diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml new file mode 100644 index 00000000..e92ac057 --- /dev/null +++ b/rules/windows/builtin/win_alert_lsass_access.yml @@ -0,0 +1,23 @@ +title: LSASS Access Detected via Attack Surface Reduction +description: Detects Access to LSASS Process +status: experimental +references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter +author: Markus Neis +date: 2018/08/26 +tags: + - attack.credential_access + - attack.t1003 +# Defender Attack Surface Reduction +logsource: + product: windows_defender + description: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' +detection: + selection: + EventID: 1121 + Path: '*\lsass.exe' + condition: selection +falsepositives: + - Google Chrome GoogleUpdate.exe + - Some Taskmgr.exe related activity +level: high diff --git a/rules/windows/sysmon/sysmon_lethalhta.yml b/rules/windows/sysmon/sysmon_lethalhta.yml new file mode 100644 index 00000000..5669721a --- /dev/null +++ b/rules/windows/sysmon/sysmon_lethalhta.yml @@ -0,0 +1,19 @@ +title: MSHTA spwaned by SVCHOST as seen in LethalHTA +status: experimental +description: Detects MSHTA.EXE spwaned by SVCHOST described in report +references: + - https://codewhitesec.blogspot.com/2018/07/lethalhta.html +author: Markus Neis +date: 2018/06/07 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + ParentImage: '*\svchost.exe' + Image: '*\mshta.exe' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml b/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml new file mode 100644 index 00000000..9803e1b0 --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml @@ -0,0 +1,24 @@ +title: Powershell AMSI Bypass via .NET Reflection +status: experimental +description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning +references: + - https://twitter.com/mattifestation/status/735261176745988096 + - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 +author: Markus Neis +date: 2018/08/17 +logsource: + product: windows + service: sysmon +detection: + selection1: + EventID: 1 + CommandLine: + - '*System.Management.Automation.AmsiUtils*' + selection2: + CommandLine: + - '*amsiInitFailed*' + condition: selection1 and selection2 + falsepositives: + - Potential Admin Activity +level: high + diff --git a/rules/windows/sysmon/sysmon_powershell_dll_execution.yml b/rules/windows/sysmon/sysmon_powershell_dll_execution.yml new file mode 100644 index 00000000..940c75a4 --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_dll_execution.yml @@ -0,0 +1,31 @@ +title: Detection of PowerShell Execution via DLL +status: experimental +description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll +references: + - https://github.com/p3nt4/PowerShdll/blob/master/README.md +tags: + - attack.execution + - attack.t1086 +author: Markus Neis +date: 2018/08/25 +logsource: + product: windows + service: sysmon +detection: + selection1: + EventID: 1 + Image: + - '*\rundll32.exe' + selection2: + EventID: 1 + Description: + - '*Windows-Hostprozess (Rundll32)*' + selection3: + EventID: 1 + CommandLine: + - '*Default.GetString*' + - '*FromBase64String*' + condition: (selection1 or selection2) and selection3 +falsepositives: + - Unknown +level: high