +6,10 @@ references: author: Florian Roth date: 2018/03/23 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 CommandLine: - '*\ping.exe 0x*' - '*\ping 0x*' @@ -20,4 +19,3 @@ fields: falsepositives: - Unlikely, because no sane admin pings IP addresses in a hexadecimal form level: high - diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml similarity index 55% rename from rules/windows/builtin/win_susp_powershell_enc_cmd.yml rename to rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 1c4ddec9..b429a77b 100644 --- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -1,5 +1,3 @@ ---- -action: global title: Suspicious Encoded PowerShell Command Line description: Detects suspicious powershell process starts with base64 encoded commands status: experimental 
@@ -7,39 +5,22 @@ references: - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e author: Florian Roth, Markus Neis date: 2018/09/03 +logsource: + category: process_creation + product: windows detection: selection: CommandLine: - # Command starts with '$' symbol - '* -e JAB*' - '* -enc JAB*' - '* -encodedcommand JAB*' - - '* BA^J e-' # reversed base64 and dosfuscation - - # Google Rapid Response + - '* BA^J e-' falsepositive1: Image: '*\GRR\\*' - # PowerSponse deployments - falsepositive2: + falsepositive2: CommandLine: '* -ExecutionPolicy remotesigned *' condition: selection and not 1 of falsepositive* -falsepositives: +falsepositives: - GRR powershell hacks - PowerSponse Deployments level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - diff --git a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml similarity index 84% rename from rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml rename to rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml index 39d664d4..a2e93a38 100644 --- a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml @@ -1,6 +1,6 @@ title: Malicious Base64 encoded PowerShell Keywords in command lines status: experimental -description: Detects base64 encoded strings used in hidden malicious PowerShell command lines +description: Detects base64 encoded strings used in hidden malicious PowerShell command lines references: - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ tags: 
@@ -8,74 +8,62 @@ tags: - attack.t1086 author: John Lambert (rule) logsource: + category: process_creation product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: encoded: - EventID: 4688 Image: '*\powershell.exe' CommandLine: '* hidden *' selection: - EventID: 4688 CommandLine: - # bitsadmin transfer - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*' - '*aXRzYWRtaW4gL3RyYW5zZmVy*' - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*' - '*JpdHNhZG1pbiAvdHJhbnNmZX*' - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*' - '*Yml0c2FkbWluIC90cmFuc2Zlc*' - # chunk_size - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*' - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*' - '*JGNodW5rX3Npem*' - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*' - '*RjaHVua19zaXpl*' - '*Y2h1bmtfc2l6Z*' - # IO.Compression - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*' - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*' - '*lPLkNvbXByZXNzaW9u*' - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*' - '*SU8uQ29tcHJlc3Npb2*' - '*Ty5Db21wcmVzc2lvb*' - # IO.MemoryStream - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*' - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*' - '*lPLk1lbW9yeVN0cmVhb*' - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*' - '*SU8uTWVtb3J5U3RyZWFt*' - '*Ty5NZW1vcnlTdHJlYW*' - # GetChunk - '*4ARwBlAHQAQwBoAHUAbgBrA*' - '*5HZXRDaHVua*' - '*AEcAZQB0AEMAaAB1AG4Aaw*' - '*LgBHAGUAdABDAGgAdQBuAGsA*' - '*LkdldENodW5r*' - '*R2V0Q2h1bm*' - # THREAD INFO64 - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*' - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*' - '*RIUkVBRF9JTkZPNj*' - '*SFJFQURfSU5GTzY0*' - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*' - '*VEhSRUFEX0lORk82N*' - # CreateRemoteThread - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*' - '*cmVhdGVSZW1vdGVUaHJlYW*' - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*' - '*NyZWF0ZVJlbW90ZVRocmVhZ*' - '*Q3JlYXRlUmVtb3RlVGhyZWFk*' - 
'*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*' - # memmove - '*0AZQBtAG0AbwB2AGUA*' - '*1lbW1vdm*' - '*AGUAbQBtAG8AdgBlA*' - '*bQBlAG0AbQBvAHYAZQ*' - '*bWVtbW92Z*' - - '*ZW1tb3Zl*' - + - '*ZW1tb3Zl*' condition: encoded and selection falsepositives: - Penetration tests diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml similarity index 95% rename from rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml rename to rules/windows/process_creation/win_susp_powershell_parent_combo.yml index c33ee2f0..26cdf23c 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml @@ -8,11 +8,10 @@ tags: - attack.execution - attack.t1086 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: - '*\wscript.exe' - '*\cscript.exe' diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml new file mode 100644 index 00000000..1f6c6ce6 --- /dev/null +++ b/rules/windows/process_creation/win_susp_procdump.yml 
@@ -0,0 +1,28 @@
+title: Suspicious Use of Procdump
+description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This
+ way we're also able to catch cases in which the attacker has renamed the procdump executable.
+status: experimental
+references:
+ - Internal Research
+author: Florian Roth
+date: 2018/10/30
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '* -ma *'
+ selection2:
+ CommandLine:
+ - '* lsass.exe*'
+ condition: selection1 and selection2
+falsepositives:
+ - Unlikely, because no one should dump an lsass process memory
+ - Another tool that uses the command line switches of Procdump
+level: medium
diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml
new file mode 100644
index 00000000..37983faf
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_process_creations.yml
@@ -0,0 +1,76 @@ +# Sigma rule: rules/windows/builtin/win_susp_process_creations.yml +action: global +title: Suspicious Process Creation +description: Detects suspicious process starts on Windows systems based on keywords +status: experimental +references: + - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ + - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s + - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ + - https://twitter.com/subTee/status/872244674609676288 + - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples + - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html + - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ + - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html + - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat + - https://twitter.com/vector_sec/status/896049052642533376 + - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf +author: Florian Roth +modified: 2018/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - vssadmin.exe delete shadows* + - vssadmin delete shadows* + - vssadmin create shadow /for=C:* + - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit* + - copy \\?\GLOBALROOT\Device\\*\config\SAM* + - reg SAVE HKLM\SYSTEM * + - reg SAVE HKLM\SAM * + - '* sekurlsa:*' + - net localgroup adminstrators * /add + - net group "Domain Admins" * /ADD /DOMAIN + - certutil.exe *-urlcache* http* + - certutil.exe *-urlcache* ftp* + - netsh advfirewall firewall *\AppData\\* + - attrib +S +H +R *\AppData\\* + - schtasks* /create *\AppData\\* + - schtasks* /sc minute* + - '*\Regasm.exe *\AppData\\*' + - '*\Regasm *\AppData\\*' + - '*\bitsadmin* /transfer*' + - '*\certutil.exe * -decode *' + - '*\certutil.exe * -decodehex *' + - 
'*\certutil.exe -ping *' + - icacls * /grant Everyone:F /T /C /Q + - '* wmic shadowcopy delete *' + - '* wbadmin.exe delete catalog -quiet*' + - '*\wscript.exe *.jse' + - '*\wscript.exe *.js' + - '*\wscript.exe *.vba' + - '*\wscript.exe *.vbe' + - '*\cscript.exe *.jse' + - '*\cscript.exe *.js' + - '*\cscript.exe *.vba' + - '*\cscript.exe *.vbe' + - '*\fodhelper.exe' + - '*waitfor*/s*' + - '*waitfor*/si persist*' + - '*remote*/s*' + - '*remote*/c*' + - '*remote*/q*' + - '*AddInProcess*' + - '* /stext *' + - '* /scomma *' + - '* /stab *' + - '* /stabular *' + - '* /shtml *' + - '* /sverhtml *' + - '* /sxml *' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml similarity index 81% rename from rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml rename to rules/windows/process_creation/win_susp_prog_location_process_starts.yml index b8d3f7ad..b3f8f107 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml +++ b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml @@ -6,13 +6,11 @@ references: author: Florian Roth date: 2019/01/15 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 - Image: - # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows + Image: - '*\$Recycle.bin' - '*\Users\Public\\*' - 'C:\Perflogs\\*' diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml new file mode 100644 index 00000000..60371431 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml 
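Review bot: `net localgroup adminstrators * /add` in win_susp_process_creations.yml misspells `administrators`, so that entry can never match the command it is meant to catch; `- net localgroup administrators * /add`. The file also keeps `action: global` and the header comment `# Sigma rule: rules/windows/builtin/win_susp_process_creations.yml` from the old multi-document layout although it is now a single document under `rules/windows/process_creation/`; both are leftovers, and every other rule restructured in this commit drops `action: global`.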
@@ -0,0 +1,20 @@
+title: PowerShell Script Run in AppData
+status: experimental
+description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
+references:
+ - https://twitter.com/JohnLaTwC/status/1082851155481288706
+ - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
+author: Florian Roth
+date: 2019/01/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - '* /c powershell*\AppData\Local\\*'
+ - '* /c powershell*\AppData\Roaming\\*'
+ condition: selection
+falsepositives:
+ - Administrative scripts
+level: medium
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
new file mode 100644
index 00000000..39c9648e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -0,0 +1,17 @@
+title: Suspicious RASdial Activity
+description: Detects suspicious process related to rasdial.exe
+status: experimental
+references:
+ - https://twitter.com/subTee/status/891298217907830785
+author: juju4
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - rasdial
+ condition: selection
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml
similarity index 80%
rename from rules/windows/sysmon/sysmon_susp_recon_activity.yml
rename to rules/windows/process_creation/win_susp_recon_activity.yml
index 00f385f4..d9bd4489 100644
--- a/rules/windows/sysmon/sysmon_susp_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_recon_activity.yml
@@ -3,14 +3,13 @@ status: experimental description: Detects suspicious command line activity on Windows systems author: Florian Roth logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 CommandLine: - - 'net group "domain admins" /domain' - - 'net localgroup administrators' + - net group "domain admins" /domain + - net localgroup administrators condition: selection fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml similarity index 65% rename from rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml rename to rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index 778d147e..3e838bab 100644 --- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml @@ -9,35 +9,24 @@ tags: - attack.defense_evasion - attack.execution logsource: + category: process_creation product: windows - service: sysmon detection: - # Loads from Temp folder selection1: - EventID: 1 Image: '*\regsvr32.exe' CommandLine: '*\Temp\\*' - # Loaded by powershell selection2: - EventID: 1 Image: '*\regsvr32.exe' ParentImage: '*\powershell.exe' - # Regsvr32.exe used with http(s) address selection3: - EventID: 1 Image: '*\regsvr32.exe' - CommandLine: + CommandLine: - '*/i:http* scrobj.dll' - '*/i:ftp* scrobj.dll' - # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet - # https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100 selection4: - EventID: 1 Image: '*\wscript.exe' ParentImage: '*\regsvr32.exe' - # https://twitter.com/danielhbohannon/status/974321840385531904 selection5: - EventID: 1 Image: '*\EXCEL.EXE' CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *' condition: 1 of them @@ -47,5 +36,3 @@ fields: falsepositives: - Unknown level: high - - 
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml similarity index 61% rename from rules/windows/builtin/win_susp_run_locations.yml rename to rules/windows/process_creation/win_susp_run_locations.yml index 8426baa3..495933f5 100644 --- a/rules/windows/builtin/win_susp_run_locations.yml +++ b/rules/windows/process_creation/win_susp_run_locations.yml @@ -1,4 +1,3 @@ -action: global title: Suspicious Process Start Locations description: Detects suspicious process run from unusual locations status: experimental @@ -8,6 +7,9 @@ author: juju4 tags: - attack.defense_evasion - attack.t1036 +logsource: + category: process_creation + product: windows detection: selection: CommandLine: @@ -16,23 +18,6 @@ detection: - '%windir%\Tasks\\*' - '%systemroot%\debug\\*' condition: selection -falsepositives: +falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: medium ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml similarity index 74% rename from rules/windows/builtin/win_susp_rundll32_activity.yml rename to rules/windows/process_creation/win_susp_rundll32_activity.yml index 872f4055..573ef823 100644 --- a/rules/windows/builtin/win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml @@ -1,4 +1,3 @@ -action: global title: Suspicious Rundll32 Activity description: Detects suspicious process related to rundll32 based on arguments status: experimental 
@@ -11,10 +10,12 @@ tags: - attack.execution - attack.t1085 author: juju4 +logsource: + category: process_creation + product: windows detection: selection: CommandLine: - # match with or without rundll32.exe to try to catch evasion - '*\rundll32.exe* url.dll,*OpenURL *' - '*\rundll32.exe* url.dll,*OpenURLA *' - '*\rundll32.exe* url.dll,*FileProtocolHandler *' @@ -31,21 +32,4 @@ detection: condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 level: medium diff --git a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml similarity index 87% rename from rules/windows/sysmon/sysmon_susp_schtask_creation.yml rename to rules/windows/process_creation/win_susp_schtask_creation.yml index 3855cb81..f9b0f1f4 100644 --- a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml +++ b/rules/windows/process_creation/win_susp_schtask_creation.yml @@ -1,17 +1,16 @@ title: Scheduled Task Creation status: experimental -description: Detects the creation of scheduled tasks in user session +description: Detects the creation of scheduled tasks in user session author: Florian Roth logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: '*\schtasks.exe' CommandLine: '* /create *' filter: - User: 'NT AUTHORITY\SYSTEM' + User: NT AUTHORITY\SYSTEM condition: selection and not filter fields: - CommandLine 
diff --git a/rules/windows/sysmon/sysmon_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml similarity index 94% rename from rules/windows/sysmon/sysmon_susp_script_execution.yml rename to rules/windows/process_creation/win_susp_script_execution.yml index 0f76b136..8896aae0 100644 --- a/rules/windows/sysmon/sysmon_susp_script_execution.yml +++ b/rules/windows/process_creation/win_susp_script_execution.yml @@ -3,11 +3,10 @@ status: experimental description: Detects suspicious file execution by wscript and cscript author: Michael Haag logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: - '*\wscript.exe' - '*\cscript.exe' diff --git a/rules/windows/sysmon/sysmon_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml similarity index 78% rename from rules/windows/sysmon/sysmon_susp_svchost.yml rename to rules/windows/process_creation/win_susp_svchost.yml index da69e381..ec4477b3 100644 --- a/rules/windows/sysmon/sysmon_susp_svchost.yml +++ b/rules/windows/process_creation/win_susp_svchost.yml @@ -1,17 +1,16 @@ title: Suspicious Svchost Process status: experimental -description: Detects a suspicious svchost process start +description: Detects a suspicious svchost process start author: Florian Roth date: 2017/08/15 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: '*\svchost.exe' filter: - ParentImage: + ParentImage: - '*\services.exe' - '*\MsMpEng.exe' condition: selection and not filter diff --git a/rules/windows/builtin/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml similarity index 56% rename from rules/windows/builtin/win_susp_sysprep_appdata.yml rename to rules/windows/process_creation/win_susp_sysprep_appdata.yml index 76b23885..89351243 100644 --- a/rules/windows/builtin/win_susp_sysprep_appdata.yml 
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml @@ -1,5 +1,3 @@ ---- -action: global title: Sysprep on AppData Folder status: experimental description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) @@ -9,29 +7,15 @@ references: author: Florian Roth date: 2018/06/22 modified: 2018/12/11 +logsource: + category: process_creation + product: windows detection: + selection: + CommandLine: + - '*\sysprep.exe *\AppData\\*' + - sysprep.exe *\AppData\\* condition: selection -falsepositives: +falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '*\sysprep.exe *\AppData\\*' - - 'sysprep.exe *\AppData\\*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '*\sysprep.exe *\AppData\\*' - - 'sysprep.exe *\AppData\\*' diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml similarity index 54% rename from rules/windows/builtin/win_susp_sysvol_access.yml rename to rules/windows/process_creation/win_susp_sysvol_access.yml index f3b128dd..97c51d2c 100644 --- a/rules/windows/builtin/win_susp_sysvol_access.yml +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml 
@@ -1,36 +1,22 @@ ---- -action: global -title: Suspicious SYSVOL Domain Group Policy Access -status: experimental -description: Detects Access to Domain Group Policies stored in SYSVOL -references: - - https://adsecurity.org/?p=2288 - - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 -author: Markus Neis -date: 2018/04/09 -modified: 2018/12/11 -tags: - - attack.credential_access - - attack.t1003 -detection: - condition: selection -falsepositives: - - administrative activity -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: '*\SYSVOL\\*\policies\\*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: '*\SYSVOL\\*\policies\\*' +title: Suspicious SYSVOL Domain Group Policy Access +status: experimental +description: Detects Access to Domain Group Policies stored in SYSVOL +references: + - https://adsecurity.org/?p=2288 + - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 +author: Markus Neis +date: 2018/04/09 +modified: 2018/12/11 +tags: + - attack.credential_access + - attack.t1003 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*\SYSVOL\\*\policies\\*' + condition: selection +falsepositives: + - administrative activity +level: medium diff --git a/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml similarity index 81% rename from rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml rename to rules/windows/process_creation/win_susp_taskmgr_localsystem.yml index 9cf16279..eb38f977 100644 
--- a/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml +++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml @@ -4,12 +4,11 @@ description: Detects the creation of taskmgr.exe process in context of LOCAL_SYS author: Florian Roth date: 2018/03/18 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 - User: 'NT AUTHORITY\SYSTEM' + User: NT AUTHORITY\SYSTEM Image: '*\taskmgr.exe' condition: selection falsepositives: diff --git a/rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml similarity index 79% rename from rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml rename to rules/windows/process_creation/win_susp_taskmgr_parent.yml index b01239bb..bcf4e2b2 100644 --- a/rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml +++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml @@ -4,16 +4,15 @@ description: Detects the creation of a process from Windows task manager author: Florian Roth date: 2018/03/13 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: '*\taskmgr.exe' filter: - Image: - - 'resmon.exe' - - 'mmc.exe' + Image: + - resmon.exe + - mmc.exe condition: selection and not filter fields: - Image diff --git a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml similarity index 76% rename from rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml rename to rules/windows/process_creation/win_susp_tscon_localsystem.yml index d700b932..da626dc6 100644 --- a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml +++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml 
@@ -1,18 +1,17 @@ title: Suspicious TSCON Start status: experimental -description: Detects a tscon.exe start as LOCAL SYSTEM -references: +description: Detects a tscon.exe start as LOCAL SYSTEM +references: - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth date: 2018/03/17 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 - User: 'NT AUTHORITY\SYSTEM' + User: NT AUTHORITY\SYSTEM Image: '*\tscon.exe' condition: selection falsepositives: diff --git a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml similarity index 59% rename from rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml rename to rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml index ec7b0788..071be9fd 100644 --- a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml +++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml 
@@ -1,33 +1,19 @@ ---- -action: global title: Suspicious RDP Redirect Using TSCON status: experimental description: Detects a suspicious RDP session redirect using tscon.exe -references: +references: - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth date: 2018/03/17 modified: 2018/12/11 +logsource: + category: process_creation + product: windows detection: + selection: + CommandLine: '* /dest:rdp-tcp:*' condition: selection falsepositives: - Unknown level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: '* /dest:rdp-tcp:*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: '* /dest:rdp-tcp:*' \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml similarity index 77% rename from rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml rename to rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml index de2c0c71..27105caf 100644 --- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 
@@ -1,6 +1,6 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval status: experimental -description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely +description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely author: Florian Roth, Michael Haag references: - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ @@ -8,29 +8,26 @@ references: - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/ - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ +tags: + - attack.credential_access + - attack.t1003 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 CommandLine: - # Ransomware - - 'vssadmin.exe Delete Shadows' - # Hacking + - vssadmin.exe Delete Shadows - 'vssadmin create shadow /for=C:' - - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit' - - 'copy \\?\GLOBALROOT\Device\\*\config\SAM' + - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit + - copy \\?\GLOBALROOT\Device\\*\config\SAM - 'vssadmin delete shadows /for=C:' - 'reg SAVE HKLM\SYSTEM ' - - 'esentutl.exe /y /vss *\ntds.dit*' + - esentutl.exe /y /vss *\ntds.dit* condition: selection fields: - CommandLine - ParentCommandLine -tags: - - attack.credential_access - - attack.t1003 falsepositives: - Administrative activity level: high diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml new file mode 100644 index 00000000..ac983d97 --- /dev/null +++ b/rules/windows/process_creation/win_susp_whoami.yml 
@@ -0,0 +1,22 @@ +title: Whoami Execution +status: experimental +description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators +references: + - https://twitter.com/haroonmeer/status/939099379834658817 + - https://twitter.com/c_APT_ure/status/939475433711722497 +author: Florian Roth +date: 2018/05/22 +tags: + - attack.discovery + - attack.t1033 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: whoami + condition: selection +falsepositives: + - Admin activity + - Scripts and administrative tools used in the monitored environment +level: high diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml similarity index 96% rename from rules/windows/sysmon/sysmon_susp_wmi_execution.yml rename to rules/windows/process_creation/win_susp_wmi_execution.yml index d0fb1e5c..852f644b 100644 --- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml +++ b/rules/windows/process_creation/win_susp_wmi_execution.yml @@ -7,11 +7,10 @@ references: - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ author: Michael Haag, Florian Roth logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: - '*\wmic.exe' CommandLine: diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml similarity index 93% rename from rules/windows/sysmon/sysmon_system_exe_anomaly.yml rename to rules/windows/process_creation/win_system_exe_anomaly.yml index 92f73844..2f81cc4a 100644 --- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml +++ b/rules/windows/process_creation/win_system_exe_anomaly.yml 
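Review bot: The `description:` of the new win_susp_whoami.yml misspells "exploitation" as `exloitation`; suggest `description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators`. Separately, `CommandLine: whoami` is a value without wildcards, which in Sigma is a full-value match, so only a bare `whoami` command line is covered; if that narrowness is deliberate (to keep `level: high` defensible against the listed `Admin activity` false positives), a short comment saying so would stop the next maintainer from widening it by reflex.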
@@ -6,11 +6,10 @@ references: author: Florian Roth date: 2017/11/27 logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: - '*\svchost.exe' - '*\rundll32.exe' @@ -23,7 +22,7 @@ detection: - '*\csrss.exe' - '*\conhost.exe' filter: - Image: + Image: - '*\System32\\*' - '*\SysWow64\\*' condition: selection and not filter @@ -32,4 +31,3 @@ tags: falsepositives: - Exotic software level: high - diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml similarity index 93% rename from rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml rename to rules/windows/process_creation/win_vul_java_remote_debugging.yml index a3288802..03ec6b5b 100644 --- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml +++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml @@ -2,11 +2,10 @@ title: Java Running with Remote Debugging description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect author: Florian Roth logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 CommandLine: '*transport=dt_socket,address=*' exclusion: - CommandLine: '*address=127.0.0.1*' diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml similarity index 62% rename from rules/windows/sysmon/sysmon_webshell_detection.yml rename to rules/windows/process_creation/win_webshell_detection.yml index be67266e..f70280b0 100644 --- a/rules/windows/sysmon/sysmon_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml 
@@ -2,23 +2,22 @@ title: Webshell Detection With Command Line Keywords description: Detects certain command line parameters often used during reconnaissance activity via web shells author: Florian Roth logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: - - '*\apache*' - - '*\tomcat*' - - '*\w3wp.exe' - - '*\php-cgi.exe' - - '*\nginx.exe' - - '*\httpd.exe' + - '*\apache*' + - '*\tomcat*' + - '*\w3wp.exe' + - '*\php-cgi.exe' + - '*\nginx.exe' + - '*\httpd.exe' CommandLine: - - 'whoami' - - 'net user' - - 'ping -n' - - 'systeminfo' + - whoami + - net user + - ping -n + - systeminfo condition: selection fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml similarity index 95% rename from rules/windows/sysmon/sysmon_webshell_spawn.yml rename to rules/windows/process_creation/win_webshell_spawn.yml index d9faf6c8..9cc4ca33 100644 --- a/rules/windows/sysmon/sysmon_webshell_spawn.yml +++ b/rules/windows/process_creation/win_webshell_spawn.yml @@ -3,11 +3,10 @@ status: experimental description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack author: Thomas Patzke logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 ParentImage: - '*\w3wp.exe' - '*\httpd.exe' diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml new file mode 100644 index 00000000..4d484bf2 --- /dev/null +++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml 
@@ -0,0 +1,22 @@ +title: WMI Persistence - Script Event Consumer +status: experimental +description: Detects WMI script event consumers +references: + - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ +author: Thomas Patzke +date: 2018/03/07 +tags: + - attack.execution + - attack.persistence + - attack.t1047 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: C:\WINDOWS\system32\wbem\scrcons.exe + ParentImage: C:\Windows\System32\svchost.exe + condition: selection +falsepositives: + - Legitimate event consumers +level: high diff --git a/rules/windows/sysmon/sysmon_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml similarity index 87% rename from rules/windows/sysmon/sysmon_workflow_compiler.yml rename to rules/windows/process_creation/win_workflow_compiler.yml index 433464ec..ede0a761 100644 --- a/rules/windows/sysmon/sysmon_workflow_compiler.yml +++ b/rules/windows/process_creation/win_workflow_compiler.yml @@ -8,12 +8,10 @@ author: Nik Seetharaman references: - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb logsource: + category: process_creation product: windows - service: sysmon detection: - # Description contains MWC even if file has been renamed. selection: - EventID: 1 Image: '*\Microsoft.Workflow.Compiler.exe' condition: selection fields: diff --git a/rules/windows/sysmon/sysmon_bitsadmin_download.yml b/rules/windows/sysmon/sysmon_bitsadmin_download.yml deleted file mode 100644 index 170b71d0..00000000 --- a/rules/windows/sysmon/sysmon_bitsadmin_download.yml +++ /dev/null 
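Review bot: `Image: C:\WINDOWS\system32\wbem\scrcons.exe` and `ParentImage: C:\Windows\System32\svchost.exe` in the new win_wmi_persistence_script_event_consumer.yml pin the drive letter and a specific letter case, while every other process_creation rule in this commit anchors images with a leading wildcard (e.g. `'*\wscript.exe'` on L76, `'*\svchost.exe'` on L79). For a backend that compares case-sensitively, the mixed `WINDOWS` / `Windows` spelling would only match one of the two forms, and a non-standard system drive would match neither. Suggest `Image: '*\wbem\scrcons.exe'` and `ParentImage: '*\svchost.exe'` for consistency with the rest of the set.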
@@ -1,29 +0,0 @@ -title: Bitsadmin Download -status: experimental -description: Detects usage of bitsadmin downloading a file -references: - - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - - https://isc.sans.edu/diary/22264 -tags: - - attack.defense_evasion - - attack.persistence - - attack.t1197 - - attack.s0190 -author: Michael Haag -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - '*\bitsadmin.exe' - CommandLine: - - '/transfer' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Some legitimate apps use this, but limited. -level: medium diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml deleted file mode 100644 index dce5d9e8..00000000 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -title: Microsoft Office Product Spawning Windows Shell -status: experimental -description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. -references: - - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle -tags: - - attack.execution - - attack.defense_evasion - - attack.t1059 - - attack.t1202 -author: Michael Haag, Florian Roth, Markus Neis -date: 2018/04/06 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - - '*\POWERPNT.exe' - - '*\MSPUB.exe' - - '*\VISIO.exe' - - '*\OUTLOOK.EXE' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\scrcons.exe' - - '*\schtasks.exe' # see https://www.hybrid-analysis.com/sample/b409538c99f99b94a5035d9fa44a506b41be0feb23e89b7e4d272ba791aa6002?environmentId=100 - - '*\regsvr32.exe' # see https://twitter.com/subTee/status/899283365647458305 - - '*\hh.exe' # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100 - - '*\wmic.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\mshta.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\rundll32.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\msiexec.exe' # see https://twitter.com/DissectMalware/status/984252467474026497 - - '*\forfiles.exe' # see https://twitter.com/danielhbohannon/status/896057910123347969?lang=en - - '*\scriptrunner.exe' # see https://twitter.com/KyleHanslovan/status/914800377580503040 - - '*\mftrace.exe' # see 
https://github.com/api0cradle/LOLBAS/blob/763d0b115cd702780ca042a8beb6ee684ef7823f/OtherMSBinaries/Mftrace.md - - '*\AppVLP.exe' # see https://twitter.com/moo_hax/status/892388990686347264 - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml deleted file mode 100644 index 6a2416dc..00000000 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -title: Executable used by PlugX in Uncommon Location - Sysmon Version -status: experimental -description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location -references: - - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/' - - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/' -author: Florian Roth -date: 2017/06/12 -logsource: - product: windows - service: sysmon -detection: - - # CamMute - selection_cammute: - EventID: 1 - Image: '*\CamMute.exe' - filter_cammute: - EventID: 1 - Image: '*\Lenovo\Communication Utility\\*' - - # Chrome Frame Helper - selection_chrome_frame: - EventID: 1 - Image: '*\chrome_frame_helper.exe' - filter_chrome_frame: - EventID: 1 - Image: '*\Google\Chrome\application\\*' - - # Microsoft Device Emulator - selection_devemu: - EventID: 1 - Image: '*\dvcemumanager.exe' - filter_devemu: - EventID: 1 - Image: '*\Microsoft Device Emulator\\*' - - # Windows Media Player Gadget - selection_gadget: - EventID: 1 - Image: '*\Gadget.exe' - filter_gadget: - EventID: 1 - Image: '*\Windows Media Player\\*' - - # HTML Help Workshop - selection_hcc: - EventID: 1 - Image: '*\hcc.exe' - filter_hcc: - EventID: 1 - Image: '*\HTML Help Workshop\\*' - - # Hotkey Command Module for Intel Graphics Contollers - selection_hkcmd: - EventID: 1 - Image: '*\hkcmd.exe' - filter_hkcmd: - EventID: 1 - Image: - - '*\System32\\*' - - '*\SysNative\\*' - - '*\SysWowo64\\*' - - # McAfee component - selection_mc: - EventID: 1 - Image: '*\Mc.exe' - filter_mc: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - # MsMpEng - Microsoft Malware Protection Engine - selection_msmpeng: - EventID: 1 - Image: '*\MsMpEng.exe' - filter_msmpeng: - EventID: 1 - Image: - - '*\Microsoft Security Client\\*' - - '*\Windows Defender\\*' - - '*\AntiMalware\\*' - - # Microsoft 
Security Center - selection_msseces: - EventID: 1 - Image: '*\msseces.exe' - filter_msseces: - EventID: 1 - Image: '*\Microsoft Security Center\\*' - - # Microsoft Office 2003 OInfo - selection_oinfo: - EventID: 1 - Image: '*\OInfoP11.exe' - filter_oinfo: - EventID: 1 - Image: '*\Common Files\Microsoft Shared\\*' - - # OLE View - selection_oleview: - EventID: 1 - Image: '*\OleView.exe' - filter_oleview: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\\*' - - # RC - selection_rc: - EventID: 1 - Image: '*\rc.exe' - filter_rc: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\\*' - - '*\Microsoft.NET\\*' - - condition: ( selection_cammute and not filter_cammute ) or - ( selection_chrome_frame and not filter_chrome_frame ) or - ( selection_devemu and not filter_devemu ) or - ( selection_gadget and not filter_gadget ) or - ( selection_hcc and not filter_hcc ) or - ( selection_hkcmd and not filter_hkcmd ) or - ( selection_mc and not filter_mc ) or - ( selection_msmpeng and not filter_msmpeng ) or - ( selection_msseces and not filter_msseces ) or - ( selection_oinfo and not filter_oinfo ) or - ( selection_oleview and not filter_oleview ) or - ( selection_rc and not filter_rc ) -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: high - - diff --git a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml deleted file mode 100644 index f8ef570a..00000000 --- a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Command Line Execution with suspicious URL and AppData Strings -status: experimental -description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) -references: - - 'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100' - - 'https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100' -author: Florian Roth -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - 'cmd.exe /c *http://*%AppData%' - - 'cmd.exe /c *https://*%AppData%' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - High -level: medium diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml deleted file mode 100644 index d8f0c6aa..00000000 --- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -action: global -title: Executables Started in Suspicious Folder -status: experimental -description: Detects process starts of binaries from a suspicious folder -author: Florian Roth -date: 2017/10/14 -modfied: 2019/02/21 -references: - - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ -falsepositives: - - Unknown -level: high -detection: - condition: selection ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - 'C:\PerfLogs\\*' - - 'C:\$Recycle.bin\\*' - - 'C:\Intel\Logs\\*' - - 'C:\Users\Default\\*' - - 'C:\Users\Public\\*' - - 'C:\Users\NetworkService\\*' - - 'C:\Windows\Fonts\\*' - - 'C:\Windows\Debug\\*' - - 'C:\Windows\Media\\*' - - 'C:\Windows\Help\\*' - - 'C:\Windows\addins\\*' - - 'C:\Windows\repair\\*' - - 'C:\Windows\security\\*' - - '*\RSA\MachineKeys\\*' - - 'C:\Windows\system32\config\systemprofile\\*' ---- -logsource: - product: windows - service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - NewProcessName: - - 'C:\PerfLogs\\*' - - 'C:\$Recycle.bin\\*' - - 'C:\Intel\Logs\\*' - - 'C:\Users\Default\\*' - - 'C:\Users\Public\\*' - - 'C:\Users\NetworkService\\*' - - 'C:\Windows\Fonts\\*' - - 'C:\Windows\Debug\\*' - - 'C:\Windows\Media\\*' - - 'C:\Windows\Help\\*' - - 'C:\Windows\addins\\*' - - 'C:\Windows\repair\\*' - - 'C:\Windows\security\\*' - - '*\RSA\MachineKeys\\*' - - 'C:\Windows\system32\config\systemprofile\\*' - - diff --git a/tests/config-multiple_mapping-2.yml b/tests/config-multiple_mapping-2.yml new file mode 100644 index 00000000..6f98fd4e --- /dev/null +++ b/tests/config-multiple_mapping-2.yml 
@@ -0,0 +1,7 @@ +fieldmappings: + event_id: + - event_id + - eventid + subject_account_name: + EventID=1234: san + EventID=4624: subject_accountname diff --git a/tests/config-multiple_mapping.yml b/tests/config-multiple_mapping.yml new file mode 100644 index 00000000..c6294431 --- /dev/null +++ b/tests/config-multiple_mapping.yml @@ -0,0 +1,5 @@ +fieldmappings: + EventID: + - event_id + - EventID + SubjectAccountName: subject_account_name diff --git a/tests/mapping-conditional-multi.yml b/tests/mapping-conditional-multi.yml new file mode 100644 index 00000000..1eca3e10 --- /dev/null +++ b/tests/mapping-conditional-multi.yml @@ -0,0 +1,15 @@ +title: Contional mapping with multiple targets +status: test +description: Logpoint configuration causes conditional mapping with multiple results +author: Thomas Patzke +logsource: + product: windows + service: security +detection: + selection: + EventID: 4624 + SubjectAccountName: Test + condition: selection +fields: + - EventID + - SubjectAccountName diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index c485831a..38262525 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -77,9 +77,11 @@ fieldmappings: ObjectType: event_data.ObjectType ObjectValueName: event_data.ObjectValueName ParentCommandLine: event_data.ParentCommandLine + ParentProcessName: event_data.ParentProcessName ParentImage: event_data.ParentImage Path: event_data.Path PipeName: event_data.PipeName + ProcessCommandLine: event_data.ProcessCommandLine ProcessName: event_data.ProcessName Properties: event_data.Properties ServiceFileName: event_data.ServiceFileName diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml new file mode 100644 index 00000000..327d5a03 --- /dev/null +++ b/tools/config/generic/sysmon.yml 
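Review bot: `title: Contional mapping with multiple targets` in the new tests/mapping-conditional-multi.yml misspells "Conditional"; suggest `title: Conditional mapping with multiple targets`. It is only test metadata, but the title may surface in generated backend output during the Makefile test runs, so a clean spelling helps when eyeballing results.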
@@ -0,0 +1,9 @@
+logsources:
+ process_creation:
+ category: process_creation
+ product: windows
+ conditions:
+ EventID: 1
+ rewrite:
+ product: windows
+ service: sysmon
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml
new file mode 100644
index 00000000..45afec69
--- /dev/null
+++ b/tools/config/generic/windows-audit.yml
@@ -0,0 +1,13 @@
+logsources:
+ process_creation:
+ category: process_creation
+ product: windows
+ conditions:
+ EventID: 4688
+ rewrite:
+ product: windows
+ service: security
+fieldmappings:
+ Image: NewProcessName
+ ParentImage: ParentProcessName
+ CommandLine: ProcessCommandLine
diff --git a/tools/config/splunk-windows-all-index.yml b/tools/config/splunk-windows-all-index.yml
new file mode 100644
index 00000000..60f05f0e
--- /dev/null
+++ b/tools/config/splunk-windows-all-index.yml
@@ -0,0 +1,6 @@
+logsources:
+ windows:
+ product: windows
+ index: windows
+fieldmappings:
+ EventID: EventCode
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py
index 2b6cab3c..8e2682d6 100644
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@@ -51,7 +51,7 @@ class BaseBackend:
 passing the object instance to it.
 """
 super().__init__()
- if not isinstance(sigmaconfig, (sigma.configuration.SigmaConfiguration, None)):
+ if not isinstance(sigmaconfig, (sigma.configuration.SigmaConfiguration, sigma.configuration.SigmaConfigurationChain, None)):
 raise TypeError("SigmaConfiguration object expected")
 self.backend_options = backend_options
 self.sigmaconfig = sigmaconfig
diff --git a/tools/sigma/backends/wdatp.py b/tools/sigma/backends/wdatp.py
index ca186814..df7e515d 100644
--- a/tools/sigma/backends/wdatp.py
+++ b/tools/sigma/backends/wdatp.py
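Review bot: The `CommandLine: ProcessCommandLine` entry in the fieldmappings block maps the generic field to a name that, as far as I can tell, does not exist in the 4688 EventData — the XML data element is `CommandLine`, and "Process Command Line" is only the message-template label — so a chained backend config that passes the name through unchanged (elk-winlogbeat.yml in this diff maps it to `event_data.ProcessCommandLine`) will emit queries that never match raw Security-log events; please verify against a captured 4688 record before this becomes the canonical generic config. This file also drops the prerequisite the deleted multi-document rule carried in its logsource description: 4688 contains a command line only when "Include command line in process creation events" is enabled, so a CommandLine-based generic rule converted with this config yields zero hits on a default audit policy rather than an error. A header comment such as `# Requires: Audit Process Creation enabled and the 'Include command line in process creation events' policy, otherwise CommandLine conditions never match.` would make that visible to whoever deploys the output.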
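Review bot: `None` inside the isinstance tuple is not a type, so when `sigmaconfig` really is None the check does not pass silently but raises the interpreter's own `TypeError: isinstance() arg 2 must be a type or tuple of types` instead of the intended message; it only works for valid configs because isinstance short-circuits on the first matching element. Suggest `if sigmaconfig is not None and not isinstance(sigmaconfig, (sigma.configuration.SigmaConfiguration, sigma.configuration.SigmaConfigurationChain)):`, and the error message could mention SigmaConfigurationChain now that it is accepted. The enclosing `__init__` starts before this hunk.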
@@ -126,12 +126,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
 def generate(self, sigmaparser):
 self.table = None
 try:
- self.product = sigmaparser.parsedyaml['logsource']['product']
- self.service = sigmaparser.parsedyaml['logsource']['service']
+ self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
+ self.product = sigmaparser.parsedyaml['logsource'].setdefault('product', None)
+ self.service = sigmaparser.parsedyaml['logsource'].setdefault('service', None)
 except KeyError:
+ self.category = None
 self.product = None
 self.service = None
+ if (self.category, self.product, self.service) == ("process_creation", "windows", None):
+ self.table = "ProcessCreationEvents"
+
 return super().generate(sigmaparser)
 def generateBefore(self, parsed):
diff --git a/tools/sigma/config/exceptions.py b/tools/sigma/config/exceptions.py
index 31d2b812..cafdff8d 100644
--- a/tools/sigma/config/exceptions.py
+++ b/tools/sigma/config/exceptions.py
@@ -17,5 +17,8 @@ class SigmaConfigParseError(Exception):
 pass
+class FieldMappingError(SigmaConfigParseError):
+ pass
+
 class SigmaRuleFilterParseException(Exception):
 pass
diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py
index f5829cd3..8cbaf2e0 100644
--- a/tools/sigma/config/mapping.py
+++ b/tools/sigma/config/mapping.py
@@ -14,8 +14,8 @@
 # You should have received a copy of the GNU Lesser General Public License
 # along with this program. If not, see .
-from sigma.parser.condition import ConditionOR
-from .exceptions import SigmaConfigParseError
+from sigma.parser.condition import ConditionOR, NodeSubexpression
+from .exceptions import SigmaConfigParseError, FieldMappingError
 # Field Mapping Definitions
 def FieldMapping(source, target=None):
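Review bot: The three `setdefault(..., None)` calls mutate the rule's parsed YAML: after `generate()` runs, `parsedyaml['logsource']` carries explicit `category`/`product`/`service: None` keys it did not have before, a side effect on shared parser state that `.get()` avoids for free — `self.category = sigmaparser.parsedyaml['logsource'].get('category')` and likewise for the other two. Note also that the `except KeyError` branch now only fires when the whole `logsource` key is missing, which is fine but worth a one-line comment since the old code reached it for a missing `product` or `service` too. The new table selection is keyed on `service is None`; a comment such as `# generic process_creation rule without a service: query the unified process table` would explain why the per-service logic further down is bypassed. `generate()` continues past this hunk.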
@@ -47,6 +47,9 @@ class SimpleFieldMapping:
 def resolve_fieldname(self, fieldname):
 return self.target
+ def __str__(self): # pragma: no cover
+ return "SimpleFieldMapping: {} -> {}".format(self.source, self.target)
+
 class MultiFieldMapping(SimpleFieldMapping):
 """1:n field mapping that expands target field names into OR conditions"""
 target_type = list
@@ -56,10 +59,10 @@ class MultiFieldMapping(SimpleFieldMapping):
 cond = ConditionOR()
 for fieldname in self.target:
 cond.add((fieldname, value))
- return cond
+ return NodeSubexpression(cond)
- def resolve_fieldname(self, fieldname):
- return self.target
+ def __str__(self): # pragma: no cover
+ return "MultiFieldMapping: {} -> [{}]".format(self.source, ", ".join(self.target))
 class ConditionalFieldMapping(SimpleFieldMapping):
 """
@@ -122,7 +125,7 @@ class ConditionalFieldMapping(SimpleFieldMapping):
 cond = ConditionOR()
 for target in targets:
 cond.add((target, value))
- return cond
+ return NodeSubexpression(cond)
 else: # no mapping found
 return (key, value)
@@ -131,3 +134,87 @@ class ConditionalFieldMapping(SimpleFieldMapping): return self.default else: return fieldname + + def __str__(self): # pragma: no cover + return "ConditionalFieldMapping: {} -> {}".format(self.source, self.target) + +# Field mappimg chain +class FieldMappingChain(object): + """ + Chain of field mappings and fields used for calculation of a field mapping in chained conversion + configurations. + + A chain of field mappings may fan out, as one field can map into multiple target fields and these + must be propagated further. As the whole chain must be completed at configuration parse time, a + restriction applies to conditional field mappings. These are calculated at rule conversion time and + therefore it is not possible to decide further mappings after conditionals and these may only appear + in the last configuration. This case could be solved by calculation of field mappings at rule conversion + time, but it is not considered as important enough to be implemented at this time. + """ + def __init__(self, fieldname): + """Initialize field mapping chain with given field name.""" + self.fieldmappings = set([fieldname]) + + def append(self, config): + """Propagate current possible field mappings with field mapping from configuration""" + if ConditionalFieldMapping in { type(fieldmapping) for fieldmapping in self.fieldmappings }: # conditional field mapping appeared before, abort. 
+ raise FieldMappingError("Conditional field mappings are only allowed in last configuration if configurations are chained.") + + fieldmappings = set() + if type(self.fieldmappings) == str: + current_fieldmappings = {self.fieldmappings} + else: + current_fieldmappings = self.fieldmappings + + for fieldname in current_fieldmappings: + mapping = config.get_fieldmapping(fieldname) + if type(mapping) in (SimpleFieldMapping, MultiFieldMapping): + resolved_mapping = mapping.resolve_fieldname(fieldname) + if type(resolved_mapping) is list: + fieldmappings.update(resolved_mapping) + else: + fieldmappings.add(resolved_mapping) + elif type(mapping) == ConditionalFieldMapping: + fieldmappings.add(mapping) + else: + raise TypeError("Type '{}' is not supported by FieldMappingChain".format(str(type(mapping)))) + + if len(fieldmappings) == 1: + self.fieldmappings = fieldmappings.pop() + else: + self.fieldmappings = fieldmappings + + def resolve(self, key, value, sigmaparser): + if type(self.fieldmappings) == str: # one field mapping + return (self.fieldmappings, value) + elif isinstance(self.fieldmappings, SimpleFieldMapping): + return self.fieldmappings.resolve(key, value, sigmaparser) + elif type(self.fieldmappings) == set: + cond = ConditionOR() + for mapping in self.fieldmappings: + if type(mapping) == str: + cond.add((mapping, value)) + elif isinstance(mapping, SimpleFieldMapping): + cond.add(mapping.resolve(key, value, sigmaparser)) + return NodeSubexpression(cond) + + def resolve_fieldname(self, fieldname): + if type(self.fieldmappings) == str: # one field mapping + return self.fieldmappings + elif isinstance(self.fieldmappings, SimpleFieldMapping): + return self.fieldmappings.resolve_fieldname(fieldname) + elif type(self.fieldmappings) == set: + mappings = set() + for mapping in self.fieldmappings: + if type(mapping) == str: + mappings.add(mapping) + elif isinstance(mapping, SimpleFieldMapping): + resolved_mapping = mapping.resolve_fieldname(fieldname) + if 
type(resolved_mapping) is list: + mappings.update(resolved_mapping) + else: + mappings.add(resolved_mapping) + return list(mappings) + + def __str__(self): # pragma: no cover + return "FieldMappingChain: {}".format(self.fieldmappings) diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py index 47e0290b..8e46c87c 100644 --- a/tools/sigma/configuration.py +++ b/tools/sigma/configuration.py 
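Review bot: The conditional-mapping guard at the top of `append()` fails in the most common chained case: when the previous configuration resolved to exactly one mapping, the `len(fieldmappings) == 1` branch stores the popped object itself in `self.fieldmappings`, so on the next `append()` a lone ConditionalFieldMapping is neither a `str` nor iterable and `for fieldmapping in self.fieldmappings` raises `TypeError: 'ConditionalFieldMapping' object is not iterable` instead of the FieldMappingError the docstring promises (when the stored value is a `str`, the same comprehension iterates its characters, which is harmless but accidental). Normalising the current state before the check, as below, fixes both and lets the `str`-only special case go away. `resolve()` and `resolve_fieldname()` also fall off the end and return None for any other state; an explicit `raise TypeError(...)` at the bottom of each would turn a silent None into a diagnosable error.
```python
    def append(self, config):
        """Propagate current possible field mappings with field mapping from configuration"""
        if isinstance(self.fieldmappings, (str, SimpleFieldMapping)):   # single collapsed mapping
            current_fieldmappings = {self.fieldmappings}
        else:
            current_fieldmappings = self.fieldmappings
        if any(isinstance(fm, ConditionalFieldMapping) for fm in current_fieldmappings):
            raise FieldMappingError("Conditional field mappings are only allowed in last configuration if configurations are chained.")

        fieldmappings = set()
        # … unchanged: loop over current_fieldmappings, collapse to single mapping …
```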
@@ -17,7 +17,67 @@ import yaml from sigma.parser.condition import ConditionAND, ConditionOR from sigma.config.exceptions import SigmaConfigParseError -from sigma.config.mapping import FieldMapping +from sigma.config.mapping import FieldMapping, FieldMappingChain + +# Chain of multiple configurations +class SigmaConfigurationChain(list): + """ + Chain of SigmaConfiguration objects. Behaves like a list of Sigma configuration objects on the one side and + like a SigmaConfiguration object on the other. All methods are applied to the given parameters in the order + of addition of the configurations. + """ + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.backend = None + self.defaultindex = None + self.config = dict() + self.fieldmappings = dict() + self.logsources = dict() + + for config in self: + self.postprocess_config(config) + + def append(self, config): + super().append(config) + self.postprocess_config(config) + + def postprocess_config(self, config): + self.defaultindex = config.defaultindex + self.config.update(config.config) + self.fieldmappings.update(config.fieldmappings) + self.logsources.update(config.logsources) + + def get_fieldmapping(self, fieldname): + """Return mapped fieldname by iterative application of each config stored in configuration chain.""" + if self: + fieldmappings = FieldMappingChain(fieldname) + for config in self: + fieldmappings.append(config) + return fieldmappings + else: + return FieldMapping(fieldname) + + def get_logsource(self, category, product, service): + """Return merged log source definition of all logosurces that match criteria across all Sigma conversion configurations in chain.""" + matching = list() + for config in self: + for logsource in config.logsources: + if logsource.matches(category, product, service): + matching.append(logsource) + if logsource.rewrite is not None: + category, product, service = logsource.rewrite + return SigmaLogsourceConfiguration(matching, self.defaultindex) + 
+ def set_backend(self, backend): + """Set backend for all sigma conversion configurations in chain.""" + self.backend = backend + for config in self: + config.set_backend(backend) + + def get_indexfield(self): + """Get index condition if index field name is configured""" + if self.backend is not None: + return self.backend.index_field # Configuration class SigmaConfiguration: @@ -27,7 +87,6 @@ class SigmaConfiguration: self.config = None self.fieldmappings = dict() self.logsources = dict() - self.logsourcemerging = SigmaLogsourceConfiguration.MM_AND self.defaultindex = None self.backend = None else: @@ -43,11 +102,6 @@ class SigmaConfiguration: if type(self.fieldmappings) != dict: raise SigmaConfigParseError("Fieldmappings must be a map") - try: - self.logsourcemerging = config['logsourcemerging'] - except KeyError: - self.logsourcemerging = SigmaLogsourceConfiguration.MM_AND - try: self.defaultindex = config['defaultindex'] except KeyError: 
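Review bot: `postprocess_config` assigns `self.defaultindex = config.defaultindex` unconditionally, so a later configuration that defines no `defaultindex` (neither generic/sysmon.yml nor generic/windows-audit.yml in this diff does) resets an earlier one to None; the "last config is authoritative in case of conflicts" rule from the sigmac help text should only apply when the later config actually sets a value, i.e. `if config.defaultindex is not None: self.defaultindex = config.defaultindex`. In `get_logsource`, the rewrite is applied inside the inner loop, so it also changes the match criteria for the remaining logsource entries of the same configuration, not only for the following configurations — if that is intended, say so in the docstring, otherwise collect the rewrite and apply it after the inner loop. The docstring typo `logosurces` can be fixed at the same time.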
@@ -77,32 +131,40 @@ class SigmaConfiguration: if type(logsources) != dict: raise SigmaConfigParseError("Logsources must be a map") for name, logsource in logsources.items(): - self.logsources.append(SigmaLogsourceConfiguration(logsource, self.defaultindex, name, self.logsourcemerging, self.get_indexfield())) + self.logsources.append(SigmaLogsourceConfiguration(logsource, self.defaultindex)) def get_indexfield(self): """Get index condition if index field name is configured""" - if self.backend != None: + if self.backend is not None: return self.backend.index_field class SigmaLogsourceConfiguration: """Contains the definition of a log source""" - MM_AND = "and" # Merge all conditions with AND - MM_OR = "or" # Merge all conditions with OR - - def __init__(self, logsource=None, defaultindex=None, name=None, mergemethod=MM_AND, indexfield=None): - self.name = name - self.indexfield = indexfield + def __init__(self, logsource=None, defaultindex=None): if logsource == None: # create empty object + self.merged = False self.category = None self.product = None self.service = None self.index = list() - self.conditions = None - elif type(logsource) == list and all([isinstance(o, SigmaLogsourceConfiguration) for o in logsource]): # list of SigmaLogsourceConfigurations: merge according to mergemethod + self.conditions = list() # a list of (field, value) tuples which are OR-linked in the generated query. 
May also contain such a list as list element (in case of merged log sources) + self.rewrite = None + elif type(logsource) == list and all([isinstance(o, SigmaLogsourceConfiguration) for o in logsource]): # list of SigmaLogsourceConfigurations: merge + self.merged = True + if any([ ls.merged for ls in logsource ]): # Ensure that already merged objects are not merged again + raise TypeError("Nested merging of SigmaLogsourceConfiguration objects is not allowed") + rewrites = { ls.rewrite for ls in logsource if ls.rewrite is not None } + if len(rewrites) > 1: + raise ValueError("More than one matching log source contains a rewrite part") + elif len(rewrites) == 1: + self.rewrite = rewrites.pop() + else: + self.rewrite = None + # Merge category, product and service - categories = set([ ls.category for ls in logsource if ls.category != None ]) - products = set([ ls.product for ls in logsource if ls.product != None ]) - services = set([ ls.service for ls in logsource if ls.service != None]) + categories = { ls.category for ls in logsource if ls.category is not None } + products = { ls.product for ls in logsource if ls.product is not None } + services = { ls.service for ls in logsource if ls.service is not None } if len(categories) > 1 or len(products) > 1 or len(services) > 1: raise ValueError("Merged SigmaLogsourceConfigurations must have disjunct categories (%s), products (%s) and services (%s)" % (str(categories), str(products), str(services))) 
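Review bot: The nested-merge and multiple-rewrite checks raise `TypeError` and `ValueError` from the list-merging branch, which (via `get_logsource`) runs during rule conversion rather than at configuration load, so two overlapping logsource entries that both carry a rewrite surface as a traceback instead of the `SigmaConfigParseError` message sigmac prints for configuration problems — at least as far as this diff shows, only SigmaConfigParseError is handled when `-c` files are read, and what the conversion loop catches is not visible here. Raising `SigmaConfigParseError` for both, or validating rewrite collisions when the chain is assembled, would keep config errors on the config error path. `__init__` continues past this hunk.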
@@ -129,28 +191,9 @@ class SigmaLogsourceConfiguration: else: raise TypeError("Default index must be string or list of strings") - # "merge" index field (should never differ between instances because it is provided by backend class - indexfields = [ ls.indexfield for ls in logsource if ls.indexfield != None ] - try: - self.indexfield = indexfields[0] - except IndexError: - self.indexfield = None - - # Merge conditions according to mergemethod - if mergemethod == self.MM_AND: - cond = ConditionAND() - elif mergemethod == self.MM_OR: - cond = ConditionOR() - else: - raise ValueError("Mergemethod must be '%s' or '%s'" % (self.MM_AND, self.MM_OR)) - for ls in logsource: - if ls.conditions != None: - cond.add(ls.conditions) - if len(cond) > 0: - self.conditions = cond - else: - self.conditions = None + self.conditions = [ ls.conditions for ls in logsource if ls.conditions ] # build list of list of (field, value) tuples as base for merged query condition. elif type(logsource) == dict: # create logsource configuration from parsed yaml + self.merged = False if 'category' in logsource and type(logsource['category']) != str \ or 'product' in logsource and type(logsource['product']) != str \ or 'service' in logsource and type(logsource['service']) != str: 
@@ -170,6 +213,18 @@ class SigmaLogsourceConfiguration: if self.category == None and self.product == None and self.service == None: raise SigmaConfigParseError("Log source definition will not match") + try: + if type(logsource['rewrite']) is not dict: + raise SigmaConfigParseError("Rewrite rule must be a map") + rewrite = logsource['rewrite'] + if not { 'category', 'product', 'service' }.issuperset(rewrite.keys()): + raise SigmaConfigParseError("Rewrite rule in log source configuration may only contain the keys 'category', 'product' and 'service'") + if { str } != { type(value) for value in rewrite.values() }: + raise SigmaConfigParseError("Rewrite rule values may only contain strings") + self.rewrite = tuple((rewrite.get(key) for key in ( 'category', 'product', 'service' ))) # build a (category, product, service) tuple from dict + except KeyError: + self.rewrite = None + if 'index' in logsource: index = logsource['index'] if type(index) not in (str, list): @@ -186,15 +241,12 @@ class SigmaLogsourceConfiguration: # from a merge, where default index handling applies. self.index = [] - if 'conditions' in logsource: + try: if type(logsource['conditions']) != dict: raise SigmaConfigParseError("Logsource conditions must be a map") - cond = ConditionAND() - for key, value in logsource['conditions'].items(): - cond.add((key, value)) - self.conditions = cond - else: - self.conditions = None + self.conditions = [ (field, value) for field, value in logsource['conditions'].items() ] # build list of (field, value) tuples as base for query condition + except KeyError: + self.conditions = list() else: raise SigmaConfigParseError("Logsource definitions must be maps") 
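Review bot: The validation `{ str } != { type(value) for value in rewrite.values() }` rejects an empty `rewrite: {}` with the message "Rewrite rule values may only contain strings", which does not describe the actual problem; an explicit `if not rewrite: raise SigmaConfigParseError("Rewrite rule must not be empty")` before it makes the error actionable. It would also help to state in the comment on the tuple-building line that keys absent from the rewrite become None, i.e. the rewrite replaces the whole (category, product, service) triple rather than patching the matched one, since the chain's `get_logsource` uses the tuple as the new match criteria. `__init__` starts and ends outside this hunk.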
@@ -211,15 +263,5 @@ class SigmaLogsourceConfiguration: if searched: return True - def get_indexcond(self): - """Get index condition if index field name is configured""" - cond = ConditionOR() - if self.indexfield: - for index in self.index: - cond.add((self.indexfield, index)) - return cond - else: - return None - - def __str__(self): + def __str__(self): # pragma: no cover return "[ LogSourceConfiguration: %s %s %s indices: %s ]" % (self.category, self.product, self.service, str(self.index)) diff --git a/tools/sigma/parser/base.py b/tools/sigma/parser/base.py index 6f9f2f98..1ba304e4 100644 --- a/tools/sigma/parser/base.py +++ b/tools/sigma/parser/base.py @@ -63,5 +63,5 @@ class SimpleParser: if self.state not in self.finalstates: raise SigmaParseError("Unexpected end of aggregation expression, state=%d" % (self.state)) - def __str__(self): + def __str__(self): # pragma: no cover return "[ Parsed: %s ]" % (" ".join(["%s=%s" % (key, val) for key, val in self.__dict__.items() ])) diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index ef697e90..32238dda 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -97,7 +97,7 @@ class SigmaConditionToken: else: raise NotImplementedError("SigmaConditionToken can only be compared against token type constants") - def __str__(self): + def __str__(self): # pragma: no cover return "[ Token: %s: '%s' ]" % (self.tokenstr[self.type], self.matched) class SigmaConditionTokenizer: @@ -144,7 +144,7 @@ class SigmaConditionTokenizer: else: raise TypeError("SigmaConditionTokenizer constructor expects string or list, got %s" % (type(condition))) - def __str__(self): + def __str__(self): # pragma: no cover return " ".join([str(token) for token in self.tokens]) def __iter__(self): 
@@ -178,7 +178,7 @@ class ParseTreeNode: def __init__(self): raise NotImplementedError("ConditionBase is no usable class") - def __str__(self): + def __str__(self): # pragma: no cover return "[ %s: %s ]" % (self.__doc__, str([str(item) for item in self.items])) class ConditionBase(ParseTreeNode): @@ -529,31 +529,22 @@ class SigmaConditionParser: if len(tokens) != 1: # parse tree must begin with exactly one node raise ValueError("Parse tree must have exactly one start node!") - querycond = tokens[0] + query_cond = tokens[0] - logsource = self.sigmaParser.get_logsource() - if logsource != None: - # 4. Integrate conditions from configuration - if logsource.conditions != None: - cond = ConditionAND() - cond.add(logsource.conditions) - cond.add(querycond) - querycond = cond + # 4. Integrate conditions from logsources in configurations + ls_cond = self.sigmaParser.get_logsource_condition() + if ls_cond is not None: + cond = ConditionAND() + cond.add(ls_cond) + cond.add(query_cond) + query_cond = cond - # 5. Integrate index conditions if applicable for backend - indexcond = logsource.get_indexcond() - if indexcond != None: - cond = ConditionAND() - cond.add(indexcond) - cond.add(querycond) - querycond = cond + return self._optimizer.optimizeTree(query_cond) - return self._optimizer.optimizeTree(querycond) - - def __str__(self): + def __str__(self): # pragma: no cover return str(self.parsedSearch) - def __len__(self): + def __len__(self): # pragma: no cover return len(self.parsedSearch) # Aggregation parser diff --git a/tools/sigma/parser/rule.py b/tools/sigma/parser/rule.py index 56556240..b285420c 100644 --- a/tools/sigma/parser/rule.py +++ b/tools/sigma/parser/rule.py 
@@ -129,3 +129,38 @@ class SigmaParser:
 service = None
 return self.config.get_logsource(category, product, service)
+
+ def get_logsource_condition(self):
+ logsource = self.get_logsource()
+ if logsource is None:
+ return None
+ else:
+ if logsource.merged: # Merged log source, flatten nested list of condition items
+ kvconds = [ item for sublscond in logsource.conditions for item in sublscond ]
+ else: # Simple log sources already contain flat list of conditions items
+ kvconds = logsource.conditions
+
+ # Apply field mappings
+ mapped_kvconds = list()
+ for field, value in kvconds:
+ mapping = self.config.get_fieldmapping(field)
+ mapped_kvconds.append(mapping.resolve(field, value, self))
+
+ # AND-link condition items
+ cond = ConditionAND()
+ for kvcond in mapped_kvconds:
+ cond.add(kvcond)
+
+ # Add index condition if supported by backend and defined in log source
+ index_field = self.config.get_indexfield()
+ indices = logsource.index
+ if len(indices) > 0 and index_field is not None: # at least one index given and backend knows about indices in conditions
+ if len(indices) > 1: # More than one index, search in all by ORing them together
+ index_cond = ConditionOR()
+ for index in indices:
+ index_cond.add((index_field, index))
+ cond.add(index_cond)
+ else: # only one index, add directly to AND from above
+ cond.add((index_field, indices[0]))
+
+ return cond
diff --git a/tools/sigma2genericsigma b/tools/sigma2genericsigma
new file mode 100755
index 00000000..0d5d6cb1
--- /dev/null
+++ b/tools/sigma2genericsigma
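Review bot: `get_logsource_condition` returns an empty `ConditionAND()` whenever the matched log source contributes neither conditions nor a usable index — which includes every conversion run without `-c`, since the empty chain's `get_logsource` builds a merged SigmaLogsourceConfiguration from an empty list — and the caller in `SigmaConditionParser` only tests `is not None`, so an empty AND node is now wrapped around such rules where the removed code (`if len(cond) > 0 ... else None`) yielded None. Unless `optimizeTree` is known to prune empty nodes, add `if not len(cond): return None` before `return cond`. The method also has no docstring; a line such as "Return the field-mapped log source conditions AND-linked with the backend's index condition, or None if the configuration contributes nothing" would match the rest of the class.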
@@ -0,0 +1,229 @@ +#!/usr/bin/env python3 +# Convert Sigma rules with EventIDs to rules with generic log sources + +from argparse import ArgumentParser +import yaml +import sys +from pathlib import Path + +class Output(object): + """Output base class""" + def write(self, *args, **kwargs): + self.f.write(*args, **kwargs) + +class SingleFileOutput(Output): + """Output into single file with multiple YAML documents. Each input file is announced with comment.""" + def __init__(self, name): + self.f = open(name, "x") + self.path = None + self.first = True + + def new_output(self, path): + """Announce new Sigma rule as input and start new YAML document.""" + if self.path is None or self.path != path: + if self.first: + self.first = False + else: + self.f.write("---\n") + self.path = path + self.f.write("# Sigma rule: {}\n".format(path)) + + def finish(self): + self.f.close() + +class StdoutOutput(SingleFileOutput): + """Like SingleFileOutput, just for standard output""" + def __init__(self): + self.f = sys.stdout + self.path = None + self.first = True + + def finish(self): + pass + +class DirectoryOutput(Output): + """Output each input file into a corresponding output file in target directory.""" + def __init__(self, dirpath): + self.d = dirpath + self.f = None + self.path = None + self.opened = None + + def new_output(self, path): + if self.path is None or self.path != path: + if self.f is not None: + self.f.close() + self.path = path + self.opened = False # opening file is deferred to first write + + def write(self, *args, **kwargs): + if not self.opened: + self.f = (self.d / self.path.name).open("x") + super().write(*args, **kwargs) + + def finish(self): + if self.f is not None: + self.f.close() + +def get_output(output): + if output is None: + return StdoutOutput() + + path = Path(output) + if path.is_dir(): + return DirectoryOutput(path) + else: + return SingleFileOutput(output) + +class SigmaYAMLDumper(yaml.Dumper): + """YAML dumper that increases amount of 
indentation, e.g. for lists""" + def increase_indent(self, flow=False, indentless=False): + return super().increase_indent(flow, False) + +class AmbiguousRuleException(TypeError): + def __init__(self, ids): + super().__init__() + self.ids = ids + + def __str__(self): + return(", ".join([str(eid) for eid in self.ids])) + +def convert_to_generic(yamldoc): + changed = False + try: + product = yamldoc["logsource"]["product"] + service = yamldoc["logsource"]["service"] + except KeyError: + return False + + if product == "windows" and service in ("sysmon", "security"): + # Currently, only Windows Security or Sysmon are relevant + eventids = set() + for name, detection in yamldoc["detection"].items(): # first collect all event ids + if name == "condition" or type(detection) is not dict: + continue + + try: + eventid = detection["EventID"] + try: # expect that EventID attribute contains a list + eventids.update(eventid) + except TypeError: # if this fails, it's a plain value + eventids.add(eventid) + except KeyError: # No EventID attribute + pass + + if 1 in eventids and service == "sysmon" or \ + 4688 in eventids and service == "security": + if len(eventids) == 1: # only convert if one EventID collected, else it gets complicated + # remove all EventID definitions + empty_name = list() + for name, detection in yamldoc["detection"].items(): + if name == "condition" or type(detection) is not dict: + continue + try: + del detection["EventID"] + except KeyError: + pass + + if detection == {}: # detection was reduced to nothing - remove it later + empty_name.append(name) + + for name in empty_name: # delete empty detections + del yamldoc["detection"][name] + + if yamldoc["detection"] == {}: # delete detection section if empty + del yamldoc["detection"] + + # rewrite log source + yamldoc["logsource"] = { + "category": "process_creation", + "product": "windows" + } + + changed = True + else: # raise an exception to print a warning message to make user aware about the issue + 
raise AmbiguousRuleException(eventids) + return changed + +def get_input_paths(args): + if args.recursive: + return [ p for pathname in args.sigma for p in Path(pathname).glob("**/*") if p.is_file() ] + else: + return [ Path(sigma) for sigma in args.sigma ] + +argparser = ArgumentParser(description="Convert between classical and generic log source Sigma rules.") +argparser.add_argument("--output", "-o", help="Output file or directory. Default: standard output.") +argparser.add_argument("--recursive", "-r", action="store_true", help="Recursive traversal of directory") +argparser.add_argument("--converted-list", "-c", help="Write list of rule files that were successfully converted (default: stdout)") +argparser.add_argument("sigma", nargs="+", help="Sigma rule file(s) that should be converted") +args = argparser.parse_args() + +# Define order-preserving representer from dicts/maps +def yaml_preserve_order(self, dict_data): + return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items()) + +yaml.add_representer(dict, yaml_preserve_order) + +input_paths = get_input_paths(args) +output = get_output(args.output) +if args.converted_list: + fconv = open(args.converted_list, "w") +else: + fconv = sys.stdout + +for path in input_paths: + try: + f = path.open("r") + except OSError as e: + print("Error while reading Sigma rule {}: {}".format(path, str(e)), file=sys.stderr) + sys.exit(1) + + try: + yamldocs = list(yaml.safe_load_all(f)) + except yaml.YAMLError as e: + print("YAML parse error while parsing Sigma rule {}: {}".format(path, str(e)), file=sys.stderr) + sys.exit(2) + + yamldoc_num = 0 + changed = False + for yamldoc in yamldocs: + yamldoc_num += 1 + output.new_output(path) + try: + changed |= convert_to_generic(yamldoc) + except AmbiguousRuleException as e: + changed = False + print("Rule {} in file {} contains multiple EventIDs: {}".format(yamldoc_num, str(path), str(e)), file=sys.stderr) + + yamldocs_idx = list(zip(range(len(yamldocs)), yamldocs)) + 
delete = set() + for i, yamldoc_a in yamldocs_idx: # iterate over all yaml document pairs + for j, yamldoc_b in yamldocs_idx: + if j <= i: # symmetric relation, skip same comparisons + continue + if yamldoc_a == yamldoc_b: + delete.add(j) + + for i in reversed(sorted(delete)): # delete double yaml documents + del yamldocs[i] + + # Common special case: two yaml docs, one global and one remainder of multiple following docs - merge them + try: + if len(yamldocs) == 2 and \ + yamldocs[0]["action"] == "global" and \ + "action" not in yamldocs[1] and \ + set(yamldocs[0].keys()) & set(yamldocs[1].keys()) == set(): # last condition: no common keys + yamldocs[0].update(yamldocs[1]) + del yamldocs[1] + except KeyError: + pass + + if changed: # only write output if changed + try: + output.write(yaml.dump_all(yamldocs, Dumper=SigmaYAMLDumper, indent=4, width=160, default_flow_style=False)) + print(path, file=fconv) + except OSError as e: + print("Error while writing result: {}".format(str(e)), file=sys.stderr) + sys.exit(2) + +output.finish() diff --git a/tools/sigmac b/tools/sigmac index 0d8e0a02..1030d2fa 100755 --- a/tools/sigmac +++ b/tools/sigmac @@ -24,7 +24,7 @@ import itertools import logging from sigma.parser.collection import SigmaCollectionParser from sigma.parser.exceptions import SigmaCollectionParseError, SigmaParseError -from sigma.configuration import SigmaConfiguration +from sigma.configuration import SigmaConfiguration, SigmaConfigurationChain from sigma.config.exceptions import SigmaConfigParseError, SigmaRuleFilterParseException from sigma.filter import SigmaRuleFilter import sigma.backends.discovery as backends @@ -40,7 +40,7 @@ def print_verbose(*args, **kwargs): if cmdargs.verbose or cmdargs.debug: print(*args, **kwargs) -def print_debug(*args, **kwargs): +def print_debug(*args, **kwargs): # pragme: no cover if cmdargs.debug: print(*args, **kwargs) 
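Review bot: `DirectoryOutput.write` never sets `self.opened = True` after opening the file, so a second `write()` for the same rule path re-opens `self.d / self.path.name` with mode `"x"` and fails with FileExistsError while leaking the first handle; it only works today because the main loop emits each converted file with a single `dump_all` call. Add `self.opened = True` directly after the `open("x")` line. Separately, the global/remainder merge does `yamldocs[0].update(yamldocs[1])` but leaves `action: global` in the surviving document, so the emitted file is a single document tagged as a global section; if the collection parser treats such a document as a prefix rather than a rule (which is what the multi-document rule deleted at the top of this diff relies on), the converted rule is silently dropped — `del yamldocs[0]["action"]` after the update would fix that, please confirm against the parser. Finally, `path.open("r")` in the main loop and `fconv` are never closed; `with path.open("r") as f:` around the `safe_load_all` call covers the former.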
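Review bot: `# pragme: no cover` on the `print_debug` definition is misspelled, so coverage.py will not honour the exclusion and the function stays reported as uncovered, which defeats the purpose of the change. Replace it with `# pragma: no cover`, matching the marker used on the other `__str__` methods in this commit.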
@@ -87,7 +87,7 @@ Multiple log source specifications are AND linked.
 """)
 argparser.add_argument("--target", "-t", default="es-qs", choices=backends.getBackendDict().keys(), help="Output target format")
 argparser.add_argument("--target-list", "-l", action="store_true", help="List available output target formats")
-argparser.add_argument("--config", "-c", help="Configuration with field name and index mapping for target environment")
+argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authorative in case of conflicts.")
 argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated")
 argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
 argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
@@ -97,7 +97,7 @@ argparser.add_argument("--debug", "-D", action="store_true", help="Debugging out
 argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)")
 cmdargs = argparser.parse_args()
-if cmdargs.debug:
+if cmdargs.debug: # pragma: no cover
 logger.setLevel(logging.DEBUG)
 if cmdargs.target_list:
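Review bot: The new `--config` help string is user-facing and contains the typo "authorative"; it should read `Last config is authoritative in case of conflicts.`. Since order now matters, the same sentence is the natural place to say that generic conversion configs (tools/config/generic/*) must be given before the backend-specific one, which is the order every new Makefile test in this diff uses.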
@@ -117,24 +117,25 @@ if cmdargs.filter:
 print("Parse error in Sigma rule filter expression: %s" % str(e), file=sys.stderr)
 sys.exit(9)
-sigmaconfig = SigmaConfiguration()
+sigmaconfigs = SigmaConfigurationChain()
 if cmdargs.config:
- try:
- conffile = cmdargs.config
- f = open(conffile)
- sigmaconfig = SigmaConfiguration(f)
- except OSError as e:
- print("Failed to open Sigma configuration file %s: %s" % (conffile, str(e)), file=sys.stderr)
- exit(5)
- except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
- print("Sigma configuration file %s is no valid YAML: %s" % (conffile, str(e)), file=sys.stderr)
- exit(6)
- except SigmaConfigParseError as e:
- print("Sigma configuration parse error in %s: %s" % (conffile, str(e)), file=sys.stderr)
- exit(7)
+ for conffile in cmdargs.config:
+ try:
+ f = open(conffile)
+ sigmaconfig = SigmaConfiguration(f)
+ sigmaconfigs.append(sigmaconfig)
+ except OSError as e:
+ print("Failed to open Sigma configuration file %s: %s" % (conffile, str(e)), file=sys.stderr)
+ exit(5)
+ except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
+ print("Sigma configuration file %s is no valid YAML: %s" % (conffile, str(e)), file=sys.stderr)
+ exit(6)
+ except SigmaConfigParseError as e:
+ print("Sigma configuration parse error in %s: %s" % (conffile, str(e)), file=sys.stderr)
+ exit(7)
 backend_options = BackendOptions(cmdargs.backend_option)
-backend = backends.getBackend(cmdargs.target)(sigmaconfig, backend_options)
+backend = backends.getBackend(cmdargs.target)(sigmaconfigs, backend_options)
 filename = cmdargs.output
 if filename:
 try:
@@ -153,7 +154,7 @@ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
 f = sigmafile
 else:
 f = sigmafile.open(encoding='utf-8')
- parser = SigmaCollectionParser(f, sigmaconfig, rulefilter)
+ parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter)
 results = parser.generate(backend)
 for result in results:
 print(result, file=out)
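Review bot: The per-config loop opens each file with `f = open(conffile)` and never closes it; the pre-existing single-file version had the same leak, but now one handle per `-c` argument stays open for the whole run. `with open(conffile) as f: sigmaconfigs.append(SigmaConfiguration(f))` inside the `try` also removes the now single-use `sigmaconfig` local, and the `except` clauses keep working unchanged. The loop sits at module level, so there is no enclosing function.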