From 4231fe2efcbfa94cc77b04d302e8dba9b43f0cb7 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Wed, 1 Jul 2020 10:23:30 +0200 Subject: [PATCH 1/2] fix: remove duplicate rules in sysmon (generic rule cleanup) --- .../sysmon/sysmon_apt_oceanlotus_registry.yml | 36 ------ rules/windows/sysmon/sysmon_apt_pandemic.yml | 41 ------ .../sysmon_asep_reg_keys_modification.yml | 34 ----- .../sysmon/sysmon_creation_system_file.yml | 57 --------- .../sysmon/sysmon_cred_dump_lsass_access.yml | 57 --------- .../sysmon_cred_dump_tools_dropped_files.yml | 51 -------- .../windows/sysmon/sysmon_dhcp_calloutdll.yml | 28 ----- ...y_events_logging_adding_reg_key_minint.yml | 33 ----- .../sysmon_dns_serverlevelplugindll.yml | 40 ------ .../sysmon/sysmon_ghostpack_safetykatz.yml | 23 ---- rules/windows/sysmon/sysmon_hack_dumpert.yml | 36 ------ rules/windows/sysmon/sysmon_hack_wce.yml | 38 ------ .../sysmon_in_memory_assembly_execution.yml | 47 ------- .../sysmon/sysmon_in_memory_powershell.yml | 36 ------ .../windows/sysmon/sysmon_invoke_phantom.yml | 27 ---- rules/windows/sysmon/sysmon_lsass_memdump.yml | 28 ----- ...sysmon_lsass_memory_dump_file_creation.yml | 28 ----- .../sysmon_malware_backconnect_ports.yml | 99 --------------- .../sysmon_malware_verclsid_shellcode.yml | 32 ----- .../sysmon_mimikatz_inmemory_detection.yml | 45 ------- .../sysmon/sysmon_mimikatz_trough_winrm.yml | 28 ----- .../sysmon_narrator_feedback_persistance.yml | 28 ----- ..._dll_added_to_appcertdlls_registry_key.yml | 35 ------ ...dll_added_to_appinit_dlls_registry_key.yml | 37 ------ .../sysmon_notepad_network_connection.yml | 25 ---- ..._service_registry_permissions_weakness.yml | 33 ----- ...sysmon_powershell_execution_moduleload.yml | 30 ----- .../sysmon_powershell_exploit_scripts.yml | 119 ------------------ .../sysmon_powershell_network_connection.yml | 47 ------- .../sysmon/sysmon_quarkspw_filedump.yml | 25 ---- .../sysmon_rdp_registry_modification.yml | 31 ----- .../sysmon/sysmon_rdp_reverse_tunnel.yml | 30 ----- .../sysmon/sysmon_rdp_settings_hijack.yml | 23 ---- 
...ysmon_registry_persistence_key_linking.yml | 25 ---- ...smon_registry_persistence_search_order.yml | 30 ----- ...mon_registry_trust_record_modification.yml | 25 ---- ...smon_remote_powershell_session_network.yml | 27 ---- .../sysmon_rundll32_net_connections.yml | 46 ------- .../sysmon/sysmon_ssp_added_lsa_config.yml | 28 ----- .../sysmon/sysmon_stickykey_like_backdoor.yml | 50 -------- .../sysmon/sysmon_susp_adsi_cache_usage.yml | 30 ----- .../sysmon/sysmon_susp_desktop_ini.yml | 28 ----- .../sysmon/sysmon_susp_download_run_key.yml | 27 ---- .../sysmon/sysmon_susp_driver_load.yml | 20 --- .../windows/sysmon/sysmon_susp_image_load.yml | 27 ---- ...n_susp_office_dotnet_assembly_dll_load.yml | 29 ----- ...sysmon_susp_office_dotnet_clr_dll_load.yml | 29 ----- ...sysmon_susp_office_dotnet_gac_dll_load.yml | 29 ----- .../sysmon_susp_office_dsparse_dll_load.yml | 29 ----- .../sysmon_susp_office_kerberos_dll_load.yml | 29 ----- ...cexplorer_driver_created_in_tmp_folder.yml | 29 ----- ..._susp_prog_location_network_connection.yml | 32 ----- rules/windows/sysmon/sysmon_susp_rdp.yml | 45 ------- .../sysmon_susp_reg_persist_explorer_run.yml | 36 ------ .../sysmon/sysmon_susp_run_key_img_folder.yml | 38 ------ .../sysmon/sysmon_susp_service_installed.yml | 34 ----- .../sysmon_susp_winword_vbadll_load.yml | 31 ----- .../sysmon_susp_winword_wmidll_load.yml | 34 ----- ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 64 ---------- ...sysmon_suspicious_keyboard_layout_load.yml | 28 ----- ...uspicious_outbound_kerberos_connection.yml | 31 ----- ...sysmon_svchost_dll_search_order_hijack.yml | 35 ------ .../sysmon_sysinternals_eula_accepted.yml | 30 ----- .../sysmon_tsclient_filewrite_startup.yml | 18 --- .../sysmon/sysmon_uac_bypass_eventvwr.yml | 34 ----- .../sysmon/sysmon_uac_bypass_sdclt.yml | 26 ---- ...ysmon_unsigned_image_loaded_into_lsass.yml | 25 ---- .../sysmon_webshell_creation_detect.yml | 48 ------- .../sysmon/sysmon_win_binary_github_com.yml | 28 ----- 
.../sysmon/sysmon_win_binary_susp_com.yml | 29 ----- .../sysmon/sysmon_win_reg_persistence.yml | 29 ----- .../windows/sysmon/sysmon_wmi_module_load.yml | 49 -------- ...persistence_commandline_event_consumer.yml | 24 ---- ...ersistence_script_event_consumer_write.yml | 23 ---- 74 files changed, 2615 deletions(-) delete mode 100644 rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml delete mode 100755 rules/windows/sysmon/sysmon_apt_pandemic.yml delete mode 100644 rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml delete mode 100644 rules/windows/sysmon/sysmon_creation_system_file.yml delete mode 100644 rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml delete mode 100644 rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml delete mode 100644 rules/windows/sysmon/sysmon_dhcp_calloutdll.yml delete mode 100644 rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml delete mode 100644 rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml delete mode 100644 rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml delete mode 100644 rules/windows/sysmon/sysmon_hack_dumpert.yml delete mode 100644 rules/windows/sysmon/sysmon_hack_wce.yml delete mode 100644 rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml delete mode 100644 rules/windows/sysmon/sysmon_in_memory_powershell.yml delete mode 100644 rules/windows/sysmon/sysmon_invoke_phantom.yml delete mode 100644 rules/windows/sysmon/sysmon_lsass_memdump.yml delete mode 100644 rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml delete mode 100644 rules/windows/sysmon/sysmon_malware_backconnect_ports.yml delete mode 100644 rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml delete mode 100644 rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml delete mode 100644 rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml delete mode 100644 rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml delete mode 100644 
rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml delete mode 100644 rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml delete mode 100644 rules/windows/sysmon/sysmon_notepad_network_connection.yml delete mode 100644 rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_network_connection.yml delete mode 100644 rules/windows/sysmon/sysmon_quarkspw_filedump.yml delete mode 100644 rules/windows/sysmon/sysmon_rdp_registry_modification.yml delete mode 100644 rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml delete mode 100644 rules/windows/sysmon/sysmon_rdp_settings_hijack.yml delete mode 100644 rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml delete mode 100644 rules/windows/sysmon/sysmon_registry_persistence_search_order.yml delete mode 100644 rules/windows/sysmon/sysmon_registry_trust_record_modification.yml delete mode 100644 rules/windows/sysmon/sysmon_remote_powershell_session_network.yml delete mode 100644 rules/windows/sysmon/sysmon_rundll32_net_connections.yml delete mode 100644 rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml delete mode 100644 rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_adsi_cache_usage.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_desktop_ini.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_download_run_key.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_driver_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_image_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml delete mode 100644 
rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_rdp.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_service_installed.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml delete mode 100644 rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml delete mode 100644 rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml delete mode 100644 rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml delete mode 100644 rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml delete mode 100644 rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml delete mode 100644 rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml delete mode 100644 rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml delete mode 100644 rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml delete mode 100644 rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml delete mode 100644 rules/windows/sysmon/sysmon_webshell_creation_detect.yml delete mode 100644 rules/windows/sysmon/sysmon_win_binary_github_com.yml delete mode 100644 rules/windows/sysmon/sysmon_win_binary_susp_com.yml delete mode 100644 rules/windows/sysmon/sysmon_win_reg_persistence.yml delete mode 100644 rules/windows/sysmon/sysmon_wmi_module_load.yml delete mode 100644 
rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml delete mode 100644 rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml diff --git a/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml b/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml deleted file mode 100644 index 6b8cfe86..00000000 --- a/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: OceanLotus Registry Activity -id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4 -status: experimental -description: Detects registry keys created in OceanLotus (also known as APT32) attacks -references: - - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ -tags: - - attack.t1112 -author: megan201296 -date: 2019/04/14 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 13 - TargetObject: - - 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - - 'HKU\\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - # covers HKU\* and HKLM.. - - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application' - - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon' - - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application' - - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon' - - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application' - - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon' - # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\ - - 'HKU\\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*' - # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\ - - 'HKU\\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\\*' - # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\ - - 'HKU\\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*' - condition: selection -falsepositives: - - Unknown -level: critical 
diff --git a/rules/windows/sysmon/sysmon_apt_pandemic.yml b/rules/windows/sysmon/sysmon_apt_pandemic.yml deleted file mode 100755 index 7360e5e2..00000000 --- a/rules/windows/sysmon/sysmon_apt_pandemic.yml +++ /dev/null @@ -1,41 +0,0 @@ -action: global -title: Pandemic Registry Key -id: 47e0852a-cf81-4494-a8e6-31864f8c86ed -status: experimental -description: Detects Pandemic Windows Implant -references: - - https://wikileaks.org/vault7/#Pandemic - - https://twitter.com/MalwareJake/status/870349480356454401 -tags: - - attack.lateral_movement - - attack.t1105 -author: Florian Roth -date: 2017/06/01 -detection: - condition: 1 of them -fields: - - EventID - - CommandLine - - ParentCommandLine - - Image - - User - - TargetObject -falsepositives: - - unknown -level: critical ---- -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 13 - TargetObject: - - 'HKLM\SYSTEM\CurrentControlSet\services\null\Instance*' ---- -logsource: - category: process_creation - product: windows -detection: - selection2: - Command: 'loaddll -a *' diff --git a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml b/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml deleted file mode 100644 index 72f08c5e..00000000 --- a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -title: Autorun Keys Modification -id: 17f878b8-9968-4578-b814-c4217fc5768c -description: Detects modification of autostart extensibility point (ASEP) in registry -status: experimental -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml -tags: - - attack.persistence - - attack.t1060 - - attack.t1547.001 -date: 2019/10/21 -modified: 2019/11/10 -author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 13 - TargetObject|contains: - - '\software\Microsoft\Windows\CurrentVersion\Run' - - '\software\Microsoft\Windows\CurrentVersion\RunOnce' - - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx' - - '\software\Microsoft\Windows\CurrentVersion\RunServices' - - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce' - - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' - - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' - - '\software\Microsoft\Windows NT\CurrentVersion\Windows' - - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' - condition: selection -falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - - Legitimate administrator sets up autorun keys for legitimate reason -level: medium diff --git a/rules/windows/sysmon/sysmon_creation_system_file.yml b/rules/windows/sysmon/sysmon_creation_system_file.yml deleted file mode 100644 index 9f8143c8..00000000 --- a/rules/windows/sysmon/sysmon_creation_system_file.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -title: File Created with System Process Name -id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d -status: experimental -description: Detects the creation of a executable with a sytem process name in a suspicious folder -references: - - https://attack.mitre.org/techniques/T1036/ -author: Sander Wiebing -date: 2020/05/26 -tags: - - attack.defense_evasion - - attack.t1036 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 11 - TargetFilename|endswith: - - '*\svchost.exe' - - '*\rundll32.exe' - - '*\services.exe' - - '*\powershell.exe' - - '*\regsvr32.exe' - - '*\spoolsv.exe' - - '*\lsass.exe' - - '*\smss.exe' - - '*\csrss.exe' - - '*\conhost.exe' - - '*\wininit.exe' - - '*\lsm.exe' - - '*\winlogon.exe' - - '*\explorer.exe' - - '*\taskhost.exe' - - '*\Taskmgr.exe' - - '*\taskmgr.exe' - - '*\sihost.exe' - - '*\RuntimeBroker.exe' - - '*\runtimebroker.exe' - - '*\smartscreen.exe' - - '*\dllhost.exe' - - '*\audiodg.exe' - - '*\wlanext.exe' - filter: - TargetFilename: - - 'C:\Windows\System32\\*' - - 'C:\Windows\system32\\*' - - 'C:\Windows\SysWow64\\*' - - 'C:\Windows\SysWOW64\\*' - - 'C:\Windows\winsxs\\*' - - 'C:\Windows\WinSxS\\*' - - '\SystemRoot\System32\\*' - condition: selection and not filter -fields: - - Image -falsepositives: - - System processes copied outside the default folder -level: high diff --git a/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml b/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml deleted file mode 100644 index 5e05ea71..00000000 --- a/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -title: Credentials Dumping Tools Accessing LSASS Memory -id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d -status: experimental -description: Detects process access LSASS memory which is typical for credentials dumping tools -author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) -date: 2017/02/16 -modified: 2019/11/08 -references: - - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -tags: - - attack.t1003 - - attack.s0002 - - attack.credential_access - - car.2019-04-004 - - attack.t1003.001 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 10 - TargetImage|endswith: '\lsass.exe' - GrantedAccess|contains: - - '0x40' - - '0x1000' - - '0x1400' - - '0x100000' - - '0x1410' # car.2019-04-004 - - '0x1010' # car.2019-04-004 - - '0x1438' # car.2019-04-004 - - '0x143a' # car.2019-04-004 - - '0x1418' # car.2019-04-004 - - '0x1f0fff' - - '0x1f1fff' - - '0x1f2fff' - - '0x1f3fff' - filter: - ProcessName|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts - - '\wmiprvse.exe' - - '\taskmgr.exe' - - '\procexp64.exe' - - '\procexp.exe' - - '\lsm.exe' - - '\csrss.exe' - - '\wininit.exe' - - '\vmtoolsd.exe' - condition: selection and not filter -fields: - - ComputerName - - User - - SourceImage -falsepositives: - - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it -level: high 
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml deleted file mode 100644 index 6a76bfa6..00000000 --- a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml +++ /dev/null @@ -1,51 +0,0 @@ -title: Cred Dump Tools Dropped Files -id: 8fbf3271-1ef6-4e94-8210-03c2317947f6 -description: Files with well-known filenames (parts of credential dump software or files produced by them) creation -author: Teymur Kheirkhabarov, oscd.community -date: 2019/11/01 -modified: 2019/11/13 -references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -tags: - - attack.credential_access - - attack.t1003 - - attack.t1003.002 - - attack.t1003.001 - - attack.t1003.003 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 11 - TargetFilename|contains: - - '\pwdump' - - '\kirbi' - - '\pwhashes' - - '\wce_ccache' - - '\wce_krbtkts' - - '\fgdump-log' - TargetFilename|endswith: - - '\test.pwd' - - '\lsremora64.dll' - - '\lsremora.dll' - - '\fgexec.exe' - - '\wceaux.dll' - - '\SAM.out' - - '\SECURITY.out' - - '\SYSTEM.out' - - '\NTDS.out' - - '\DumpExt.dll' - - '\DumpSvc.exe' - - '\cachedump64.exe' - - '\cachedump.exe' - - '\pstgdump.exe' - - '\servpw.exe' - - '\servpw64.exe' - - '\pwdump.exe' - - '\procdump64.exe' - condition: selection -falsepositives: - - Legitimate Administrator using tool for password recovery -level: high -status: experimental diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml deleted file mode 100644 index 0375f267..00000000 --- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: DHCP Callout DLL Installation -id: 9d3436ef-9476-4c43-acca-90ce06bdf33a -status: experimental -description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) -references: - - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx -date: 2017/05/15 -author: Dimitrios Slamaris -tags: - - attack.defense_evasion - - attack.t1073 - - attack.t1112 - - attack.t1574.002 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 13 - TargetObject: - - '*\Services\DHCPServer\Parameters\CalloutDlls' - - '*\Services\DHCPServer\Parameters\CalloutEnabled' - condition: selection -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml deleted file mode 100644 index bf53e1c8..00000000 --- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -title: Disable Security Events Logging Adding Reg Key MiniNt -id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 -status: experimental -description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. -references: - - https://twitter.com/0gtweet/status/1182516740955226112 -tags: - - attack.defense_evasion - - attack.t1089 - - attack.t1562.001 -author: Ilyas Ochkov, oscd.community -date: 2019/10/25 -modified: 2019/11/13 -logsource: - product: windows - service: sysmon -detection: - selection: - - EventID: 12 # key create - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' - EventType: 'CreateKey' # we don't want deletekey - - EventID: 14 # key rename - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' - condition: selection -fields: - - EventID - - Image - - TargetObject - - NewName -falsepositives: - - Unkown -level: high diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml deleted file mode 100644 index 7abb9ced..00000000 --- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -action: global -title: DNS ServerLevelPluginDll Install -id: e61e8a88-59a9-451c-874e-70fcc9740d67 -status: experimental -description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server - (restart required) -references: - - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 -date: 2017/05/08 -author: Florian Roth -tags: - - attack.defense_evasion - - attack.t1073 -detection: - condition: 1 of them -fields: - - EventID - - CommandLine - - ParentCommandLine - - Image - - User - - TargetObject -falsepositives: - - unknown -level: high ---- -logsource: - product: windows - service: sysmon -detection: - dnsregmod: - EventID: 13 - TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll' ---- -logsource: - category: process_creation - product: windows -detection: - dnsadmin: - CommandLine: 'dnscmd.exe /config /serverlevelplugindll *' \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml deleted file mode 100644 index 1dc20497..00000000 --- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Detection of SafetyKatz -id: e074832a-eada-4fd7-94a1-10642b130e16 -status: experimental -description: Detects possible SafetyKatz Behaviour -references: - - https://github.com/GhostPack/SafetyKatz -tags: - - attack.credential_access - - attack.t1003 - - attack.t1003.001 -author: Markus Neis -date: 2018/07/24 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 11 - TargetFilename: '*\Temp\debug.bin' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/sysmon/sysmon_hack_dumpert.yml b/rules/windows/sysmon/sysmon_hack_dumpert.yml deleted file mode 100644 index 443c8bf3..00000000 
--- a/rules/windows/sysmon/sysmon_hack_dumpert.yml +++ /dev/null @@ -1,36 +0,0 @@ -action: global -title: Dumpert Process Dumper -id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 -description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory -author: Florian Roth -references: - - https://github.com/outflanknl/Dumpert - - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ -date: 2020/02/04 -tags: - - attack.credential_access - - attack.t1003 - - attack.t1003.001 -logsource: - product: windows - service: sysmon -falsepositives: - - Very unlikely -level: critical ---- -logsource: - category: process_creation - product: windows -detection: - selection: - Imphash: '09D278F9DE118EF09163C6140255C690' - condition: selection ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 11 - TargetFilename: C:\Windows\Temp\dumpert.dmp - condition: selection \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_hack_wce.yml b/rules/windows/sysmon/sysmon_hack_wce.yml deleted file mode 100644 index 43fb3a47..00000000 --- a/rules/windows/sysmon/sysmon_hack_wce.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -action: global -title: Windows Credential Editor -id: 7aa7009a-28b9-4344-8c1f-159489a390df -description: Detects the use of Windows Credential Editor (WCE) -author: Florian Roth -references: - - https://www.ampliasecurity.com/research/windows-credentials-editor/ -date: 2019/12/31 -tags: - - attack.credential_access - - attack.t1003 - - attack.t1558 - - attack.s0005 -falsepositives: - - 'Another service that uses a single -s command line switch' -level: critical ---- -logsource: - category: process_creation - product: windows -detection: - selection1: - Imphash: - - a53a02b997935fd8eedcb5f7abab9b9f - - e96a73c7bf33a464c510ede582318bf2 - selection2: - CommandLine|endswith: '.exe -S' - ParentImage|endswith: '\services.exe' - condition: 1 of them ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 13 - TargetObject|contains: Services\WCESERVICE\Start - condition: selection diff --git a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml b/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml deleted file mode 100644 index d5e77adb..00000000 --- a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -title: Suspicious In-Memory Module Execution -id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 -description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity - C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" - as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such - few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain - routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. -status: experimental -date: 2019/10/27 -author: Perez Diego (@darkquassar), oscd.community -references: - - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ -tags: - - attack.privilege_escalation - - attack.t1055 -logsource: - product: windows - service: sysmon -detection: - selection_01: - EventID: 10 - CallTrace: - - "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)" - - "*UNKNOWN(*)|UNKNOWN(*)" - selection_02: - EventID: 10 - CallTrace: "*UNKNOWN*" - granted_access: - GrantedAccess: - - "0x1F0FFF" - - "0x1F1FFF" - - "0x143A" - - "0x1410" - - "0x1010" - - "0x1F2FFF" - - "0x1F3FFF" - - "0x1FFFFF" - condition: selection_01 OR (selection_02 AND granted_access) -fields: - - ComputerName - - User - - SourceImage - - TargetImage - - CallTrace -level: critical -falsepositives: - - Low diff --git a/rules/windows/sysmon/sysmon_in_memory_powershell.yml b/rules/windows/sysmon/sysmon_in_memory_powershell.yml deleted file mode 100644 index 55b1f058..00000000 
--- a/rules/windows/sysmon/sysmon_in_memory_powershell.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: In-memory PowerShell -id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f -status: experimental -description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. -author: Tom Kern, oscd.community -date: 2019/11/14 -modified: 2019/11/30 -references: - - https://adsecurity.org/?p=2921 - - https://github.com/p3nt4/PowerShdll -tags: - - attack.t1086 - - attack.execution - - attack.t1059.001 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 7 - ImageLoaded|endswith: - - '\System.Management.Automation.Dll' - - '\System.Management.Automation.ni.Dll' - filter: - Image|endswith: - - '\powershell.exe' - - '\powershell_ise.exe' - - '\WINDOWS\System32\sdiagnhost.exe' - # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM - condition: selection and not filter -falsepositives: - - Used by some .NET binaries, minimal on user workstation. -level: high -enrichment: - - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x - - EN_0003_enrich_other_sysmon_events_with_event_id_1_data # http://bit.ly/2ojW7fw diff --git a/rules/windows/sysmon/sysmon_invoke_phantom.yml b/rules/windows/sysmon/sysmon_invoke_phantom.yml deleted file mode 100644 index 9dda2195..00000000 --- a/rules/windows/sysmon/sysmon_invoke_phantom.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: Suspect Svchost Memory Asccess -id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde -status: experimental -description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. -author: Tim Burrell -date: 2020/01/02 -references: - - https://github.com/hlldz/Invoke-Phant0m - - https://twitter.com/timbmsft/status/900724491076214784 -tags: - - attack.t1089 - - attack.defense_evasion - - attack.t1562.001 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 10 - TargetImage: '*\windows\system32\svchost.exe' - GrantedAccess: '0x1f3fff' - CallTrace: - - '*unknown*' - condition: selection -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_lsass_memdump.yml b/rules/windows/sysmon/sysmon_lsass_memdump.yml deleted file mode 100644 index 2a59dc1a..00000000 --- a/rules/windows/sysmon/sysmon_lsass_memdump.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: LSASS Memory Dump -id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da -status: experimental -description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 -author: Samir Bousseaden -date: 2019/04/03 -references: - - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -tags: - - attack.t1003 - - attack.s0002 - - attack.credential_access - - attack.t1003.001 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 10 - TargetImage: 'C:\windows\system32\lsass.exe' - GrantedAccess: '0x1fffff' - CallTrace: - - '*dbghelp.dll*' - - '*dbgcore.dll*' - condition: selection -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml deleted file mode 100644 index f5d8963f..00000000 
--- a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: LSASS Memory Dump File Creation -id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a -description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified -author: Teymur Kheirkhabarov, oscd.community -references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -date: 2019/10/22 -modified: 2019/11/13 -tags: - - attack.credential_access - - attack.t1003 - - attack.t1003.001 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 11 - TargetFilename|contains: 'lsass' - TargetFilename|endswith: 'dmp' - condition: selection -fields: - - ComputerName - - TargetFilename -falsepositives: - - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator -level: medium -status: experimental diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml deleted file mode 100644 index a69294b3..00000000 --- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -title: Suspicious Typical Malware Back Connect Ports -id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382 -status: experimental -description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases -references: - - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -author: Florian Roth -date: 2017/03/19 -tags: - - attack.command_and_control - - attack.t1043 - - attack.t1571 -logsource: - product: windows - service: sysmon - definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' -detection: - selection: - EventID: 3 - Initiated: 'true' - DestinationPort: - - '4443' - - '2448' - - '8143' - - '1777' - - '1443' - - '243' - - '65535' - - '13506' - - '3360' - - '200' - - '198' - - '49180' - - '13507' - - '6625' - - '4444' - - '4438' - - '1904' - - '13505' - - '13504' - - '12102' - - '9631' - - '5445' - - '2443' - - '777' - - '13394' - - '13145' - - '12103' - - '5552' - - '3939' - - '3675' - - '666' - - '473' - - '5649' - - '4455' - - '4433' - - '1817' - - '100' - - '65520' - - '1960' - - '1515' - - '743' - - '700' - - '14154' - - '14103' - - '14102' - - '12322' - - '10101' - - '7210' - - '4040' - - '9943' - filter1: - Image: '*\Program Files*' - filter2: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' - - '127.*' - DestinationIsIpv6: 'false' - condition: selection and not ( filter1 or filter2 ) -falsepositives: - - unknown -level: medium diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml deleted file mode 100644 index 0e4c4282..00000000 
--- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml +++ /dev/null @@ -1,32 +0,0 @@ -title: Malware Shellcode in Verclsid Target Process -id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1 -status: experimental -description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro -references: - - https://twitter.com/JohnLaTwC/status/837743453039534080 -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 -author: John Lambert (tech), Florian Roth (rule) -date: 2017/03/04 -logsource: - product: windows - service: sysmon - definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' -detection: - selection: - EventID: 10 - TargetImage: '*\verclsid.exe' - GrantedAccess: '0x1FFFFF' - combination1: - CallTrace: '*|UNKNOWN(*VBE7.DLL*' - combination2: - SourceImage: '*\Microsoft Office\\*' - CallTrace: '*|UNKNOWN*' - condition: selection and 1 of combination* -falsepositives: - - unknown -level: high - - diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml deleted file mode 100644 index a9832506..00000000 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -title: Mimikatz In-Memory -id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e -status: experimental -description: Detects certain DLL loads when Mimikatz gets executed -references: - - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ -tags: - - attack.s0002 - - attack.t1003 - - attack.lateral_movement - - attack.credential_access - - car.2019-04-004 - - attack.t1003.002 - - attack.t1003.004 - - attack.t1003.001 - - attack.t1003.006 -logsource: - product: windows - service: sysmon -date: 2017/03/13 -detection: - selector: - EventID: 7 - Image: 'C:\Windows\System32\rundll32.exe' - dllload1: - ImageLoaded: '*\vaultcli.dll' - dllload2: - ImageLoaded: '*\wlanapi.dll' - exclusion: - ImageLoaded: - - 'ntdsapi.dll' - - 'netapi32.dll' - - 'imm32.dll' - - 'samlib.dll' - - 'combase.dll' - - 'srvcli.dll' - - 'shcore.dll' - - 'ntasn1.dll' - - 'cryptdll.dll' - - 'logoncli.dll' - timeframe: 30s - condition: selector | near dllload1 and dllload2 and not exclusion -falsepositives: - - unknown -level: medium diff --git a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml deleted file mode 100644 index 693cdeef..00000000 --- a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: Mimikatz through Windows Remote Management -id: aa35a627-33fb-4d04-a165-d33b4afca3e8 -description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. -references: - - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ -status: stable -author: Patryk Prauze - ING Tech -date: 2019/05/20 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 10 - TargetImage: 'C:\windows\system32\lsass.exe' - SourceImage: 'C:\Windows\system32\wsmprovhost.exe' - condition: selection -tags: - - attack.credential_access - - attack.execution - - attack.t1003 - - attack.t1028 - - attack.s0005 - - attack.t1003.001 - - attack.t1021.006 -falsepositives: - - low -level: high diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml deleted file mode 100644 index 7c88604c..00000000 --- a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: Narrator's Feedback-Hub Persistence -id: f663a6d9-9d1b-49b8-b2b1-0637914d199a -description: Detects abusing Windows 10 Narrator's Feedback-Hub -references: - - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html -tags: - - attack.persistence - - attack.t1060 - - attack.t1547.001 -author: Dmitriy Lifanov, oscd.community -status: experimental -date: 2019/10/25 -modified: 2019/11/10 -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 12 - EventType: DeleteValue - TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' - selection2: - EventID: 13 - TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' - condition: 1 of them -falsepositives: - - unknown -level: high 
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml deleted file mode 100644 index 1ea9cafc..00000000 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ /dev/null @@ -1,35 +0,0 @@ -title: New DLL Added to AppCertDlls Registry Key -id: 6aa1d992-5925-4e9f-a49b-845e51d1de01 -status: experimental -description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. -references: - - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html -tags: - - attack.persistence - - attack.t1182 - - attack.t1546.009 -author: Ilyas Ochkov, oscd.community -date: 2019/10/25 -modified: 2019/11/13 -logsource: - product: windows - service: sysmon -detection: - selection: - - EventID: - - 12 # key create - - 13 # value set - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' - - EventID: 14 # key rename - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls' - condition: selection -fields: - - EventID - - Image - - TargetObject - - NewName -falsepositives: - - Unkown -level: medium diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml deleted file mode 100644 index 78e61989..00000000 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -title: New DLL Added to AppInit_DLLs Registry Key -id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d -status: experimental -description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll -references: - - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html -tags: - - attack.persistence - - attack.t1103 - - attack.t1546.010 -author: Ilyas Ochkov, oscd.community -date: 2019/10/25 -modified: 2019/11/13 -logsource: - product: windows - service: sysmon -detection: - selection: - - EventID: - - 12 # key create - - 13 # value set - TargetObject: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - - EventID: 14 # key rename - NewName: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - condition: selection -fields: - - EventID - - Image - - TargetObject - - NewName -falsepositives: - - Unkown -level: medium diff --git a/rules/windows/sysmon/sysmon_notepad_network_connection.yml b/rules/windows/sysmon/sysmon_notepad_network_connection.yml deleted file mode 100644 index 039d397e..00000000 --- a/rules/windows/sysmon/sysmon_notepad_network_connection.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: Notepad Making Network Connection -id: e81528db-fc02-45e8-8e98-4e84aba1f10b -status: experimental -description: Detects suspicious network connection by Notepad -references: - - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf - - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ -tags: - - attack.command_and_control - - attack.execution -author: EagleEye Team -logsource: - product: windows - service: sysmon -date: 2020/05/14 -detection: - selection: - EventID: 3 - Image: '*\notepad.exe' - filter: - DestinationPort: '9100' - condition: selection and not filter -falsepositives: - - None observed so far -level: high diff --git a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml deleted file mode 100644 index 89ab5297..00000000 --- a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -title: Possible Privilege Escalation via Service Permissions Weakness -id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981 -description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level -references: - - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ -tags: - - attack.privilege_escalation - - attack.t1058 - - attack.t1574.011 -status: experimental -author: Teymur Kheirkhabarov -date: 2019/10/26 -modified: 2019/11/11 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 13 - IntegrityLevel: 'Medium' - TargetObject|contains: '\services\' - TargetObject|endswith: - - '\ImagePath' - - '\FailureCommand' - - '\Parameters\ServiceDll' - condition: selection -falsepositives: - - Unknown -level: high -enrichment: - - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x - - EN_0003_enrich_other_sysmon_events_with_event_id_1_data # http://bit.ly/2ojW7fw diff --git a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml deleted file mode 100644 index 9d93c4c0..00000000 --- a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: PowerShell Execution -id: 867613fb-fa60-4497-a017-a82df74a172c -description: Detects execution of PowerShell -status: experimental -date: 2019/09/12 -modified: 2019/11/10 -author: Roberto Rodriguez @Cyb3rWard0g -references: - - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml -logsource: - product: windows - service: sysmon -tags: - - attack.execution - - attack.t1086 - - attack.t1059.001 -detection: - selection: - EventID: 7 - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' - condition: selection -fields: - - ComputerName - - Image - - ProcessID - - ImageLoaded -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml deleted file mode 100644 index 60028363..00000000 --- a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -title: Malicious PowerShell Commandlet Names -id: f331aa1f-8c53-4fc3-b083-cc159bc971cb -status: experimental -description: Detects the creation of known powershell scripts for exploitation -references: - - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml -tags: - - attack.execution - - attack.t1086 - - attack.t1059.001 -author: Markus Neis -date: 2018/04/07 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 11 - TargetFilename: - - '*\Invoke-DllInjection.ps1' - - '*\Invoke-WmiCommand.ps1' - - '*\Get-GPPPassword.ps1' - - '*\Get-Keystrokes.ps1' - - '*\Get-VaultCredential.ps1' - - '*\Invoke-CredentialInjection.ps1' - - '*\Invoke-Mimikatz.ps1' - - '*\Invoke-NinjaCopy.ps1' - - '*\Invoke-TokenManipulation.ps1' - - '*\Out-Minidump.ps1' - - '*\VolumeShadowCopyTools.ps1' - - '*\Invoke-ReflectivePEInjection.ps1' - - '*\Get-TimedScreenshot.ps1' - - '*\Invoke-UserHunter.ps1' - - '*\Find-GPOLocation.ps1' - - '*\Invoke-ACLScanner.ps1' - - '*\Invoke-DowngradeAccount.ps1' - - '*\Get-ServiceUnquoted.ps1' - - '*\Get-ServiceFilePermission.ps1' - - '*\Get-ServicePermission.ps1' - - '*\Invoke-ServiceAbuse.ps1' - - '*\Install-ServiceBinary.ps1' - - '*\Get-RegAutoLogon.ps1' - - '*\Get-VulnAutoRun.ps1' - - '*\Get-VulnSchTask.ps1' - - '*\Get-UnattendedInstallFile.ps1' - - '*\Get-WebConfig.ps1' - - '*\Get-ApplicationHost.ps1' - - '*\Get-RegAlwaysInstallElevated.ps1' - - '*\Get-Unconstrained.ps1' - - '*\Add-RegBackdoor.ps1' - - '*\Add-ScrnSaveBackdoor.ps1' - - '*\Gupt-Backdoor.ps1' - - '*\Invoke-ADSBackdoor.ps1' - - '*\Enabled-DuplicateToken.ps1' - - '*\Invoke-PsUaCme.ps1' - - '*\Remove-Update.ps1' - - '*\Check-VM.ps1' - - '*\Get-LSASecret.ps1' - - '*\Get-PassHashes.ps1' - - '*\Show-TargetScreen.ps1' - - '*\Port-Scan.ps1' - - '*\Invoke-PoshRatHttp.ps1' - - '*\Invoke-PowerShellTCP.ps1' - - '*\Invoke-PowerShellWMI.ps1' - - 
'*\Add-Exfiltration.ps1' - - '*\Add-Persistence.ps1' - - '*\Do-Exfiltration.ps1' - - '*\Start-CaptureServer.ps1' - - '*\Invoke-ShellCode.ps1' - - '*\Get-ChromeDump.ps1' - - '*\Get-ClipboardContents.ps1' - - '*\Get-FoxDump.ps1' - - '*\Get-IndexedItem.ps1' - - '*\Get-Screenshot.ps1' - - '*\Invoke-Inveigh.ps1' - - '*\Invoke-NetRipper.ps1' - - '*\Invoke-EgressCheck.ps1' - - '*\Invoke-PostExfil.ps1' - - '*\Invoke-PSInject.ps1' - - '*\Invoke-RunAs.ps1' - - '*\MailRaider.ps1' - - '*\New-HoneyHash.ps1' - - '*\Set-MacAttribute.ps1' - - '*\Invoke-DCSync.ps1' - - '*\Invoke-PowerDump.ps1' - - '*\Exploit-Jboss.ps1' - - '*\Invoke-ThunderStruck.ps1' - - '*\Invoke-VoiceTroll.ps1' - - '*\Set-Wallpaper.ps1' - - '*\Invoke-InveighRelay.ps1' - - '*\Invoke-PsExec.ps1' - - '*\Invoke-SSHCommand.ps1' - - '*\Get-SecurityPackages.ps1' - - '*\Install-SSP.ps1' - - '*\Invoke-BackdoorLNK.ps1' - - '*\PowerBreach.ps1' - - '*\Get-SiteListPassword.ps1' - - '*\Get-System.ps1' - - '*\Invoke-BypassUAC.ps1' - - '*\Invoke-Tater.ps1' - - '*\Invoke-WScriptBypassUAC.ps1' - - '*\PowerUp.ps1' - - '*\PowerView.ps1' - - '*\Get-RickAstley.ps1' - - '*\Find-Fruit.ps1' - - '*\HTTP-Login.ps1' - - '*\Find-TrustedDocuments.ps1' - - '*\Invoke-Paranoia.ps1' - - '*\Invoke-WinEnum.ps1' - - '*\Invoke-ARPScan.ps1' - - '*\Invoke-PortScan.ps1' - - '*\Invoke-ReverseDNSLookup.ps1' - - '*\Invoke-SMBScanner.ps1' - - '*\Invoke-Mimikittenz.ps1' - condition: selection -falsepositives: - - Penetration Tests -level: high - diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml deleted file mode 100644 index 0dd64587..00000000 --- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -title: PowerShell Network Connections -id: 1f21ec3f-810d-4b0e-8045-322202e22b4b -status: experimental -description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') -author: Florian Roth -date: 2017/03/13 -references: - - https://www.youtube.com/watch?v=DLtJTxMWZ2o -tags: - - attack.execution - - attack.t1086 - - attack.t1059.001 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 3 - Image: '*\powershell.exe' - Initiated: 'true' - filter: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' - - '127.0.0.1' - DestinationIsIpv6: 'false' - User: 'NT AUTHORITY\SYSTEM' - condition: selection and not filter -falsepositives: - - Administrative scripts -level: low diff --git a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml b/rules/windows/sysmon/sysmon_quarkspw_filedump.yml deleted file mode 100644 index 135b66b9..00000000 --- a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: QuarksPwDump Dump File -id: 847def9e-924d-4e90-b7c4-5f581395a2b4 -status: experimental -description: Detects a dump file written by QuarksPwDump password dumper -references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm -author: Florian Roth -date: 2018/02/10 -tags: - - attack.credential_access - - attack.t1003 - - attack.t1003.002 -level: critical -logsource: - product: windows - service: sysmon -detection: - selection: - # Sysmon: File Creation (ID 11) - EventID: 11 - TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*' - condition: selection -falsepositives: - - Unknown - 
diff --git a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml deleted file mode 100644 index 5e6c02ee..00000000 --- a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: RDP Registry Modification -id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 -description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections. -status: experimental -date: 2019/09/12 -modified: 2019/11/10 -author: Roberto Rodriguez @Cyb3rWard0g -references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md -tags: - - attack.defense_evasion - - attack.t1112 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 13 - TargetObject|endswith: - - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' - - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' - Details: 'DWORD (0x00000000)' - condition: selection -fields: - - ComputerName - - Image - - EventType - - TargetObject -falsepositives: - - Unknown -level: high diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml deleted file mode 100644 index f7979bd6..00000000 --- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: RDP Over Reverse SSH Tunnel -id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4 -status: experimental -description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 -references: - - https://twitter.com/SBousseaden/status/1096148422984384514 -author: Samir Bousseaden -date: 2019/02/16 -tags: - - attack.defense_evasion - - attack.command_and_control - - attack.t1076 - - car.2013-07-002 - - attack.t1021 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 3 - Image: '*\svchost.exe' - Initiated: 'true' - SourcePort: 3389 - DestinationIp: - - '127.*' - - '::1' - condition: selection -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml b/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml deleted file mode 100644 index 4d8f534c..00000000 --- a/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: RDP Sensitive Settings Changed -id: 171b67e1-74b4-460e-8d55-b331f3e32d67 -description: Detects changes to RDP terminal service sensitive settings -references: - - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html -date: 2019/04/03 -author: Samir Bousseaden -logsource: - product: windows - service: sysmon -detection: - selection_reg: - EventID: 13 - TargetObject: - - '*\services\TermService\Parameters\ServiceDll*' - - '*\Control\Terminal Server\fSingleSessionPerUser*' - - '*\Control\Terminal Server\fDenyTSConnections*' - condition: selection_reg -tags: - - attack.defense_evasion -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml deleted file mode 100644 index e4087c05..00000000 --- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: Windows Registry Persistence COM Key Linking -id: 9b0f8a61-91b2-464f-aceb-0527e0a45020 -status: experimental -description: Detects COM object hijacking via TreatAs subkey -references: - - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ -author: Kutepov Anton, oscd.community -date: 2019/10/23 -modified: 2019/11/07 -tags: - - attack.persistence - - attack.t1122 - - attack.t1546.015 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 12 - EventType: 'CreateKey' # don't want DeleteKey events - TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs' - condition: selection -falsepositives: - - Maybe some system utilities in rare cases use linking keys for backward compability -level: medium diff --git a/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml b/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml deleted file mode 100644 index 5d6a6e8e..00000000 --- a/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: Windows Registry Persistence COM Search Order Hijacking -id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 -status: experimental -description: Detects potential COM object hijacking leveraging the COM Search Order -references: - - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ -author: Maxime Thiebaut (@0xThiebaut) -date: 2020/04/14 -tags: - - attack.persistence - - attack.t1038 - - attack.t1574.001 -logsource: - product: windows - service: sysmon -detection: - selection: # Detect new COM servers in the user hive - EventID: 13 - TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)' - filter: - Details: # Exclude privileged directories and observed FPs - - '%%systemroot%%\system32\\*' - - '%%systemroot%%\SysWow64\\*' - - '*\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll' - - '*\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll' - - '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll' - condition: selection and not filter -falsepositives: - - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level -level: medium diff --git a/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml b/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml deleted file mode 100644 index 22b7bc79..00000000 --- a/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: Windows Registry Trust Record Modification -id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 -status: experimental -description: Alerts on trust record modification within the registry, indicating usage of macros -references: - - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ - - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html -author: Antonlovesdnb -date: 2020/02/19 -modified: 2020/02/19 -tags: - - attack.initial_access - - attack.t1193 - - attack.t1566.001 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 12 - TargetObject|contains: 'TrustRecords' - condition: selection -falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate -level: medium diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml deleted file mode 100644 index b0695d7a..00000000 --- a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: Remote PowerShell Session -id: c539afac-c12a-46ed-b1bd-5a5567c9f045 -description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account -status: experimental -date: 2019/09/12 -author: Roberto Rodriguez @Cyb3rWard0g -references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md -tags: - - attack.execution - - attack.t1086 - - attack.t1059.001 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 3 - DestinationPort: - - 5985 - - 5986 - filter: - User: 'NT AUTHORITY\NETWORK SERVICE' - condition: selection and not filter -falsepositives: - - Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring. -level: high 
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml deleted file mode 100644 index c7f6e7b9..00000000 --- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml +++ /dev/null @@ -1,46 +0,0 @@ -title: Rundll32 Internet Connection -id: cdc8da7d-c303-42f8-b08c-b4ab47230263 -status: experimental -description: Detects a rundll32 that communicates with public IP addresses -references: - - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100 -author: Florian Roth -date: 2017/11/04 -tags: - - attack.t1085 - - attack.defense_evasion - - attack.execution - - attack.t1218 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 3 - Image: '*\rundll32.exe' - Initiated: 'true' - filter: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' - - '127.*' - condition: selection and not filter -falsepositives: - - Communication to other corporate systems that use IP addresses from public address spaces -level: medium diff --git a/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml b/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml deleted file mode 100644 index b98841db..00000000 --- a/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: Security Support Provider (SSP) Added to LSA Configuration -id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc -status: experimental -description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. -references: - - https://attack.mitre.org/techniques/T1101/ - - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ -tags: - - attack.persistence - - attack.t1011 -author: iwillkeepwatch -date: 2019/01/18 -logsource: - product: windows - service: sysmon -detection: - selection_registry: - EventID: 13 - TargetObject: - - 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages' - - 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages' - exclusion_images: - - Image: C:\Windows\system32\msiexec.exe - - Image: C:\Windows\syswow64\MsiExec.exe - condition: selection_registry and not exclusion_images -falsepositives: - - Unlikely -level: critical diff --git a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml deleted file mode 100644 index 23ac4ef0..00000000 --- a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml +++ /dev/null 
@@ -1,50 +0,0 @@
-action: global
-title: Sticky Key Like Backdoor Usage
-id: baca5663-583c-45f9-b5dc-ea96a22ce542
-description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
-    screen
-references:
-    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
-tags:
-    - attack.privilege_escalation
-    - attack.persistence
-    - attack.t1015
-    - car.2014-11-003
-    - car.2014-11-008
-author: Florian Roth, @twjackomo
-date: 2018/03/15
-detection:
-    condition: 1 of them
-falsepositives:
-    - Unlikely
-level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection_registry:
-        EventID: 13
-        TargetObject:
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
-        EventType: 'SetValue'
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_process:
-        ParentImage:
-            - '*\winlogon.exe'
-        CommandLine:
-            - '*cmd.exe sethc.exe *'
-            - '*cmd.exe utilman.exe *'
-            - '*cmd.exe osk.exe *'
-            - '*cmd.exe Magnify.exe *'
-            - '*cmd.exe Narrator.exe *'
-            - '*cmd.exe DisplaySwitch.exe *'
diff --git a/rules/windows/sysmon/sysmon_susp_adsi_cache_usage.yml b/rules/windows/sysmon/sysmon_susp_adsi_cache_usage.yml
deleted file mode 100644
index e91cd537..00000000
--- a/rules/windows/sysmon/sysmon_susp_adsi_cache_usage.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Suspicious ADSI-Cache Usage By Unknown Tool
-id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
-description: detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
-status: experimental
-date: 2019/03/24
-author: xknow @xknow_infosec
-references:
-    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
-    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
-    - https://github.com/fox-it/LDAPFragger
-tags:
-    - attack.t1041
-    - attack.persistence
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection_1:
-        EventID: 11
-        TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
-    selection_2:
-        Image|contains:
-            - 'C:\windows\system32\svchost.exe'
-            - 'C:\windows\system32\dllhost.exe'
-            - 'C:\windows\system32\mmc.exe'
-            - 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
-    condition: selection_1 and not selection_2
-falsepositives:
-    - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_desktop_ini.yml b/rules/windows/sysmon/sysmon_susp_desktop_ini.yml
deleted file mode 100644
index ec1df92c..00000000
--- a/rules/windows/sysmon/sysmon_susp_desktop_ini.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Suspicious desktop.ini Action
-id: 81315b50-6b60-4d8f-9928-3466e1022515
-status: experimental
-description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-references:
-    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
-author: Maxime Thiebaut (@0xThiebaut)
-date: 2020/03/19
-tags:
-    - attack.persistence
-    - attack.t1023
-    - attack.t1547.009
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    filter:
-        Image:
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\System32\msiexec.exe'
-            - 'C:\Windows\System32\mmc.exe'
-    selection:
-        EventID: 11
-        TargetFilename|endswith: '\desktop.ini'
-    condition: selection and not filter
-falsepositives:
-    - Operations performed through Windows SCCM or equivalent
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_download_run_key.yml b/rules/windows/sysmon/sysmon_susp_download_run_key.yml
deleted file mode 100644
index 14f5d5ca..00000000
--- a/rules/windows/sysmon/sysmon_susp_download_run_key.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Suspicious RUN Key from Download
-id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
-status: experimental
-description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
-references:
-    - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
-author: Florian Roth
-date: 2019/10/01
-tags:
-    - attack.persistence
-    - attack.t1060
-    - attack.t1547.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 13
-        Image:
-            - '*\Downloads\\*'
-            - '*\Temporary Internet Files\Content.Outlook\\*'
-            - '*\Local Settings\Temporary Internet Files\\*'
-        TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
-    condition: selection
-falsepositives:
-    - Software installers downloaded and used by users
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml
deleted file mode 100644
index c353d7e9..00000000
--- a/rules/windows/sysmon/sysmon_susp_driver_load.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Suspicious Driver Load from Temp
-id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
-description: Detects a driver load from a temporary directory
-author: Florian Roth
-date: 2017/02/12
-tags:
-    - attack.persistence
-    - attack.t1050
-    - attack.t1543.003
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 6
-        ImageLoaded: '*\Temp\\*'
-    condition: selection
-falsepositives:
-    - there is a relevant set of false positives depending on applications in the environment
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_image_load.yml b/rules/windows/sysmon/sysmon_susp_image_load.yml
deleted file mode 100644
index 11a696b0..00000000
--- a/rules/windows/sysmon/sysmon_susp_image_load.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Possible Process Hollowing Image Loading
-id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
-status: experimental
-description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
-references:
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
-author: Markus Neis
-date: 2018/01/07
-tags:
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1574.002
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\notepad.exe'
-        ImageLoaded:
-            - '*\samlib.dll'
-            - '*\WinSCard.dll'
-    condition: selection
-falsepositives:
-    - Very likely, needs more tuning
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
deleted file mode 100644
index f3d5acd9..00000000
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: dotNET DLL Loaded Via Office Applications
-id: ff0f2b05-09db-4095-b96d-1b75ca24894a
-status: experimental
-description: Detects any assembly DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-    - attack.t1566.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - 'C:\Windows\assembly\\*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
deleted file mode 100644
index e76e29d5..00000000
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: CLR DLL Loaded Via Office Applications
-id: d13c43f0-f66b-4279-8b2c-5912077c1780
-status: experimental
-description: Detects CLR DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-    - attack.t1566.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\clr.dll*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
deleted file mode 100644
index 670a5552..00000000
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: GAC DLL Loaded Via Office Applications
-id: 90217a70-13fc-48e4-b3db-0d836c5824ac
-status: experimental
-description: Detects any GAC DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-    - attack.t1566.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml
deleted file mode 100644
index 24afa4ca..00000000
--- a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Active Directory Parsing DLL Loaded Via Office Applications
-id: a2a3b925-7bb0-433b-b508-db9003263cc4
-status: experimental
-description: Detects DSParse DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-    - attack.t1566.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\dsparse.dll*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
deleted file mode 100644
index d55fe994..00000000
--- a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Active Directory Kerberos DLL Loaded Via Office Applications
-id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
-status: experimental
-description: Detects Kerberos DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-    - attack.t1566.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\kerberos.dll'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
deleted file mode 100644
index 25ee0df7..00000000
--- a/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Suspicious PROCEXP152.sys File Created In TMP
-id: 3da70954-0f2c-4103-adff-b7440368f50e
-description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
-status: experimental
-date: 2019/04/08
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
-references:
-    - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
-tags:
-    - attack.t1089
-    - attack.defense_evasion
-    - attack.t1562.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection_1:
-        EventID: 11
-        TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
-    selection_2:
-        Image|contains:
-            - '*\procexp64.exe'
-            - '*\procexp.exe'
-            - '*\procmon64.exe'
-            - '*\procmon.exe'
-    condition: selection_1 and not selection_2
-falsepositives:
-    - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
deleted file mode 100644
index c80ca7cb..00000000
--- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Suspicious Program Location with Network Connections
-id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
-status: experimental
-description: Detects programs with network connections running in suspicious files system locations
-references:
-    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-author: Florian Roth
-date: 2017/03/19
-logsource:
-    product: windows
-    service: sysmon
-    definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
-detection:
-    selection:
-        EventID: 3
-        Image:
-            # - '*\ProgramData\\*'  # too many false positives, e.g. with Webex for Windows
-            - '*\$Recycle.bin'
-            - '*\Users\All Users\\*'
-            - '*\Users\Default\\*'
-            - '*\Users\Public\\*'
-            - '*\Users\Contacts\\*'
-            - '*\Users\Searches\\*'
-            - 'C:\Perflogs\\*'
-            - '*\config\systemprofile\\*'
-            - '*\Windows\Fonts\\*'
-            - '*\Windows\IME\\*'
-            - '*\Windows\addins\\*'
-    condition: selection
-falsepositives:
-    - unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_rdp.yml b/rules/windows/sysmon/sysmon_susp_rdp.yml
deleted file mode 100644
index 327b8446..00000000
--- a/rules/windows/sysmon/sysmon_susp_rdp.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Suspicious Outbound RDP Connections
-id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
-status: experimental
-description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
-references:
-    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
-author: Markus Neis - Swisscom
-date: 2019/05/15
-tags:
-    - attack.lateral_movement
-    - attack.t1210
-    - car.2013-07-002
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 3
-        DestinationPort: 3389
-        Initiated: 'true'
-    filter:
-        Image:
-            - '*\mstsc.exe'
-            - '*\RTSApp.exe'
-            - '*\RTS2App.exe'
-            - '*\RDCMan.exe'
-            - '*\ws_TunnelService.exe'
-            - '*\RSSensor.exe'
-            - '*\RemoteDesktopManagerFree.exe'
-            - '*\RemoteDesktopManager.exe'
-            - '*\RemoteDesktopManager64.exe'
-            - '*\mRemoteNG.exe'
-            - '*\mRemote.exe'
-            - '*\Terminals.exe'
-            - '*\spiceworks-finder.exe'
-            - '*\FSDiscovery.exe'
-            - '*\FSAssessment.exe'
-            - '*\MobaRTE.exe'
-            - '*\chrome.exe'
-            - '*\thor.exe'
-            - '*\thor64.exe'
-    condition: selection and not filter
-falsepositives:
-    - Other Remote Desktop RDP tools
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml
deleted file mode 100644
index 0dc20e16..00000000
--- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Registry Persistence via Explorer Run Key
-id: b7916c2a-fa2f-4795-9477-32b731f70f11
-status: experimental
-description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-author: Florian Roth
-date: 2018/07/18
-references:
-    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 13
-        TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
-        Details:
-            - 'C:\Windows\Temp\\*'
-            - 'C:\ProgramData\\*'
-            - '*\AppData\\*'
-            - 'C:\$Recycle.bin\\*'
-            - 'C:\Temp\\*'
-            - 'C:\Users\Public\\*'
-            - 'C:\Users\Default\\*'
-    condition: selection
-tags:
-    - attack.persistence
-    - attack.t1060
-    - capec.270
-    - attack.t1547.001
-fields:
-    - Image
-    - ParentImage
-falsepositives:
-    - Unknown
-level: high
-
diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
deleted file mode 100644
index 7798f552..00000000
--- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: New RUN Key Pointing to Suspicious Folder
-id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
-status: experimental
-description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
-references:
-    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
-author: Florian Roth, Markus Neis, Sander Wiebing
-tags:
-    - attack.persistence
-    - attack.t1060
-    - attack.t1547.001
-date: 2018/08/25
-modified: 2020/05/24
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 13
-        TargetObject:
-            - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
-            - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
-        Details:
-            - '*C:\Windows\Temp\\*'
-            - '*C:\$Recycle.bin\\*'
-            - '*C:\Temp\\*'
-            - '*C:\Users\Public\\*'
-            - '%Public%\\*'
-            - '*C:\Users\Default\\*'
-            - '*C:\Users\Desktop\\*'
-            - 'wscript*'
-            - 'cscript*'
-    condition: selection
-fields:
-    - Image
-falsepositives:
-    - Software using weird folders for updates
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_service_installed.yml b/rules/windows/sysmon/sysmon_susp_service_installed.yml
deleted file mode 100644
index c15a8c94..00000000
--- a/rules/windows/sysmon/sysmon_susp_service_installed.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Suspicious Service Installed
-id: f2485272-a156-4773-82d7-1d178bc4905b
-description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
-status: experimental
-date: 2019/04/08
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
-references:
-    - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
-tags:
-    - attack.t1089
-    - attack.defense_evasion
-    - attack.t1562.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection_1:
-        EventID: 13
-        TargetObject:
-            - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
-            - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
-    selection_2:
-        Image|contains:
-            - '*\procexp64.exe'
-            - '*\procexp.exe'
-            - '*\procmon64.exe'
-            - '*\procmon.exe'
-    selection_3:
-        Details|contains:
-            - '*\WINDOWS\system32\Drivers\PROCEXP152.SYS'
-    condition: selection_1 and not selection_2 and not selection_3
-falsepositives:
-    - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
deleted file mode 100644
index 1006e845..00000000
--- a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: VBA DLL Loaded Via Microsoft Word
-id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
-status: experimental
-description: Detects DLL's Loaded Via Word Containing VBA Macros
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-    - attack.t1566.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\VBE7.DLL'
-            - '*\VBEUI.DLL'
-            - '*\VBE7INTL.DLL'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml b/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
deleted file mode 100644
index 38914687..00000000
--- a/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
-id: a457f232-7df9-491d-898f-b5aabd2cbe2f
-status: experimental
-description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-    - https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
-    - https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
-author: Michael R. (@nahamike01)
-date: 2019/12/26
-tags:
-    - attack.execution
-    - attack.t1047
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\wmiutils.dll'
-            - '*\wbemcomn.dll'
-            - '*\wbemprox.dll'
-            - '*\wbemdisp.dll'
-            - '*\wbemsvc.dll'
-    condition: selection
-falsepositives:
-    - Possible. Requires further testing.
-level: high
diff --git a/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
deleted file mode 100644
index 09cb9dfb..00000000
--- a/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-title: Load of dbghelp/dbgcore DLL from Suspicious Process
-id: 0e277796-5f23-4e49-a490-483131d4f6e1
-status: experimental
-description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
-date: 2019/10/27
-modified: 2020/05/23
-author: Perez Diego (@darkquassar), oscd.community, Ecco
-references:
-    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
-    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    signedprocess:
-        EventID: 7
-        ImageLoaded|endswith:
-            - '\dbghelp.dll'
-            - '\dbgcore.dll'
-        Image|endswith:
-            - '\msbuild.exe'
-            - '\cmd.exe'
-            - '\svchost.exe'
-            - '\rundll32.exe'
-            - '\powershell.exe'
-            - '\word.exe'
-            - '\excel.exe'
-            - '\powerpnt.exe'
-            - '\outlook.exe'
-            - '\monitoringhost.exe'
-            - '\wmic.exe'
-            # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
-            - '\bash.exe'
-            - '\wscript.exe'
-            - '\cscript.exe'
-            - '\mshta.exe'
-            - '\regsvr32.exe'
-            - '\schtasks.exe'
-            - '\dnx.exe'
-            - '\regsvcs.exe'
-            - '\sc.exe'
-            - '\scriptrunner.exe'
-    unsignedprocess:
-        EventID: 7
-        ImageLoaded|endswith:
-            - '\dbghelp.dll'
-            - '\dbgcore.dll'
-        Signed: "FALSE"
-    filter:
-        Image|contains: 'Visual Studio'
-    condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
-fields:
-    - ComputerName
-    - User
-    - Image
-    - ImageLoaded
-falsepositives:
-    - Penetration tests
-level: high
diff --git a/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
deleted file mode 100644
index 0016d157..00000000
--- a/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Suspicious Keyboard Layout Load
-id: 34aa0252-6039-40ff-951f-939fd6ce47d8
-description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
-    maintained by US staff only
-references:
-    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
-    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
-author: Florian Roth
-date: 2019/10/12
-modified: 2019/10/15
-logsource:
-    product: windows
-    service: sysmon
-    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
-detection:
-    selection_registry:
-        EventID: 13
-        TargetObject:
-            - '*\Keyboard Layout\Preload\\*'
-            - '*\Keyboard Layout\Substitutes\\*'
-        Details|contains:
-            - 00000429  # Persian (Iran)
-            - 00050429  # Persian (Iran)
-            - 0000042a  # Vietnamese
-    condition: selection_registry
-falsepositives:
-    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
-level: medium
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
deleted file mode 100644
index 3b1fd52b..00000000
--- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Suspicious Outbound Kerberos Connection
-id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
-status: experimental
-description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-references:
-    - https://github.com/GhostPack/Rubeus8
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
-modified: 2019/11/13
-tags:
-    - attack.lateral_movement
-    - attack.t1208
-    - attack.t1558.003
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 3
-        DestinationPort: 88
-        Initiated: 'true'
-    filter:
-        Image|endswith:
-            - '\lsass.exe'
-            - '\opera.exe'
-            - '\chrome.exe'
-            - '\firefox.exe'
-    condition: selection and not filter
-falsepositives:
-    - Other browsers
-level: high
diff --git a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
deleted file mode 100644
index 1773855c..00000000
--- a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Svchost DLL Search Order Hijack
-id: 602a1f13-c640-4d73-b053-be9a2fa58b77
-status: experimental
-description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
-references:
-    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
-author: SBousseaden
-date: 2019/10/28
-tags:
-    - attack.persistence
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1038
-    - attack.t1112
-    - attack.t1574.002
-    - attack.t1574.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\svchost.exe'
-        ImageLoaded:
-            - '*\tsmsisrv.dll'
-            - '*\tsvipsrv.dll'
-            - '*\wlbsctrl.dll'
-    filter:
-        ImageLoaded:
-            - 'C:\Windows\WinSxS\\*'
-    condition: selection and not filter
-falsepositives:
-    - Pentest
-level: high
diff --git a/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml b/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
deleted file mode 100644
index 9b601372..00000000
--- a/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-action: global
-title: Usage of Sysinternals Tools
-id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
-status: experimental
-description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
-references:
-    - https://twitter.com/Moti_B/status/1008587936735035392
-date: 2017/08/28
-author: Markus Neis
-detection:
-    condition: 1 of them
-falsepositives:
-    - Legitimate use of SysInternals tools
-    - Programs that use the same Registry Key
-level: low
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 13
-        TargetObject: '*\EulaAccepted'
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection2:
-        CommandLine: '* -accepteula*'
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml b/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
deleted file mode 100644
index efb359ac..00000000
--- a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: Hijack Legit RDP Session to Move Laterally
-id: 52753ea4-b3a0-4365-910d-36cff487b789
-status: experimental
-description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
-date: 2019/02/21
-author: Samir Bousseaden
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 11
-        Image: '*\mstsc.exe'
-        TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
-    condition: selection
-falsepositives:
-    - unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
deleted file mode 100644
index ded431bf..00000000
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: UAC Bypass via Event Viewer
-id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
-status: experimental
-description: Detects UAC bypass method using Windows event viewer
-references:
-    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
-author: Florian Roth
-date: 2017/03/19
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    methregistry:
-        EventID: 13
-        TargetObject: 'HKU\\*\mscfile\shell\open\command'
-    methprocess:
-        EventID: 1  # Migration to process_creation requires multipart YAML
-        ParentImage: '*\eventvwr.exe'
-    filterprocess:
-        Image: '*\mmc.exe'
-    condition: methregistry or ( methprocess and not filterprocess )
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1088
-    - car.2019-04-001
-    - attack.t1548.002
-falsepositives:
-    - unknown
-level: critical
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
deleted file mode 100644
index 2e8f8c36..00000000
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: UAC Bypass via Sdclt
-id: 5b872a46-3b90-45c1-8419-f675db8053aa
-status: experimental
-description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
-references:
-    - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
-author: Omer Yampel
-date: 2017/03/17
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 13
-        # usrclass.dat is mounted on HKU\USERSID_Classes\...
-        TargetObject: 'HKU\\*_Classes\exefile\shell\runas\command\isolatedCommand'
-    condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1088
-    - car.2019-04-001
-    - attack.t1548.002
-falsepositives:
-    - unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
deleted file mode 100644
index cba4a5e0..00000000
--- a/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Unsigned Image Loaded Into LSASS Process
-id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
-description: Loading unsigned image (DLL, EXE) into LSASS process
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2019/11/13
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image|endswith: '\lsass.exe'
-        Signed: 'false'
-    condition: selection
-falsepositives:
-    - Valid user connecting using RDP
-status: experimental
-level: medium
diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
deleted file mode 100644
index 64a99889..00000000
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Windows Webshell Creation
-id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
-status: experimental
-description: Possible webshell file creation on a static web site
-references:
-    - PT ESC rule and personal experience
-author: Beyu Denis, oscd.community
-date: 2019/10/22
-modified: 2020/05/18
-tags:
-    - attack.persistence
-    - attack.t1100
-    - attack.t1505.003
-level: critical
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection_1:
-        EventID: 11
-    selection_2:
-        TargetFilename|contains: '\inetpub\wwwroot\'
-    selection_3:
-        TargetFilename|contains:
-            - '.asp'
-            - '.ashx'
-            - '.ph'
-    selection_4:
-        TargetFilename|contains:
-            - '\www\'
-            - '\htdocs\'
-            - '\html\'
-    selection_5:
-        TargetFilename|contains: '.ph'
-    selection_6:
-        - TargetFilename|endswith: '.jsp'
-        - TargetFilename|contains|all:
-            - '\cgi-bin\'
-            - '.pl'
-    false_positives: # false positives when unpacking some executables in $TEMP
-        TargetFilename|contains:
-            - '\AppData\Local\Temp\'
-            - '\Windows\Temp\'
-    # kind of ugly but sigmac seems not to handle double parenthesis "(("
-    # we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
-    condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
-falsepositives:
-    - Legitimate administrator or developer creating legitimate executable files in a web application folder
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
deleted file mode 100644
index 0f6cd497..00000000
--- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Microsoft Binary Github Communication
-id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
-status: experimental
-description: Detects an executable in the Windows folder accessing github.com
-references:
-    - https://twitter.com/M_haggis/status/900741347035889665
-    - https://twitter.com/M_haggis/status/1032799638213066752
-author: Michael Haag (idea), Florian Roth (rule)
-date: 2017/08/24
-tags:
-    - attack.lateral_movement
-    - attack.t1105
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 3
-        Initiated: 'true'
-        DestinationHostname:
-            - '*.github.com'
-            - '*.githubusercontent.com'
-        Image: 'C:\Windows\\*'
-    condition: selection
-falsepositives:
-    - 'Unknown'
-    - '@subTee in your network'
-level: high
diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
deleted file mode 100644
index 3bcf4704..00000000
--- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Microsoft Binary Suspicious Communication Endpoint
-id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
-status: experimental
-description: Detects an executable in the Windows folder accessing suspicious domains
-references:
-    - https://twitter.com/M_haggis/status/900741347035889665
-    - https://twitter.com/M_haggis/status/1032799638213066752
-author: Florian Roth
-date: 2018/08/30
-tags:
-    - attack.lateral_movement
-    - attack.t1105
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 3
-        Initiated: 'true'
-        DestinationHostname:
-            - '*dl.dropboxusercontent.com'
-            - '*.pastebin.com'
-            - '*.githubusercontent.com' # includes both gists and github repositories
-        Image: 'C:\Windows\\*'
-    condition: selection
-falsepositives:
-    - 'Unknown'
-level: high
-
diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml
deleted file mode 100644
index a2d5512c..00000000
--- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Registry Persistence Mechanisms
-id: 36803969-5421-41ec-b92f-8500f79c23b0
-description: Detects persistence registry keys
-references:
-    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
-date: 2018/04/11
-author: Karneades
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection_reg1:
-        EventID: 13
-        TargetObject:
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
-            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
-        EventType: SetValue
-    condition: selection_reg1
-tags:
-    - attack.privilege_escalation
-    - attack.persistence
-    - attack.defense_evasion
-    - attack.t1183
-    - car.2013-01-002
-    - attack.t1546.012
-falsepositives:
-    - unknown
-level: critical
diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml
deleted file mode 100644
index bee87eee..00000000
--- a/rules/windows/sysmon/sysmon_wmi_module_load.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: WMI Modules Loaded
-id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
-description: Detects non wmiprvse loading WMI modules
-status: experimental
-date: 2019/08/10
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
-tags:
-    - attack.execution
-    - attack.t1047
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        ImageLoaded|endswith:
-            - '\wmiclnt.dll'
-            - '\WmiApRpl.dll'
-            - '\wmiprov.dll'
-            - '\wmiutils.dll'
-            - '\wbemcomn.dll'
-            - '\wbemprox.dll'
-            - '\WMINet_Utils.dll'
-            - '\wbemsvc.dll'
-            - '\fastprox.dll'
-    filter:
-        Image|endswith:
-            - '\WmiPrvSe.exe'
-            - '\WmiAPsrv.exe'
-            - '\svchost.exe'
-            - '\DeviceCensus.exe'
-            - '\CompatTelRunner.exe'
-            - '\sdiagnhost.exe'
-            - '\SIHClient.exe'
-            - '\msfeedssync.exe'
-            - '\mmc.exe'
-            - '\MoUsoCoreWorker.exe' # in system32, seen on a win10 pro 2004 machine
-    condition: selection and not filter
-fields:
-    - ComputerName
-    - User
-    - Image
-    - ImageLoaded
-falsepositives:
-    - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
deleted file mode 100644
index 52672a95..00000000
--- a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: WMI Persistence - Command Line Event Consumer
-id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
-status: experimental
-description: Detects WMI command line event consumers
-references:
-    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Thomas Patzke
-date: 2018/03/07
-tags:
-    - attack.t1084
-    - attack.persistence
-    - attack.t1546.003
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
-        ImageLoaded|endswith: '\wbemcons.dll'
-    condition: selection
-falsepositives:
-    - Unknown (data set is too small; further testing needed)
-level: high
diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
deleted file mode 100644
index 7095ec85..00000000
--- a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: WMI Persistence - Script Event Consumer File Write
-id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
-status: experimental
-description: Detects file writes of WMI script event consumer
-references:
-    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Thomas Patzke
-date: 2018/03/07
-tags:
-    - attack.t1084
-    - attack.persistence
-    - attack.t1546.003
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 11
-        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
-    condition: selection
-falsepositives:
-    - Unknown (data set is too small; further testing needed)
-level: high
From 9c0f9f398f69c98ea49fd1f7e9ad93ab6ae4ef23 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Jul 2020 10:58:39 +0200
Subject: [PATCH 2/2] refactor: sysmon rule cleanup > generlization
---
 .../file_event/sysmon_office_persistence.yml | 30 +++++++++++++++++
 .../image_load/sysmon_susp_fax_dll.yml | 33 +++++++++++++++++++
 .../sysmon_regsvr32_network_activity.yml | 7 ++--
 .../sysmon_apt_muddywater_dnstunnel.yml | 0
 .../process_creation/sysmon_hack_wce.yml | 27 +++++++++++++++
 ...n_scripts_userinitmprlogonscript_proc.yml} | 32 ++++--------------
 .../sysmon_cve-2020-1048.yml | 7 ++--
 .../sysmon_etw_disabled.yml | 3 +-
 .../registry_event/sysmon_hack_wce.yml | 21 ++----------
 ...gon_scripts_userinitmprlogonscript_reg.yml | 25 ++++++++++++++
 .../sysmon_reg_office_security.yml | 19 +++++------
 .../sysmon_susp_lsass_dll_load.yml | 6 ++--
 .../sysmon_susp_mic_cam_access.yml | 3 +-
 .../sysmon/sysmon_office_persistence.yml | 32 ------------------
 rules/windows/sysmon/sysmon_susp_fax_dll.yml | 33 -------------------
 tools/config/generic/sysmon.yml | 4 ++-
 16 files changed, 144 insertions(+), 138 deletions(-)
 create mode 100644 rules/windows/file_event/sysmon_office_persistence.yml
 create mode 100644 rules/windows/image_load/sysmon_susp_fax_dll.yml
 rename rules/windows/{sysmon => network_connection}/sysmon_regsvr32_network_activity.yml (90%)
 rename rules/windows/{sysmon => process_creation}/sysmon_apt_muddywater_dnstunnel.yml (100%)
 create mode 100644 rules/windows/process_creation/sysmon_hack_wce.yml
 rename rules/windows/{sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml => process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml} (62%)
 rename rules/windows/{sysmon => registry_event}/sysmon_cve-2020-1048.yml (90%)
 rename rules/windows/{sysmon => registry_event}/sysmon_etw_disabled.yml (96%)
 create mode 100644 rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
 rename rules/windows/{sysmon => registry_event}/sysmon_reg_office_security.yml (79%)
 rename rules/windows/{sysmon => registry_event}/sysmon_susp_lsass_dll_load.yml (90%)
 rename rules/windows/{sysmon => registry_event}/sysmon_susp_mic_cam_access.yml (95%)
 delete mode 100644 rules/windows/sysmon/sysmon_office_persistence.yml
 delete mode 100644 rules/windows/sysmon/sysmon_susp_fax_dll.yml
diff --git a/rules/windows/file_event/sysmon_office_persistence.yml b/rules/windows/file_event/sysmon_office_persistence.yml
new file mode 100644
index 00000000..d8ced8d0
--- /dev/null
+++ b/rules/windows/file_event/sysmon_office_persistence.yml
@@ -0,0 +1,30 @@
+title: Microsoft Office Add-In Loading
+id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
+status: experimental
+description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
+references:
+    - Internal Research
+tags:
+    - attack.persistence
+    - attack.t1137
+author: NVISO
+date: 2020/05/11
+logsource:
+    category: file_event
+    product: windows
+detection:
+    wlldropped:
+        TargetFilename|contains: \Microsoft\Word\Startup\
+        TargetFilename|endswith: .wll
+    xlldropped:
+        TargetFilename|contains: \Microsoft\Excel\Startup\
+        TargetFilename|endswith: .xll
+    generic:
+        TargetFilename|contains: \Microsoft\Addins\
+        TargetFilename|endswith:
+            - .xlam
+            - .xla
+    condition: (wlldropped or xlldropped or generic)
+falsepositives:
+    - Legitimate add-ins
+level: high
diff --git a/rules/windows/image_load/sysmon_susp_fax_dll.yml b/rules/windows/image_load/sysmon_susp_fax_dll.yml
new file mode 100644
index 00000000..0b1f247d
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_fax_dll.yml
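Review bot: The relocated `rules/windows/file_event/sysmon_office_persistence.yml` carries no `modified` field although its logsource and detection logic change in this patch, while every other rule moved here gets `modified: 2020/07/01`; add `modified: 2020/07/01` after `date: 2020/05/11`. With the former `selection` term gone, the parentheses in the condition are redundant: `condition: wlldropped or xlldropped or generic`.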
@@ -0,0 +1,33 @@
+title: Fax Service DLL Search Order Hijack
+id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
+status: experimental
+description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
+references:
+    - https://windows-internals.com/faxing-your-way-to-system/
+author: NVISO
+date: 2020/05/04
+modified: 2020/07/01
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1073
+    - attack.t1038
+    - attack.t1112
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - fxssvc.exe
+        ImageLoaded|endswith:
+            - ualapi.dll
+    filter:
+        ImageLoaded|startswith:
+            - C:\Windows\WinSxS\
+    condition: selection and not filter
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
similarity index 90%
rename from rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
rename to rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
index 71c7903c..127a7172 100644
--- a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@@ -13,15 +13,12 @@ tags:
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
-modified: 2019/11/10
+modified: 2020/07/01
 logsource:
+    category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID:
-            - 3
-            - 22
         Image|endswith: '\regsvr32.exe'
     condition: selection
 fields:
diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
rename to rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
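Review bot: `Image|endswith: - fxssvc.exe` and `ImageLoaded|endswith: - ualapi.dll` in the new `image_load/sysmon_susp_fax_dll.yml` carry no leading path separator, unlike `'\regsvr32.exe'` in the next hunk and `'\services.exe'` elsewhere in this patch, so any image whose name merely ends in those strings (a constructed example: `notfxssvc.exe`) also matches. Use `- '\fxssvc.exe'` and `- '\ualapi.dll'`; the single-element lists could equally be plain scalars. The `filter` on `C:\Windows\WinSxS\` is carried over unexplained — a one-line comment stating why that path is excluded would help the next maintainer.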
diff --git a/rules/windows/process_creation/sysmon_hack_wce.yml b/rules/windows/process_creation/sysmon_hack_wce.yml
new file mode 100644
index 00000000..1c8a2234
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_hack_wce.yml
@@ -0,0 +1,27 @@
+title: Windows Credential Editor
+id: 7aa7009a-28b9-4344-8c1f-159489a390df
+description: Detects the use of Windows Credential Editor (WCE)
+author: Florian Roth
+references:
+    - https://www.ampliasecurity.com/research/windows-credentials-editor/
+date: 2019/12/31
+modified: 2020/07/01
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Imphash:
+            - a53a02b997935fd8eedcb5f7abab9b9f
+            - e96a73c7bf33a464c510ede582318bf2
+    selection2:
+        CommandLine|endswith: '.exe -S'
+        ParentImage|endswith: '\services.exe'
+    condition: 1 of them
+falsepositives:
+    - 'Another service that uses a single -s command line switch'
+level: critical
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
similarity index 62%
rename from rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
rename to rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index e2577373..f1ec0c66 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -1,4 +1,3 @@
-action: global
 title: Logon Scripts (UserInitMprLogonScript)
 id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
 status: experimental
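Review bot: `id: 7aa7009a-28b9-4344-8c1f-159489a390df` in the new `process_creation/sysmon_hack_wce.yml` is the same id that `registry_event/sysmon_hack_wce.yml` keeps in its hunk further down, and the split logon-script rule likewise reuses `0a98a10c-685d-4ab0-bddc-b6bdd1d48458` in both the `_proc.yml` rename here and the new `_reg.yml`. Sigma rule ids are meant to be unique per rule, so tooling that indexes, deduplicates or suppresses on `id` will silently collapse each pair into one rule. Give one file of each pair a fresh UUID and, if this repository already uses the `related` attribute, point it back at the original id so the lineage stays visible. The same remark applies to the `registry_event/sysmon_hack_wce.yml` and `_reg.yml` hunks below; it is not repeated there.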
@@ -12,11 +11,7 @@ tags:
     - attack.lateral_movement
 author: Tom Ueltschi (@c_APT_ure)
 date: 2019/01/12
-falsepositives:
-    - exclude legitimate logon scripts
-    - penetration tests, red teaming
-level: high
----
+modified: 2020/07/01
 logsource:
     category: process_creation
     product: windows
@@ -29,25 +24,10 @@ detection:
             CommandLine|contains:
                 - 'netlogon.bat'
                 - 'UsrLogon.cmd'
-    condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
     create_keywords_cli:
         CommandLine: '*UserInitMprLogonScript*'
-    condition: create_keywords_cli
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    create_selection_reg:
-        EventID:
-            - 12
-            - 13
-            - 14
-    create_keywords_reg:
-        TargetObject: '*UserInitMprLogonScript*'
-    condition: create_selection_reg and create_keywords_reg
+    condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
+falsepositives:
+    - exclude legitimate logon scripts
+    - penetration tests, red teaming
+level: high
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_cve-2020-1048.yml b/rules/windows/registry_event/sysmon_cve-2020-1048.yml
similarity index 90%
rename from rules/windows/sysmon/sysmon_cve-2020-1048.yml
rename to rules/windows/registry_event/sysmon_cve-2020-1048.yml
index 9c671ad3..59f79bc3 100644
--- a/rules/windows/sysmon/sysmon_cve-2020-1048.yml
+++ b/rules/windows/registry_event/sysmon_cve-2020-1048.yml
@@ -11,13 +11,10 @@ tags:
     - attack.persistence
     - attack.execution
 logsource:
-    service: sysmon
     product: windows
+    category: registry_event
 detection:
-    selection:
-        EventID:
-            - 12
-            - 13
+    selection:
         TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
         EventType:
             - SetValue
diff --git a/rules/windows/sysmon/sysmon_etw_disabled.yml b/rules/windows/registry_event/sysmon_etw_disabled.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_etw_disabled.yml
rename to rules/windows/registry_event/sysmon_etw_disabled.yml
index 66d27435..03e3bbd4 100644
--- a/rules/windows/sysmon/sysmon_etw_disabled.yml
+++ b/rules/windows/registry_event/sysmon_etw_disabled.yml
@@ -19,10 +19,9 @@ tags:
     - attack.t1112
 logsource:
     product: windows
-    service: sysmon
+    category: registry_event
 detection:
     selection:
-        EventID: 13
         TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
         Details: 'DWORD (0x00000000)'
     condition: selection
diff --git a/rules/windows/registry_event/sysmon_hack_wce.yml b/rules/windows/registry_event/sysmon_hack_wce.yml
index 92483bee..d6c1e456 100755
--- a/rules/windows/registry_event/sysmon_hack_wce.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce.yml
@@ -1,4 +1,3 @@
-action: global
 title: Windows Credential Editor
 id: 7aa7009a-28b9-4344-8c1f-159489a390df
 description: Detects the use of Windows Credential Editor (WCE)
@@ -10,23 +9,6 @@ tags:
     - attack.credential_access
     - attack.t1003
     - attack.s0005
-falsepositives:
-    - 'Another service that uses a single -s command line switch'
-level: critical
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Imphash:
-            - a53a02b997935fd8eedcb5f7abab9b9f
-            - e96a73c7bf33a464c510ede582318bf2
-    selection2:
-        CommandLine|endswith: '.exe -S'
-        ParentImage|endswith: '\services.exe'
-    condition: 1 of them
----
 logsource:
     category: registry_event
     product: windows
@@ -34,3 +16,6 @@ detection:
     selection:
         TargetObject|contains: Services\WCESERVICE\Start
     condition: selection
+falsepositives:
+    - 'Another service that uses a single -s command line switch'
+level: critical
\ No newline at end of file
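Review bot: The `falsepositives` entry re-added at the end of `registry_event/sysmon_hack_wce.yml`, `'Another service that uses a single -s command line switch'`, describes the `CommandLine|endswith: '.exe -S'` selection that this patch moves out to `process_creation/sysmon_hack_wce.yml`; the only logic left in this file is `TargetObject|contains: Services\WCESERVICE\Start`, to which a `-s` switch is irrelevant. Replace it with a statement about the service registry key, or `- Unknown` if none is known, so the note matches the rule it sits in. The `level: critical` line is fine to keep as is.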
diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
new file mode 100644
index 00000000..96b5912e
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
@@ -0,0 +1,25 @@
+title: Logon Scripts (UserInitMprLogonScript)
+id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
+status: experimental
+description: Detects creation or execution of UserInitMprLogonScript persistence method
+references:
+    - https://attack.mitre.org/techniques/T1037/
+tags:
+    - attack.t1037
+    - attack.t1037.001
+    - attack.persistence
+    - attack.lateral_movement
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+modified: 2020/07/01
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    create_keywords_reg:
+        TargetObject: '*UserInitMprLogonScript*'
+    condition: create_keywords_reg
+falsepositives:
+    - exclude legitimate logon scripts
+    - penetration tests, red teaming
+level: high
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml
similarity index 79%
rename from rules/windows/sysmon/sysmon_reg_office_security.yml
rename to rules/windows/registry_event/sysmon_reg_office_security.yml
index 31fa9e19..8e538be8 100644
--- a/rules/windows/sysmon/sysmon_reg_office_security.yml
+++ b/rules/windows/registry_event/sysmon_reg_office_security.yml
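Review bot: `description: Detects creation or execution of UserInitMprLogonScript persistence method` no longer fits the new `_reg.yml`, which matches only registry writes to `*UserInitMprLogonScript*`; execution is now covered by the `_proc.yml` counterpart in the earlier hunk. Narrow it to what this file does, e.g. `description: Detects creation or modification of the UserInitMprLogonScript registry value used for logon-script persistence`. For consistency with the `|contains` modifiers the `_proc.yml` rule uses, `TargetObject|contains: 'UserInitMprLogonScript'` reads cleaner than the bare-wildcard form.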
@@ -4,27 +4,26 @@ status: experimental
 description: Detects registry changes to Office macro settings
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
+modified: 2020/07/01
 references:
+    - Internal Research
 tags:
     - attack.defense_evasion
     - attack.t1112
-falsepositives:
-    - Valid Macros and/or internal documents
-level: high
 logsource:
-    service: sysmon
-    product: windows
+    category: registry_event
+    product: windows
 detection:
     sec_settings:
-        EventID:
-            - 12
-            - 13
-        TargetObject|endswith:
+        TargetObject|endswith:
             - '*\Security\Trusted Documents\TrustRecords'
             - '*\Security\AccessVBOM'
             - '*\Security\VBAWarnings'
-        EventType:
+        EventType:
             - SetValue
             - DeleteValue
             - CreateValue
     condition: sec_settings
+falsepositives:
+    - Valid Macros and/or internal documents
+level: high
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
similarity index 90%
rename from rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
rename to rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
index 44a1020d..b9358ced 100644
--- a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
@@ -4,17 +4,15 @@ status: experimental
 description: Detects a method to load DLL via LSASS process using an undocumented Registry key
 author: Florian Roth
 date: 2019/10/16
+modified: 2020/07/01
 references:
     - https://blog.xpnsec.com/exploring-mimikatz-part-1/
     - https://twitter.com/SBousseaden/status/1183745981189427200
 logsource:
+    category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID:
-            - 12
-            - 13
         TargetObject:
             - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
             - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
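Review bot: The `TargetObject|endswith:` values in `registry_event/sysmon_reg_office_security.yml` keep a leading `*` (`'*\Security\AccessVBOM'` and the two neighbours) although the `endswith` modifier already anchors only the suffix; drop the `*` so the pattern is not read as a wildcard-inside-modifier mix, e.g. `- '\Security\AccessVBOM'`. `CreateValue` under `EventType` is worth checking against the registry EventType values Sysmon actually emits (to my knowledge `CreateKey`, `DeleteKey`, `SetValue`, `DeleteValue`, `RenameKey`); an unmatched value is silently dead rather than an error. These lines are context rather than new code, so the issue predates the patch, but the rule is being reshaped here anyway.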
diff --git a/rules/windows/sysmon/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_susp_mic_cam_access.yml
rename to rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
index ad3c2937..66d0e60a 100644
--- a/rules/windows/sysmon/sysmon_susp_mic_cam_access.yml
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
@@ -10,11 +10,10 @@ tags:
     - attack.t1125
     - attack.t1123
 logsource:
-    category: sysmon
+    category: registry_event
     product: windows
 detection:
     selection_1:
-        EventId: 13
         TargetObject|contains:
             - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
     selection_2:
diff --git a/rules/windows/sysmon/sysmon_office_persistence.yml b/rules/windows/sysmon/sysmon_office_persistence.yml
deleted file mode 100644
index 813929a0..00000000
--- a/rules/windows/sysmon/sysmon_office_persistence.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Microsoft Office Add-In Loading
-id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
-status: experimental
-description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
-references:
-    - Internal research
-tags:
-    - attack.persistence
-    - attack.t1137
-author: NVISO
-date: 2020/05/11
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 11 #FileCreate
-    wlldropped:
-        TargetFilename|contains: \Microsoft\Word\Startup\
-        TargetFilename|endswith: .wll
-    xlldropped:
-        TargetFilename|contains: \Microsoft\Excel\Startup\
-        TargetFilename|endswith: .xll
-    generic:
-        TargetFilename|contains: \Microsoft\Addins\
-        TargetFilename|endswith:
-            - .xlam
-            - .xla
-    condition: selection and (wlldropped or xlldropped or generic)
-falsepositives:
-    - Legitimate add-ins
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_fax_dll.yml b/rules/windows/sysmon/sysmon_susp_fax_dll.yml
deleted file mode 100644
index 14b91c1a..00000000
--- a/rules/windows/sysmon/sysmon_susp_fax_dll.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Fax Service DLL Search Order Hijack
-id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
-status: experimental
-description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-references:
-    - https://windows-internals.com/faxing-your-way-to-system/
-author: NVISO
-date: 2020/05/04
-tags:
-    - attack.persistence
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1038
-    - attack.t1112
-    - attack.t1574.001
-    - attack.t1574.002
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7 #ImageLoaded
-        Image|endswith:
-            - fxssvc.exe
-        ImageLoaded|endswith:
-            - ualapi.dll
-    filter:
-        ImageLoaded|startswith:
-            - C:\Windows\WinSxS\
-    condition: selection and not filter
-falsepositives:
-    - Unlikely
-level: high
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index 0d97f379..963731c9 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -13,7 +13,9 @@ logsources:
     category: network_connection
     product: windows
     conditions:
-      EventID: 3
+      EventID:
+        - 3
+        - 22
     rewrite:
       product: windows
       service: sysmon
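Review bot: Adding `- 22` to the generic `network_connection` mapping in `tools/config/generic/sysmon.yml` widens every rule in that category, not only `sysmon_regsvr32_network_activity.yml`, which is the one rule this patch makes depend on it by removing its own `EventID: [3, 22]` list. Sysmon's DNS query event carries a different field set from the network connection event, so any `network_connection` rule selecting on connection-specific fields (the `DestinationHostname`/`Initiated` style used by the `sysmon_win_binary_*` rules deleted in patch 1) would be expanded against events that can never match those fields; whether such rules exist in the category today is not visible from this diff. Either keep the mapping at `EventID: 3` and express the DNS part of the regsvr32 rule separately, or at least record the reason in the config: `# EventID 22 (DNS query) included so that sysmon_regsvr32_network_activity keeps matching DNS lookups`.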