From 47bd41f0125a82972319d51d04cf6c88da46ed02 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 18 Jan 2021 05:55:12 -0500 Subject: [PATCH 001/127] revert commented line --- tools/sigma/backends/elasticsearch.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index a0c80dae..6c4a9537 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -216,7 +216,7 @@ class ElasticsearchWildcardHandlingMixin(object): """ if value and not value == 'null' and not re.match(r'^/.*/$', value) and (re.search('[a-zA-Z]', value) and not re.match(self.uuid_regex, value) or self.containsWildcard(value)): # re.search for alpha is fastest: # Turn single ending '\\' into non escaped (ie: '\\*') - #value = re.sub( r"((?\\*", value ) + value = re.sub( r"((?\\*", value ) # Make upper/lower value = re.sub( r"[A-Za-z]", lambda x: "[" + x.group( 0 ).upper() + x.group( 0 ).lower() + "]", value ) # Turn `.` into wildcard, only if odd number of '\'(because this would mean already escaped) From caf65869285accb34807cb598850bf58f16a8f7b Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 18 Jan 2021 06:49:57 -0500 Subject: [PATCH 002/127] Add logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match Signed-off-by: Nate Guagenti --- tools/sigma/backends/elasticsearch.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 6c4a9537..1c8ab23b 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
@@ -269,8 +269,11 @@ class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildca if make_ci.get('is_regex'): # Determine if still should be a regex result = "/%s/" % result # Regex place holders for regex return result - else: - return "\"%s\"" % result + else: # If analyzed field contains wildcard then do NOT quote otherwise things such as '*' get treated as an exact match + if self.containsWildcard(result): + return result + else: + return "\"%s\"" % result def generateNOTNode(self, node): expression = super().generateNode(node.item) From 36656c3facb2f149cb5ed30e5a06cf27c49d81cf Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Mon, 18 Jan 2021 07:01:50 -0500 Subject: [PATCH 003/127] Add to ElasticsearchDSLBackend the logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match Signed-off-by: Nate Guagenti --- tools/sigma/backends/elasticsearch.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 1c8ab23b..a5b6f3f2 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -421,8 +421,12 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast queryType = 'wildcard' value_cleaned = self.escapeSlashes(self.cleanValue(str(v))) else: - queryType = 'match_phrase' - value_cleaned = self.cleanValue(str(v)) + if self.containsWildcard(str(v)): + queryType = 'wildcard' + value_cleaned = self.escapeSlashes(self.cleanValue(str(v))) + else: + queryType = 'match_phrase' + value_cleaned = self.cleanValue(str(v)) res['bool']['should'].append({queryType: {key_mapped: value_cleaned}}) return res elif value is None: 
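Review bot: The new `else:` branch nests a second `if`/`else` whose `else` only repeats the original return, which reads more clearly as a flat chain: `elif self.containsWildcard(result): return result` followed by the existing `else: return "\"%s\"" % result`. Dropping the quotes around a wildcard value also removes the protection quoting gave to whitespace inside it, so a value such as `foo bar*` would presumably be split by query_string into separate terms unless the escaping done earlier in the method already covers spaces — worth confirming, since that earlier code is outside the hunk. The enclosing method starts before the hunk.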
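Review bot: The five added lines in the `else:` branch are a copy of the `wildcard` branch directly above them, and the same block is repeated in the `@@ -442` hunk that follows. Because the new test only re-checks the value for a wildcard, it most likely belongs in the preceding `if` condition (which starts above the hunk, so I cannot see what it tests), e.g. `if <existing condition> or self.containsWildcard(str(v)):`, which removes the nested branch entirely; otherwise a small helper returning `(queryType, value_cleaned)` for a value would keep both call sites from drifting apart. The enclosing method begins outside the hunk.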
@@ -442,8 +446,12 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast queryType = 'wildcard' value_cleaned = self.escapeSlashes(self.cleanValue(str(value))) else: - queryType = 'match_phrase' - value_cleaned = self.cleanValue(str(value)) + if self.containsWildcard(str(value)): + queryType = 'wildcard' + value_cleaned = self.escapeSlashes(self.cleanValue(str(value))) + else: + queryType = 'match_phrase' + value_cleaned = self.cleanValue(str(value)) return {queryType: {key_mapped: value_cleaned}} elif isinstance(value, SigmaRegularExpressionModifier): key_mapped = self.fieldNameMapping(key, value) From f9997ace537eb1d51f83c37431fc2368ccb1afb2 Mon Sep 17 00:00:00 2001 From: matsto Date: Thu, 15 Jul 2021 16:58:09 +0200 Subject: [PATCH 004/127] Fixed transformation modifier for keywords --- rules/windows/builtin/win_susp_msmpeng_crash.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index 15b527e7..6e240550 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml @@ -23,7 +23,7 @@ detection: Source: 'Windows Error Reporting' EventID: 1001 keywords: - Message|contains: + Message|contains|all: - 'MsMpEng.exe' - 'mpengine.dll' condition: 1 of selection* and keywords From 93be8471ecb45978d98ba621f1a80c27ca686068 Mon Sep 17 00:00:00 2001 From: Joshua Roys Date: Tue, 24 Aug 2021 15:58:21 -0400 Subject: [PATCH 005/127] Fix tactics/techniques in ALA backend --- tools/sigma/backends/ala.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py index c053004e..73683157 100644 --- a/tools/sigma/backends/ala.py +++ b/tools/sigma/backends/ala.py 
@@ -361,6 +361,8 @@ class AzureAPIBackend(AzureLogAnalyticsBackend): for technique in self.techniques: if key_id == technique.get("technique_id", ""): yield technique + if "." in key_id and key_id.split(".")[0] == technique.get("technique_id", ""): + yield technique def _load_mitre_file(self, mitre_type): try: @@ -383,7 +385,10 @@ class AzureAPIBackend(AzureLogAnalyticsBackend): local_storage_techniques = {item["technique_id"]: item for item in self.find_technique(src_technics)} for key_id in src_technics: - src_tactic = local_storage_techniques.get(key_id, {}).get("tactic") + if "." in key_id: + src_tactic = local_storage_techniques.get(key_id.split(".")[0], {}).get("tactic") + else: + src_tactic = local_storage_techniques.get(key_id, {}).get("tactic") if not src_tactic: continue src_tactic = set(src_tactic) From 829117ca7fb92923730bec711e9f4a1cd965fd98 Mon Sep 17 00:00:00 2001 From: Joshua Roys Date: Tue, 24 Aug 2021 16:00:08 -0400 Subject: [PATCH 006/127] Allow ints as values in ALA backend Without this, LogonType set as an int caused sigmac to abort the rule. --- tools/sigma/backends/ala.py | 2 ++ tools/sigma/backends/mixins.py | 2 ++ 2 files changed, 4 insertions(+) diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py index 73683157..cc281039 100644 --- a/tools/sigma/backends/ala.py +++ b/tools/sigma/backends/ala.py @@ -106,6 +106,8 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend): return parse_arg def default_value_mapping(self, val): + if isinstance(val, int): + return "== %d" % (val) op = "==" if isinstance(val, str): if "*" in val[1:-1]: # value contains * inside string - use regex match diff --git a/tools/sigma/backends/mixins.py b/tools/sigma/backends/mixins.py index a835be99..ecdddca7 100644 --- a/tools/sigma/backends/mixins.py +++ b/tools/sigma/backends/mixins.py 
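Review bot: In the `@@ -383` hunk the new `if "." in key_id:` / `else:` pair differs only in whether the id is truncated at the dot, which `str.partition` expresses in one line: `src_tactic = local_storage_techniques.get(key_id.partition(".")[0], {}).get("tactic")` — `partition` returns the whole string when no `.` is present, so behaviour is identical. The added check in `find_technique` (`@@ -361` hunk) is fine as written, but a one-line comment such as `# a sub-technique id (Txxxx.yyy) also resolves to its parent technique` would explain why a parent entry is yielded for a sub-technique id. Both enclosing methods start before their hunks.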
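Review bot: `isinstance(val, int)` in `default_value_mapping` is also true for `bool` (bool subclasses int), so a YAML `true`/`false` value would be emitted as `== 1`/`== 0`, while the companion early-return added to `cleanValue` in mixins.py (`@@ -27` hunk on the next line) uses `type(val) == int` and therefore does not trigger for a bool — the two checks disagree on the same input. If booleans are not meant to be handled here, make both checks `isinstance(val, int) and not isinstance(val, bool)`; otherwise change the mixins check to `isinstance(val, int)` so both paths agree (and drop the `type(val) ==` comparison, which is the non-idiomatic form). Whether bool values actually reach this code depends on the rule parser, which is outside the hunk.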
@@ -27,6 +27,8 @@ class QuoteCharMixin: reClear = None # match characters that are cleaned out completely def cleanValue(self, val): + if type(val) == int: + return val if self.reEscape: val = self.reEscape.sub(self.escapeSubst, val) if self.reClear: From 294bb432d0f2cb9b915247ddea47c8a7d51d2e0a Mon Sep 17 00:00:00 2001 From: Joshua Roys Date: Tue, 24 Aug 2021 16:01:23 -0400 Subject: [PATCH 007/127] Add Azure Sentinel backend The web interface expects ARM templates. --- tools/config/ala.yml | 1 + tools/sigma/backends/ala.py | 97 +++++++++++++++++++++++++++++++++++-- 2 files changed, 95 insertions(+), 3 deletions(-) diff --git a/tools/config/ala.yml b/tools/config/ala.yml index 1f4dd8ff..e9110fc7 100644 --- a/tools/config/ala.yml +++ b/tools/config/ala.yml @@ -3,6 +3,7 @@ order: 20 backends: - ala - ala-rule + - sentinel-rule fieldmappings: ComputerName: Computer Event-ID: EventID diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py index cc281039..ef90618c 100644 --- a/tools/sigma/backends/ala.py +++ b/tools/sigma/backends/ala.py @@ -19,6 +19,8 @@ import re import json import xml.etree.ElementTree as xml +from datetime import timedelta +from uuid import uuid4 from sigma.config.mapping import ( SimpleFieldMapping, MultiFieldMapping, ConditionalFieldMapping 
@@ -423,6 +425,28 @@ class AzureAPIBackend(AzureLogAnalyticsBackend): return tactics, technics + def timeframeToDelta(self, timeframe): + time_unit = timeframe[-1:] + duration = int(timeframe[:-1]) + return ( + time_unit == "s" and timedelta(seconds=duration) or + time_unit == "m" and timedelta(minutes=duration) or + time_unit == "h" and timedelta(hours=duration) or + time_unit == "d" and timedelta(days=duration) or + None + ) + + def iso8601_duration(self, delta): + if not delta: + return "PT0S" + if not delta.seconds: + return "P%dD" % (delta.days) + days = delta.days and "%dD" % (delta.days) or "" + hours = delta.seconds // 3600 % 24 and "%dH" % (delta.seconds // 3600 % 24) or "" + minutes = delta.seconds // 60 % 60 and "%dM" % (delta.seconds // 60 % 60) or "" + seconds = delta.seconds % 60 and "%dS" % (delta.seconds % 60) or "" + return "P%sT%s%s%s" % (days, hours, minutes, seconds) + def create_rule(self, config): tags = config.get("tags", []) @@ -430,17 +454,21 @@ class AzureAPIBackend(AzureLogAnalyticsBackend): tactics, technics = self.skip_tactics_or_techniques(technics, tactics) tactics = list(map(lambda s: s.replace(" ", ""), tactics)) + timeframe = self.timeframeToDelta(config["detection"].setdefault("timeframe", "30m")) + queryDuration = self.iso8601_duration(timeframe) + suppressionDuration = self.iso8601_duration(timeframe * 5) + rule = { "displayName": "{} by {}".format(config.get("title"), config.get('author')), "description": "{} {}".format(config.get("description"), "Technique: {}.".format(",".join(technics))), "severity": self.parse_severity(config.get("level", "medium")), "enabled": True, "query": config.get("translation"), - "queryFrequency": "12H", - "queryPeriod": "12H", + "queryFrequency": queryDuration, + "queryPeriod": queryDuration, "triggerOperator": "GreaterThan", "triggerThreshold": 0, - "suppressionDuration": "12H", + "suppressionDuration": suppressionDuration, "suppressionEnabled": True, "tactics": tactics } 
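Review bot: `timeframeToDelta` relies on the `a and b or c` chain, which returns `None` both for an unknown unit and for any zero-length timeframe such as `0s` (a zero `timedelta` is falsy), and the `@@ -430` hunk then evaluates `timeframe * 5`, which fails with a bare `TypeError` on `None`; a malformed number in `int(timeframe[:-1])` escapes as `ValueError`. A unit table removes the idiom and turns both cases into the `NotSupportedError` the file already raises when no table can be determined, as sketched below. In the same `@@ -430` hunk, `config["detection"].setdefault("timeframe", "30m")` writes the default back into the parsed rule as a side effect; `config["detection"].get("timeframe", "30m")` gives the same value without mutating it. `create_rule` continues outside the hunk.
```python
    def timeframeToDelta(self, timeframe):
        """Convert a Sigma timeframe such as '30m' or '2d' into a timedelta."""
        units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
        unit = timeframe[-1:]
        if unit not in units:
            raise NotSupportedError("Unsupported timeframe unit in '%s'" % timeframe)
        try:
            duration = int(timeframe[:-1])
        except ValueError:
            raise NotSupportedError("Invalid timeframe '%s'" % timeframe)
        return timedelta(**{units[unit]: duration})

    # … unchanged: iso8601_duration …
```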
@@ -455,3 +483,66 @@ class AzureAPIBackend(AzureLogAnalyticsBackend): return rule else: raise NotSupportedError("No table could be determined from Sigma rule") + +class SentinelBackend(AzureAPIBackend): + """Converts Sigma rule into Azure Sentinel scheduled alert rule ARM template.""" + identifier = "sentinel-rule" + active = True + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + + def generate(self, sigmaparser): + translation = super().generate(sigmaparser) + if translation: + configs = sigmaparser.parsedyaml + configs.update({"translation": translation}) + rule = self.create_sentinel_rule(configs) + return json.dumps(rule) + + def create_sentinel_rule(self, config): + # https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/child-resource-name-type#outside-parent-resource + # https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces?tabs=json + # https://docs.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update#scheduledalertrule + properties = json.loads(config.get("translation")) + properties.update({ + "incidentConfiguration": { + "createIncident": True, + "groupingConfiguration": { + "enabled": False, + "reopenClosedIncident": False, + "lookbackDuration": properties['suppressionDuration'], + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [], + }, + }, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert", + }, + "alertDetailsOverride": None, + "customDetails": None, + "templateVersion": "1.0.0", + }) + rule_uuid = config.get("id", str(uuid4())) + return { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String", + }, + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 
'Microsoft.SecurityInsights'),'/alertRules/" + rule_uuid + "')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/" + rule_uuid + "')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "apiVersion": "2021-03-01-preview", + + "kind": "Scheduled", + "properties": properties, + }, + ], + } From 5f271bf33437527faac1e0b0c0fea428e94624d4 Mon Sep 17 00:00:00 2001 From: Nico <44952997+ncrqnt@users.noreply.github.com> Date: Mon, 30 Aug 2021 08:29:07 +0200 Subject: [PATCH 008/127] add author field to elastic rule --- tools/sigma/backends/elasticsearch.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 76620993..b84773d1 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1622,7 +1622,17 @@ class ElasticSearchRuleBackend(object): else: references.append(add_ref_yml) + # add author filed depending on data type in rule file + author = configs.get("author", "") + if isinstance(author, str): + author_list = author.split(', ') + elif isinstance(author, list): + author_list = author + else: + author_list = [] + rule = { + "author": author_list, "description": configs.get("description", ""), "enabled": True, "false_positives": falsepositives, From 00dec96245c7313bcdb9e3a02c5b003db4f36ef9 Mon Sep 17 00:00:00 2001 From: Nico <44952997+ncrqnt@users.noreply.github.com> Date: Mon, 30 Aug 2021 08:45:21 +0200 Subject: [PATCH 009/127] Add support for subtechniques --- tools/sigma/backends/elasticsearch.py | 40 ++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index b84773d1..b4768874 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
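Review bot: `rule_uuid` is concatenated unvalidated into the ARM `id` and `name` expressions in `create_sentinel_rule`; Sigma rule ids are expected to be UUIDs, but a rule whose `id` does not have that shape (or contains a quote) yields a template that only fails at deployment time instead of a clear conversion error. Normalising it with `rule_uuid = str(UUID(str(config.get("id", uuid4()))))` (importing `UUID` next to `uuid4`) rejects a bad id up front and canonicalises its form. The `__init__` that only forwards to `super().__init__` is a no-op and can be dropped, and `generate` silently returns `None` when the parent translation is empty — if that is intended, a comment such as `# an untranslatable rule yields no template` would make it explicit.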
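Review bot: `author.split(', ')` splits only on a comma followed by exactly one space, so `"A,B"` or `"A ,  B"` remains a single author entry; `[a.strip() for a in author.split(",") if a.strip()]` handles the variants and drops empty entries. The comment above it, `# add author filed depending on data type in rule file`, should read `field`. The enclosing method starts before the hunk.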
@@ -1479,6 +1479,10 @@ class ElasticSearchRuleBackend(object): def create_threat_description(self, tactics_list, techniques_list): threat_list = list() + # sort lists for correct handling with subtechniques + tactics_list.sort(key=lambda x: x['external_id'], reverse=False) + techniques_list.sort(key=lambda x: x['technique_id'], reverse=False) + for tactic in tactics_list: temp_tactics = { "tactic": { @@ -1496,6 +1500,23 @@ class ElasticSearchRuleBackend(object): "name": tech.get("technique", ""), "reference": tech.get("url", "") }) + elif re.match('[T][0-9]{4}.[0-9]{3}', tech.get("technique_id", ""), re.IGNORECASE): + # add subtechnique to main technique + technique = tech.get("technique_id", "").split(".")[0] + technique_entry = list(filter(lambda temp_techniques: temp_techniques['id'] == technique, temp_techniques)) + + if technique_entry: + index = temp_techniques.index(technique_entry[0]) + temp_subtechniques = temp_techniques[index].get("subtechnique", []) + temp_subtechniques.append( + { + "id": tech.get("technique_id", ""), + "name": tech.get("technique", ""), + "reference": tech.get("url", "") + } + ) + temp_techniques[index].update({"subtechnique": temp_subtechniques}) + temp_tactics.update({"technique": temp_techniques}) threat_list.append(temp_tactics) return threat_list @@ -1559,8 +1580,20 @@ class ElasticSearchRuleBackend(object): technics_list = list() new_tags = list() + # sort tags so it looks nice :) + tags.sort() + for tag in tags: tag = tag.replace("attack.", "") + # if there's a subtechnique, add main technique to the list if not already there + if re.match("[t][0-9]{4}.[0-9]{3}", tag, re.IGNORECASE): + technique = tag.split('.')[0] + if technique not in tags and technique.title() not in new_tags: + tech = self.find_technique(technique.title()) + if tech: + new_tags.append(technique.title()) + technics_list.append(tech) + if re.match("[t][0-9]{4}", tag, re.IGNORECASE): tech = self.find_technique(tag.title()) if tech: 
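Review bot: `tactics_list.sort(...)` and `techniques_list.sort(...)` reorder the caller's lists in place, and their keys index `x['external_id']` / `x['technique_id']` directly while the rest of the method reads the same entries with `.get(..., "")`, so an entry lacking the key now raises `KeyError` here instead of being tolerated as before. Sorting copies with the same tolerant access keeps the side effect local: `tactics_list = sorted(tactics_list, key=lambda x: x.get('external_id', ''))` and `techniques_list = sorted(techniques_list, key=lambda x: x.get('technique_id', ''))`. `create_threat_description` continues past the hunk.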
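Review bot: The sub-technique patterns `'[T][0-9]{4}.[0-9]{3}'` in the `@@ -1496` hunk and `"[t][0-9]{4}.[0-9]{3}"` in the `@@ -1559` hunk leave the dot unescaped, so any character is accepted between the technique and sub-technique digits, and `"car.\d{4}-\d{2}-\d{3}"` in the `@@ -1582` hunk on the next line is a non-raw string containing `\d`, an invalid escape sequence that current Python versions warn about. Use raw strings with the dot escaped, e.g. `re.match(r"T[0-9]{4}\.[0-9]{3}", tech.get("technique_id", ""), re.IGNORECASE)` and `re.match(r"car\.\d{4}-\d{2}-\d{3}", tag, re.IGNORECASE)`; the one-character classes `[T]`/`[t]` are redundant under `re.IGNORECASE`. The `list(filter(...))` followed by `temp_techniques.index(technique_entry[0])` walks the list twice where `next((i for i, t in enumerate(temp_techniques) if t['id'] == technique), None)` finds the index in one pass. Both enclosing methods extend beyond their hunks.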
@@ -1582,8 +1615,13 @@ class ElasticSearchRuleBackend(object): else: tact = self.find_tactics(key_name=tag.title()) if tact: - new_tags.append(tag.title()) tactics_list.append(tact) + + # capitalize if not a MITRE CAR tag + if re.match("car.\d{4}-\d{2}-\d{3}", tag, re.IGNORECASE): + new_tags.append(tag) + else: + new_tags.append(tag.title()) if self.custom_tag: if ',' in self.custom_tag: From acf59f9795b6d1cfd61170b681777624d5f7205e Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 30 Aug 2021 19:49:44 +0200 Subject: [PATCH 010/127] Fix some errors --- .../powershell_suspicious_keywords.yml | 32 ++++++++++--------- .../powershell/powershell_wmimplant.yml | 2 ++ ...shell_wsman_com_provider_no_powershell.yml | 9 +++--- 3 files changed, 24 insertions(+), 19 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index 35673048..17910236 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml @@ -3,7 +3,7 @@ id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf status: experimental description: Detects keywords that could indicate the use of some PowerShell exploitation framework date: 2019/02/11 -modified: 2021/08/18 +modified: 2021/08/30 author: Florian Roth, Perez Diego (@darkquassar) references: - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462 
@@ -17,21 +17,23 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Script block logging must be enabled for 4104 detection: - keywords: - - "System.Reflection.Assembly.Load($" - - "[System.Reflection.Assembly]::Load($" - - "[Reflection.Assembly]::Load($" - - "System.Reflection.AssemblyName" - - "Reflection.Emit.AssemblyBuilderAccess" - - "Runtime.InteropServices.DllImportAttribute" - - "SuspendThread" - - "rundll32" - # - "FromBase64" - - "Invoke-WMIMethod" - - "http://127.0.0.1" - condition: keywords + framework: + EventID: 4104 + ScriptBlockText|contains: + - "System.Reflection.Assembly.Load($" + - "[System.Reflection.Assembly]::Load($" + - "[Reflection.Assembly]::Load($" + - "System.Reflection.AssemblyName" + - "Reflection.Emit.AssemblyBuilderAccess" + - "Runtime.InteropServices.DllImportAttribute" + - "SuspendThread" + - "rundll32" + # - "FromBase64" + - "Invoke-WMIMethod" + - "http://127.0.0.1" + condition: framework falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml index ec0915ff..9ed475bd 100644 --- a/rules/windows/powershell/powershell_wmimplant.yml +++ b/rules/windows/powershell/powershell_wmimplant.yml @@ -11,12 +11,14 @@ tags: - attack.t1086 #an old one author: NVISO date: 2020/03/26 +modified: 2021/08/30 logsource: product: windows service: powershell definition: Script block logging must be enabled detection: selection: + EventID: 4104 ScriptBlockText|contains: - "WMImplant" - " change_user " diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml index 7b26a54e..d3b87330 100644 --- a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml 
+++ b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml @@ -3,7 +3,7 @@ id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7 description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application. status: experimental date: 2020/06/24 -modified: 2021/05/21 +modified: 2021/08/30 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -16,12 +16,13 @@ references: - https://github.com/bohops/WSMan-WinRM logsource: product: windows - service: powershell + service: powershell-classic + definition: fields have to be extract from event detection: selection: - - 'ProviderName=WSMan' + ProviderName: WSMan filter: - - 'HostApplication=*powershell' + HostApplication|contains: powershell condition: selection and not filter falsepositives: - Unknown From e2bfaea10fcb318a1b7e236e41b6bd5d9c9dab22 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 31 Aug 2021 11:35:54 +0545 Subject: [PATCH 011/127] Added new malwarebytes reference for Cab File Expansion rule --- rules/windows/process_creation/sysmon_expand_cabinet_files.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml index 8b9f3f8b..ca64083b 100644 --- a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml +++ b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml 
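Review bot: The new `definition: fields have to be extract from event` line is ungrammatical and does not say which fields; `definition: ProviderName and HostApplication have to be extracted from the event message` names the two fields the selection and filter rely on. The switch to `service: powershell-classic` together with `ProviderName: WSMan` and `HostApplication|contains: powershell` changes the rule from free-text keyword matching to field matching, so any field mapping for the classic PowerShell log in the backend configs needs to provide those two fields — worth checking, as those configs are outside this diff.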
@@ -3,9 +3,11 @@ status: experimental id: 9f107a84-532c-41af-b005-8d12a607639f author: Bhabesh Raj date: 2021/07/30 +modified: 2021/08/31 description: Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack references: - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll + - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ tags: - attack.execution - attack.t1218 From 89e21c69ef78f9e152537a333555387be36295be Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 31 Aug 2021 09:07:54 +0200 Subject: [PATCH 012/127] fix detection --- rules/windows/powershell/powershell_invoke_nightmare.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml index 64e93f5a..a98b9bba 100644 --- a/rules/windows/powershell/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_invoke_nightmare.yml @@ -1,8 +1,9 @@ title: PrintNightmare Powershell Exploitation id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf -status: experimental +status: test description: Detects Commandlet name for PrintNightmare exploitation. date: 2021/08/09 +modified: 2021/08/31 references: - https://github.com/calebstewart/CVE-2021-1675 author: Max Altgelt, Tobias Michalski @@ -13,7 +14,7 @@ logsource: detection: selection: EventID: 4104 - ScriptBlockText: Invoke-Nightmare + ScriptBlockText|contains: Invoke-Nightmare condition: selection falsepositives: - Unknown From 911c45201a8082a6c08fd6004bf351db723c16f9 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Tue, 31 Aug 2021 13:02:53 +0545 Subject: [PATCH 013/127] Added -F option support --- rules/windows/process_creation/sysmon_expand_cabinet_files.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml index ca64083b..b05acd63 100644 --- a/rules/windows/process_creation/sysmon_expand_cabinet_files.yml +++ b/rules/windows/process_creation/sysmon_expand_cabinet_files.yml @@ -21,6 +21,7 @@ detection: CommandLine|contains: - '.cab' - '/F:' + - '-F:' - 'C:\ProgramData\' #Suspicious paths to curb FPs if any - 'C:\Public\' - '\AppData\Local\Temp\' From abf40ecfbc1155de368083988918a7fb8c7814fe Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 12:50:11 +0200 Subject: [PATCH 014/127] fix: typo in URL --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 730c2ed0..ce92d132 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -573,7 +573,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with non-conform 'title' fields. Please check: https://github.com/SimaHQ/sigma/wiki/Rule-Creation-Guide#title") + "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") def test_invalid_logsource_attributes(self): faulty_rules = [] From 3155f7172db676163f665ccf01f5cea762b9ebe4 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 12:51:16 +0200 Subject: [PATCH 015/127] detection for proxyshell MSF module --- ...hange_proxyshell_remove_mailbox_export.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml diff --git a/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml new file mode 100644 index 00000000..d9c8fcfe --- /dev/null +++ b/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml 
@@ -0,0 +1,23 @@ +title: Remove Exported Mailbox from Exchange Webserver +id: 09570ae5-889e-43ea-aac0-0e1221fb3d95 +status: experimental +description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit +references: + - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430 +author: Christian Burkard +date: 2021/08/27 +logsource: + service: msexchange-management + product: windows +detection: + command: + - 'Remove-MailboxExportRequest' + - ' -Identity ' + - ' -Confirm "False"' + condition: all of command +falsepositives: + - unknown +level: high +tags: + - attack.defense_evasion + - attack.t1070 From 50b8ca51109cd26de16de684319de063e571c40a Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 12:20:39 +0200 Subject: [PATCH 016/127] add more COM interfaces and sharpen rule logic --- .../win_cmstp_com_object_access.yml | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml index 877d398a..f0dc77b3 100644 --- a/rules/windows/process_creation/win_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml @@ -1,7 +1,7 @@ title: CMSTP UAC Bypass via COM Object Access id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253 status: stable -description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects +description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65) tags: - attack.execution - attack.defense_evasion 
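Review bot: The `command` entries are a bare keyword list, so `all of command` is the only thing that would turn the normally OR-joined list into an AND; whether the converter applies `all of` to the items of a single list-valued selection, rather than only across several selections, should be confirmed, because if it does not the rule fires on every Exchange management log line containing `' -Identity '`, which would be extremely noisy. If the AND is not guaranteed, the explicit form is three separate selections (`selection_cmdlet`, `selection_identity`, `selection_confirm`, one keyword each) combined with `condition: all of selection*`, the wildcard form the repository already uses elsewhere in this patch set.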
@@ -12,23 +12,28 @@ tags: - attack.t1191 # an old one - attack.g0069 - car.2019-04-001 -author: Nik Seetharaman +author: Nik Seetharaman, Christian Burkard modified: 2019/07/31 -date: 2019/01/16 +date: 2021/08/31 references: - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ - https://twitter.com/hFireF0X/status/897640081053364225 + - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf + - https://github.com/hfiref0x/UACME logsource: category: process_creation product: windows detection: - selection1: - ParentCommandLine|contains: '\DllHost.exe ' - selection2: - ParentCommandLine|endswith: - - '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - - '{3E000D72-A845-4CD9-BD83-80C07C3B881F}' - condition: selection1 and selection2 + selection: + ParentImage|endswith: '\DllHost.exe' + IntegrityLevel: 'High' + ParentCommandLine|contains: + - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' + - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' + - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' + - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' + condition: selection fields: - CommandLine - ParentCommandLine From ea77d9161ece00e6f9e4fcb316332dd8023c6f6a Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 12:30:03 +0200 Subject: [PATCH 017/127] add another possible sdclt uac bypass registry path --- .../registry_event/sysmon_uac_bypass_sdclt.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml index 5a91724f..f05853b8 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml 
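Review bot: The header edit changes `date` from 2019/01/16 to 2021/08/31 while leaving `modified: 2019/07/31`, so the rule now claims to have been modified two years before it was created; the original `date` should stay and this edit belongs on `modified: 2021/08/31`. The new `IntegrityLevel: 'High'` condition presumably depends on a process_creation source that populates that field (not every Windows process-creation event does), which the `logsource` section does not state — a `definition:` line naming the required source would make the dependency visible to anyone deploying the rule.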
@@ -1,21 +1,25 @@ title: UAC Bypass via Sdclt id: 5b872a46-3b90-45c1-8419-f675db8053aa status: experimental -description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand +description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) references: - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ -author: Omer Yampel + - https://github.com/hfiref0x/UACME +author: Omer Yampel, Christian Burkard date: 2017/03/17 -modified: 2020/09/06 +modified: 2021/08/31 logsource: category: registry_event product: windows detection: - selection: + selection1: # usrclass.dat is mounted on HKU\USERSID_Classes\... TargetObject|startswith: 'HKU\' TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand' - condition: selection + selection2: + TargetObject|endswith: '-1???_Classes\Folder\shell\open\command\SymbolicLinkValue' + Details|contains: '-1???\Software\Classes\' + condition: 1 of selection* tags: - attack.defense_evasion - attack.privilege_escalation From 3a9e10d081f4f005abf68f938a024470888f98c6 Mon Sep 17 00:00:00 2001 
From: phantinuss Date: Tue, 31 Aug 2021 12:45:07 +0200 Subject: [PATCH 018/127] bulk of new rules to match working UACMe UAC bypasses --- .../sysmon_uac_bypass_cleanmgr_tmpfile.yml | 25 ++++++++++++++ .../sysmon_uac_bypass_consent_comctl32.yml | 23 +++++++++++++ .../sysmon_uac_bypass_dotnet_profiler.yml | 23 +++++++++++++ .../file_event/sysmon_uac_bypass_ieinstal.yml | 24 ++++++++++++++ .../sysmon_uac_bypass_msconfig_gui.yml | 23 +++++++++++++ .../sysmon_uac_bypass_ntfs_reparse_point.yml | 23 +++++++++++++ .../file_event/sysmon_uac_bypass_winsat.yml | 25 ++++++++++++++ .../file_event/sysmon_uac_bypass_wmp.yml | 26 +++++++++++++++ .../sysmon_uac_bypass_wow64_logger.yml | 24 ++++++++++++++ .../win_hktl_uacme_uac_bypass.yml | 24 ++++++++++++++ .../win_uac_bypass_changepk_slui.yml | 26 +++++++++++++++ .../win_uac_bypass_cleanmgr.yml | 24 ++++++++++++++ .../win_uac_bypass_consent_comctl32.yml | 24 ++++++++++++++ .../win_uac_bypass_dismhost.yml | 33 +++++++++++++++++++ .../win_uac_bypass_ieinstal.yml | 24 ++++++++++++++ .../win_uac_bypass_msconfig_gui.yml | 24 ++++++++++++++ .../win_uac_bypass_ntfs_reparse_point.yml | 32 ++++++++++++++++++ .../win_uac_bypass_pkgmgr_dism.yml | 24 ++++++++++++++ .../win_uac_bypass_winsat.yml | 24 ++++++++++++++ .../process_creation/win_uac_bypass_wmp.yml | 27 +++++++++++++++ .../win_uac_bypass_wsreset.yml | 25 ++++++++++++++ .../sysmon_uac_bypass_shell_open.yml | 24 ++++++++++++++ .../sysmon_uac_bypass_winsat.yml | 25 ++++++++++++++ .../registry_event/sysmon_uac_bypass_wmp.yml | 23 +++++++++++++ 24 files changed, 599 insertions(+) create mode 100644 rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml create mode 
100644 rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_winsat.yml create mode 100644 rules/windows/file_event/sysmon_uac_bypass_wmp.yml create mode 100644 rules/windows/process_access/sysmon_uac_bypass_wow64_logger.yml create mode 100644 rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_changepk_slui.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_cleanmgr.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_dismhost.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_ieinstal.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_winsat.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_wmp.yml create mode 100644 rules/windows/process_creation/win_uac_bypass_wsreset.yml create mode 100644 rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml create mode 100644 rules/windows/registry_event/sysmon_uac_bypass_winsat.yml create mode 100644 rules/windows/registry_event/sysmon_uac_bypass_wmp.yml diff --git a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml new file mode 100644 index 00000000..fca1e671 --- /dev/null +++ b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml 
@@ -0,0 +1,25 @@ +title: UAC Bypass Using Cleanmgr Temp File Creation +id: 6a8a8a65-15ac-4722-adb7-c93c213c180a +description: Detects the pattern of UAC bypass using cleanmgr.exe to create temporary files (UACMe 63) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: file_event + product: windows +detection: + selection: + Image: 'C:\Windows\system32\cleanmgr.exe' + TargetFilename|startswith: 'C:\Users\' + TargetFilename|contains: '\AppData\Local\Temp\' + TargetFilename|endswith: '.dll' + condition: selection diff --git a/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml new file mode 100644 index 00000000..da6b278e --- /dev/null +++ b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml @@ -0,0 +1,23 @@ +title: UAC Bypass Using Consent and Comctl32 - File +id: 62ed5b55-f991-406a-85d9-e8e8fdf18789 +description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@' + TargetFilename|endswith: '\comctl32.dll' + condition: selection \ No newline at end of file diff --git a/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml new file mode 100644 index 00000000..574a79b9 --- /dev/null +++ b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml 
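Review bot: The selection in sysmon_uac_bypass_cleanmgr_tmpfile.yml flags cleanmgr.exe writing any `.dll` under a user's `\AppData\Local\Temp\`, and if the scheduled SilentCleanup run legitimately extracts DismHost.exe and its DLLs there (the win_uac_bypass_dismhost rule in this same patch appears to rely on exactly that launch chain), the rule fires on every routine disk cleanup rather than on the hijack. The hijack-specific signal is a DLL cleanmgr did not extract itself, so either narrow TargetFilename to the known hijack target names or document the baseline: replace `- Unknown` with `- Legitimate DismHost extraction by the SilentCleanup scheduled task - verify on a clean host`. `TargetFilename|startswith: 'C:\Users\'` also assumes the profile root is on C:; `TargetFilename|contains: '\Users\'` survives non-default system drives.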
@@ -0,0 +1,23 @@ +title: UAC Bypass Using .NET Code Profiler on MMC +id: 93a19907-d4f9-4deb-9f91-aac4692776a6 +description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|startswith: 'C:\Users\' + TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll' + condition: selection diff --git a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml new file mode 100644 index 00000000..6e61f089 --- /dev/null +++ b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Using IEInstal - File +id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb +description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: file_event + product: windows +detection: + selection: + Image: 'C:\Program Files\Internet Explorer\IEInstal.exe' + TargetFilename|startswith: 'C:\Users\' + TargetFilename|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe' + condition: selection diff --git a/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml new file mode 100644 index 00000000..cc0d08e6 --- /dev/null +++ b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml 
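Review bot: The only indicator in sysmon_uac_bypass_dotnet_profiler.yml is the drop name `\AppData\Local\Temp\pe386.dll`, which looks like the tool's own naming (the same `pe386` string appears in the wusa/dism rule in this patch) rather than anything inherent to the .NET profiler technique, so a renamed payload evades it while the title promises technique coverage. Say so: `description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) by its default payload name; a renamed profiler DLL is not covered`. The COR_PROFILER registration is the technique-level indicator and would belong in a separate registry_event rule.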
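Review bot: `Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'` in sysmon_uac_bypass_ieinstal.yml is an exact full-path match and so misses the 32-bit copy under `C:\Program Files (x86)\Internet Explorer\` on 64-bit Windows, as well as non-C: system drives; `Image|endswith: '\Internet Explorer\IEInstal.exe'` keeps the intent without the gap. `TargetFilename|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe'` pins one temp directory name and one file name; if those are chosen by the tool rather than by IEInstal itself, note that in the description so the rule is not mistaken for technique-level coverage.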
@@ -0,0 +1,23 @@ +title: UAC Bypass Using MSConfig Token Modification - File +id: 41bb431f-56d8-4691-bb56-ed34e390906f +description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|startswith: 'C:\Users\' + TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe' + condition: selection diff --git a/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml new file mode 100644 index 00000000..4c8b8198 --- /dev/null +++ b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml @@ -0,0 +1,23 @@ +title: UAC Bypass Using NTFS Reparse Point - File +id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1 +description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|startswith: 'C:\Users\' + TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL' + condition: selection diff --git a/rules/windows/file_event/sysmon_uac_bypass_winsat.yml b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml new file mode 100644 index 00000000..74017b15 --- /dev/null +++ b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml 
@@ -0,0 +1,25 @@ +title: UAC Bypass Abusing Winsat Path Parsing - File +id: 155dbf56-e0a4-4dd0-8905-8a98705045e8 +description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|startswith: 'C:\Users\' + TargetFilename|endswith: + - '\AppData\Local\Temp\system32\winsat.exe' + - '\AppData\Local\Temp\system32\winmm.dll' + condition: selection diff --git a/rules/windows/file_event/sysmon_uac_bypass_wmp.yml b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml new file mode 100644 index 00000000..efb7a09c --- /dev/null +++ b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml @@ -0,0 +1,26 @@ +title: UAC Bypass Using Windows Media Player - File +id: 68578b43-65df-4f81-9a9b-92f32711a951 +description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: file_event + product: windows +detection: + selection1: + TargetFilename|startswith: 'C:\Users\' + TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll' + selection2: + Image: 'C:\Windows\system32\DllHost.exe' + TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe' + condition: 1 of selection* diff --git a/rules/windows/process_access/sysmon_uac_bypass_wow64_logger.yml b/rules/windows/process_access/sysmon_uac_bypass_wow64_logger.yml new file mode 100644 index 00000000..bf6ac9d8 --- /dev/null 
+++ b/rules/windows/process_access/sysmon_uac_bypass_wow64_logger.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Using WOW64 Logger DLL Hijack +id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c +description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30) +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +logsource: + category: process_access + product: windows +detection: + selection: + SourceImage|contains: ':\Windows\SysWOW64\' + GrantedAccess: '0x1fffff' + CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml new file mode 100644 index 00000000..09ac275e --- /dev/null +++ b/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Tool UACMe +id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177 +description: Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + - Product: 'UACMe' + - Company: 'REvol Corp' + - OriginalFileName: 'Akagi.exe' + condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml new file mode 100644 index 00000000..b7c37d4e --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml 
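Review bot: sysmon_uac_bypass_wow64_logger.yml has no TargetImage constraint, so every ProcessAccess event from a `\Windows\SysWOW64\` process with `GrantedAccess: '0x1fffff'` (PROCESS_ALL_ACCESS) and an unbacked call trace is flagged, and `falsepositives: Unknown` gives an analyst nothing to triage against. If the method is expected to open a specific elevated target, add `TargetImage|endswith:` for it; otherwise record the baseline observed on a clean host. Sysmon only emits event 10 for targets selected in the ProcessAccess section of its configuration, so add `definition: requires Sysmon ProcessAccess logging for the relevant targets` under logsource.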
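Review bot: win_hktl_uacme_uac_bypass.yml matches on `Product`, `Company` and `OriginalFileName`, PE version-resource strings the attacker controls, so it catches stock builds only; the description says "via default PE metadata", which is honest, but `falsepositives: Unknown` should then be `- Unlikely`, since a rule keyed on a tool's own metadata has no benign match worth listing. These three fields are populated only by Sysmon event 1 and are absent from Security 4688, so add a `definition:` under logsource stating that requirement. The list of maps under `selection` is an OR in Sigma, so the three-way alternative is correct as written.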
@@ -0,0 +1,26 @@ +title: UAC Bypass Using ChangePK and SLUI +id: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc +description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61) +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b + - https://github.com/hfiref0x/UACME + - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\changepk.exe' + ParentImage|endswith: '\slui.exe' + IntegrityLevel: 'High' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml new file mode 100644 index 00000000..91546a9b --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Using Disk Cleanup +id: b697e69c-746f-4a86-9f59-7bfff8eab881 +description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:' + ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule' + IntegrityLevel: 'High' + condition: selection 
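Review bot: `ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'` in win_uac_bypass_cleanmgr.yml is an exact match on the split-service form of the Task Scheduler host; as far as I know Windows only splits services on hosts with enough memory, so on other systems the Schedule service runs in the shared `svchost.exe -k netsvcs` and the rule is silently blind, as it is on non-C: installs. `ParentImage|endswith: '\svchost.exe'` with `ParentCommandLine|contains: '-k netsvcs'` keeps the scheduled-task origin without pinning the host layout. `CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'` likewise assumes the system drive letter; `CommandLine|contains: '"\system32\cleanmgr.exe /autoclean /d '` is just as specific about the quote-in-%windir% expansion trick, which is the actual anomaly.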
diff --git a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml new file mode 100644 index 00000000..61fb4b62 --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Using Consent and Comctl32 - Process +id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085 +description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\consent.exe' + Image|endswith: '\werfault.exe' + IntegrityLevel: 'System' + condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_dismhost.yml b/rules/windows/process_creation/win_uac_bypass_dismhost.yml new file mode 100644 index 00000000..f0c206f6 --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_dismhost.yml 
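Review bot: win_uac_bypass_consent_comctl32.yml fires on `werfault.exe` spawned by `consent.exe` at System integrity, which is what any crash of consent.exe looks like regardless of cause, so a faulting UAC prompt or credential provider produces the same event; replace `- Unknown` with `- Legitimate consent.exe crashes reported through Windows Error Reporting` and state in the description that the rule detects the crash side effect of the hijack, not the hijack itself. The sibling file_event rule for UACMe 22 in this patch keys on the comctl32.dll drop and is the one to correlate with; reference it via `related:` or in the description so an analyst sees both.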
@@ -0,0 +1,33 @@ +title: UAC Bypass Using DismHost +id: 853e74f9-9392-4935-ad3b-2e8c040dae86 +description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection1: + ParentImage|contains|all: + - 'C:\Users\' + - '\AppData\Local\Temp\' + - '\DismHost.exe' + IntegrityLevel: 'High' + selection2: + Image|contains|all: + - 'C:\Users\' + - '\AppData\Local\Temp\' + - '\DismHost.exe' + IntegrityLevel: 'High' + ParentCommandLine: 'C:\Windows\system32\cleanmgr.exe /autoclean /d C:' + condition: 1 of selection* diff --git a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml new file mode 100644 index 00000000..e45aa045 --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Using IEInstal - Process +id: 80fc36aa-945e-4181-89f2-2f907ab6775d +description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + IntegrityLevel: 'High' + ParentImage|endswith: '\ieinstal.exe' + Image|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe' + condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml new file mode 100644 index 00000000..7d2f6aae --- /dev/null 
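Review bot: selection2 in win_uac_bypass_dismhost.yml (DismHost.exe under a user's `\AppData\Local\Temp\` at High integrity with `ParentCommandLine: 'C:\Windows\system32\cleanmgr.exe /autoclean /d C:'`) describes, as far as I can tell, the normal SilentCleanup scheduled task, which runs cleanmgr elevated with that exact command line and launches a DismHost.exe it extracted into %TEMP%; the hijack rides on that legitimate launch, so selection2 alone fires on every scheduled cleanup. Keep selection1 (DismHost from Temp acting as a parent, which a clean run should not produce) and either drop selection2 or pair it with the hijacked DLL drop from the matching file_event rule; at minimum replace `- Unknown` with `- Scheduled SilentCleanup task launching DismHost from %TEMP%`. With `1 of selection*` the `level: high` attaches to the noisy branch too.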
+++ b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Using MSConfig Token Modification - Process +id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980 +description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + IntegrityLevel: 'High' + ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe' + CommandLine: '"C:\Windows\system32\msconfig.exe" -5' + condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml new file mode 100644 index 00000000..a0f828e8 --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml 
@@ -0,0 +1,32 @@ +title: UAC Bypass Using NTFS Reparse Point - Process +id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7 +description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' + CommandLine|endswith: '\AppData\Local\Temp\update.msu' + IntegrityLevel: 'High' + selection2: + ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck' + IntegrityLevel: 'High' + CommandLine|contains|all: + - 'C:\Users\' + - '\AppData\Local\Temp\' + - '\dismhost.exe {' + Image|endswith: '\DismHost.exe' + condition: 1 of selection* diff --git a/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml new file mode 100644 index 00000000..570938ee --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Using PkgMgr and DISM +id: a743ceba-c771-4d75-97eb-8a90f7f4844c +description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\pkgmgr.exe' + Image|endswith: '\dism.exe' + IntegrityLevel: 'High' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file 
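Review bot: selection1 in win_uac_bypass_ntfs_reparse_point.yml is `wusa.exe /quiet` installing `\AppData\Local\Temp\update.msu` at High integrity, which is also what an administrator running a downloaded standalone update out of a Temp directory looks like; the only tool-specific token is the filename `update.msu`. Either bind selection1 to the reparse-point side (the `api-ms-win-core-kernel32-legacy-l1.DLL` drop in the matching file_event rule) or list `- Manual installation of standalone updates (.msu) from a user Temp directory` under falsepositives and say in the description that the filename is the tool default. selection2's exact dism `ParentCommandLine` with `/packagepath:"C:\Windows\system32\pe386"` is tool-named as well and deserves the same note.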
diff --git a/rules/windows/process_creation/win_uac_bypass_winsat.yml b/rules/windows/process_creation/win_uac_bypass_winsat.yml new file mode 100644 index 00000000..49773539 --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_winsat.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Abusing Winsat Path Parsing - Process +id: 7a01183d-71a2-46ad-ad5c-acd989ac1793 +description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + IntegrityLevel: 'High' + ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe' + ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe' + condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_wmp.yml b/rules/windows/process_creation/win_uac_bypass_wmp.yml new file mode 100644 index 00000000..6b1691be --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_wmp.yml 
@@ -0,0 +1,27 @@ +title: UAC Bypass Using Windows Media Player - Process +id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2 +description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: 'C:\Program Files\Windows Media Player\osk.exe' + IntegrityLevel: 'High' + selection2: + Image: 'C:\Windows\System32\cmd.exe' + ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' + IntegrityLevel: 'High' + condition: 1 of selection* diff --git a/rules/windows/process_creation/win_uac_bypass_wsreset.yml b/rules/windows/process_creation/win_uac_bypass_wsreset.yml new file mode 100644 index 00000000..e45b8880 --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_wsreset.yml @@ -0,0 +1,25 @@ +title: UAC Bypass WSReset +id: 89a9a0e0-f61a-42e5-8957-b1479565a658 +description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ + - https://github.com/hfiref0x/UACME + - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\wsreset.exe' + IntegrityLevel: 'High' + condition: selection +falsepositives: + - Unknown +level: high 
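Review bot: win_uac_bypass_wsreset.yml alerts on `wsreset.exe` itself running at High integrity, but WSReset is an auto-elevating binary, so every legitimate Store-cache reset produces the same event; the bypass is visible in what wsreset then launches through the hijacked AppX protocol handler, which is what child-process based detections (I believe including the referenced FalconFriday write-up) key on. Invert the selection to `ParentImage|endswith: '\wsreset.exe'` with `IntegrityLevel: 'High'`, adding a filter for any child observed on a clean host. As written, `falsepositives: Unknown` with `level: high` will page on a user clicking Reset in the Store app settings.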
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml new file mode 100644 index 00000000..7f73e937 --- /dev/null +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -0,0 +1,24 @@ +title: UAC Bypass Using Registry Shell Open Keys +id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 +description: Detects the pattern of UAC Bypass using fodhelper.exe or computerdefaults.exe via registry keys (UACMe 33 or 62) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: registry_event + product: windows +detection: + selection: + Image: C:\Windows\explorer.exe + TargetObject|endswith: '-1???_Classes\ms-settings\shell\open\command\SymbolicLinkValue' + Details|contains: '-1???\Software\Classes\{' + condition: selection diff --git a/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml b/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml new file mode 100644 index 00000000..5d375369 --- /dev/null +++ b/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml 
@@ -0,0 +1,25 @@ +title: UAC Bypass Abusing Winsat Path Parsing - Registry +id: 6597be7b-ac61-4ac8-bef4-d3ec88174853 +description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) +author: Christian Burkard +date: 2021/08/30 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|' + TargetObject|endswith: '\LowerCaseLongPath' + Details|startswith: 'c:\users\' + Details|endswith: '\appdata\local\temp\system32\winsat.exe' + condition: selection diff --git a/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml b/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml new file mode 100644 index 00000000..ce2652e0 --- /dev/null +++ b/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml @@ -0,0 +1,23 @@ +title: UAC Bypass Using Windows Media Player - Registry +id: 5f9db380-ea57-4d1e-beab-8a2d33397e93 +description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +author: Christian Burkard +date: 2021/08/23 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +falsepositives: + - Unknown +level: high +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe' + Details: 'Binary Data' + condition: selection From 18cdc36d73be4314fefe8ef630802c18270eaa86 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Tue, 31 Aug 2021 13:44:54 +0200 Subject: [PATCH 019/127] Fix EventID 4103 detection --- .../powershell/powershell_remote_powershell_session.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index e8e29b1a..652741eb 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -2,7 +2,7 @@ action: global title: Remote PowerShell Session id: 96b9f619-aa91-478f-bacb-c3e50f8df575 description: Detects remote PowerShell sessions -status: experimental +status: test date: 2019/08/10 modified: 2020/08/24 author: Roberto Rodriguez @Cyb3rWard0g @@ -25,9 +25,10 @@ logsource: definition: Module Logging must be enable and fields have to be extract from event detection: selection: - EventID: 4103 - HostName: 'ServerRemoteHost' - HostApplication|contains: 'wsmprovhost.exe' + EventID: 4103 + ContextInfo|contains|all: + - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = + - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = condition: selection --- logsource: From eb434732a74cd5db3da7b803e28a9561c58e943c Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 31 Aug 2021 13:48:07 +0200 Subject: [PATCH 020/127] move rule not only powershell --- .../{powershell => builtin}/win_powershell_web_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/{powershell => builtin}/win_powershell_web_request.yml (96%) diff --git a/rules/windows/powershell/win_powershell_web_request.yml b/rules/windows/builtin/win_powershell_web_request.yml similarity index 96% rename from rules/windows/powershell/win_powershell_web_request.yml rename to rules/windows/builtin/win_powershell_web_request.yml index 37e172c9..54319f96 100644 
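Review bot: The new `ContextInfo|contains|all` value `' = ServerRemoteHost '` ends in a space, but in a 4103 event ContextInfo is a multi-line block in which `Host Name = ServerRemoteHost` is followed by a line break, so unless the collector normalises whitespace the trailing space never matches and the rule goes quiet; use `- ' = ServerRemoteHost'`, which still keeps the localisation-independent ` = ` anchor the comment explains. The status bump to `test` and the field rewrite are a material change to a rule whose `modified:` is 2020/08/24, so that date should be bumped to the patch date. The rule's second logsource block continues outside the hunk.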
--- a/rules/windows/powershell/win_powershell_web_request.yml +++ b/rules/windows/builtin/win_powershell_web_request.yml @@ -2,7 +2,7 @@ action: global title: Windows PowerShell Web Request id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d status: experimental -description: Detects the use of various web request methods (including aliases) via Windows PowerShell +description: Detects the use of various web request methods (including aliases) via Windows PowerShell command references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell From 6eb7245673a1288943b9f92f2d122840415e9622 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 15:58:57 +0200 Subject: [PATCH 021/127] fix: remove user sid, match any sid instead --- .../windows/registry_event/sysmon_uac_bypass_shell_open.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 7f73e937..38c9c889 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -18,7 +18,6 @@ logsource: product: windows detection: selection: - Image: C:\Windows\explorer.exe - TargetObject|endswith: '-1???_Classes\ms-settings\shell\open\command\SymbolicLinkValue' - Details|contains: '-1???\Software\Classes\{' + TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue' + Details|contains: '\Software\Classes\{' condition: selection From 9dc8d3856561d6ee77c8354f9af540dbd8464fb8 Mon Sep 17 00:00:00 2001 
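Review bot: After this change sysmon_uac_bypass_shell_open.yml keys solely on `SymbolicLinkValue` under `_Classes\ms-settings\shell\open\command`, i.e. the registry-symlink variant of the fodhelper/computerdefaults bypass; the plain variant that writes `DelegateExecute` and the default value under the same key is not covered, and the title "Using Registry Shell Open Keys" reads broader than that. Either qualify the title/description with `via registry symbolic link` or, unless another rule already covers it, add a second selection with `TargetObject|endswith: '\ms-settings\shell\open\command\DelegateExecute'`. Dropping the `-1???` SID prefix is right: `?` matches any single character in Sigma, so it was not constraining the SID in any useful way.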
From: Austin Songer Date: Tue, 31 Aug 2021 09:14:14 -0500 Subject: [PATCH 022/127] Create sysmon_dns_over_https_enabled.yml --- .../sysmon_dns_over_https_enabled.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_dns_over_https_enabled.yml diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml new file mode 100644 index 00000000..e3ba5eb6 --- /dev/null +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml @@ -0,0 +1,34 @@ +title: DNS-over-HTTPS Enabled by Registry +id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 +date: 2021/07/22 +description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. +author: Austin Songer +status: experimental +references: + - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html + - https://github.com/elastic/detection-rules/issues/1371 + - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode +tags: + - attack.defense_evasion + - attack.t1140 + - attack.t1112 +logsource: + product: windows + category: registry_event +detection: + selection1: + TargetObject: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' + Details: 'DWORD (1)' + selection2: + TargetObject: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' + Details: 'DWORD (secure)' + selection3: + TargetObject: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' + Details: 'DWORD (1)' + condition: selection1 or selection2 or selection3 +falsepositives: +- Unlikely +level: medium From 59d8e0b8668dd8762723e8bed3de11ad877bd7b5 Mon Sep 17 00:00:00 2001 
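Review bot: The three selections in sysmon_dns_over_https_enabled.yml use value formats that Sysmon registry events do not produce: Sysmon writes `TargetObject` with the short hive prefix `HKLM\...`, not `HKEY_LOCAL_MACHINE\...`, renders DWORD values as `DWORD (0x00000001)`, not `DWORD (1)`, and `DnsOverHttpsMode` is a string policy whose value would be logged as plain `secure`, so `DWORD (secure)` cannot occur; as written the rule never matches. The Chrome policy path is normally under `\Policies\Google\Chrome\` and the Firefox policy, per Mozilla's templates, is an `Enabled` value under the `DNSOverHTTPS` key, so both paths should be verified against the references before merging; `BuiltInDnsClientEnabled` controls Edge's built-in resolver rather than DoH itself, which the description should reflect. `- Unlikely` is also optimistic, since enabling DoH centrally by GPO is a legitimate hardening step, and it should be indented under `falsepositives:` like the other rules.
```yaml
detection:
  selection1:
    TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
    Details: 'DWORD (0x00000001)'
  selection2:
    TargetObject: 'HKLM\SOFTWARE\Policies\Google\Chrome\DnsOverHttpsMode'   # verify policy path against the Chrome reference
    Details: 'secure'
  selection3:
    TargetObject: 'HKLM\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'   # verify key layout against the Mozilla policy templates
    Details: 'DWORD (0x00000001)'
  # … unchanged: condition …
falsepositives:
  - Administrators enabling DNS-over-HTTPS by policy as a hardening measure
```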
From: phantinuss Date: Tue, 31 Aug 2021 16:18:05 +0200 Subject: [PATCH 023/127] add System IntegrityLevel to uac bypass rules, the level is not used most of the time, but might --- .../process_creation/win_cmstp_com_object_access.yml | 4 +++- .../process_creation/win_uac_bypass_changepk_slui.yml | 4 +++- .../windows/process_creation/win_uac_bypass_cleanmgr.yml | 4 +++- .../process_creation/win_uac_bypass_consent_comctl32.yml | 4 +++- .../windows/process_creation/win_uac_bypass_dismhost.yml | 8 ++++++-- .../windows/process_creation/win_uac_bypass_ieinstal.yml | 4 +++- .../process_creation/win_uac_bypass_msconfig_gui.yml | 4 +++- .../win_uac_bypass_ntfs_reparse_point.yml | 8 ++++++-- .../process_creation/win_uac_bypass_pkgmgr_dism.yml | 6 ++++-- rules/windows/process_creation/win_uac_bypass_winsat.yml | 4 +++- rules/windows/process_creation/win_uac_bypass_wmp.yml | 8 ++++++-- rules/windows/process_creation/win_uac_bypass_wsreset.yml | 4 +++- 12 files changed, 46 insertions(+), 16 deletions(-) diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml index f0dc77b3..7a12cc4a 100644 --- a/rules/windows/process_creation/win_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml @@ -26,7 +26,9 @@ logsource: detection: selection: ParentImage|endswith: '\DllHost.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentCommandLine|contains: - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' diff --git a/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml index b7c37d4e..35c63c90 100644 --- a/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml +++ b/rules/windows/process_creation/win_uac_bypass_changepk_slui.yml 
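Review bot: win_cmstp_com_object_access.yml is a pre-existing rule whose detection logic changes here (accepting `System` as well as `High`), so its `modified:` field, which lies outside this hunk, should be bumped to the patch date; the new UAC rules touched later in this patch were created in the same series and need nothing. The list form `IntegrityLevel: ['High', 'System']` is an OR in Sigma, which matches the intent stated in the commit message.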
@@ -19,7 +19,9 @@ detection: selection: Image|endswith: '\changepk.exe' ParentImage|endswith: '\slui.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml index 91546a9b..3ed387b3 100644 --- a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml +++ b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml @@ -20,5 +20,7 @@ detection: selection: CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:' ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml index 61fb4b62..e690075d 100644 --- a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml +++ b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml @@ -20,5 +20,7 @@ detection: selection: ParentImage|endswith: '\consent.exe' Image|endswith: '\werfault.exe' - IntegrityLevel: 'System' + IntegrityLevel: + - 'High' + - 'System' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_dismhost.yml b/rules/windows/process_creation/win_uac_bypass_dismhost.yml index f0c206f6..6647013e 100644 --- a/rules/windows/process_creation/win_uac_bypass_dismhost.yml +++ b/rules/windows/process_creation/win_uac_bypass_dismhost.yml 
@@ -22,12 +22,16 @@ detection: - 'C:\Users\' - '\AppData\Local\Temp\' - '\DismHost.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' selection2: Image|contains|all: - 'C:\Users\' - '\AppData\Local\Temp\' - '\DismHost.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentCommandLine: 'C:\Windows\system32\cleanmgr.exe /autoclean /d C:' condition: 1 of selection* diff --git a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml index e45aa045..a6458810 100644 --- a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml +++ b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentImage|endswith: '\ieinstal.exe' Image|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml index 7d2f6aae..a7d65fd2 100644 --- a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml +++ b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe' CommandLine: '"C:\Windows\system32\msconfig.exe" -5' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml index a0f828e8..4319cada 100644 --- a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml +++ b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml 
@@ -20,10 +20,14 @@ detection: selection1: CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' CommandLine|endswith: '\AppData\Local\Temp\update.msu' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' selection2: ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Temp\' diff --git a/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml index 570938ee..75d1a14d 100644 --- a/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml +++ b/rules/windows/process_creation/win_uac_bypass_pkgmgr_dism.yml @@ -17,8 +17,10 @@ detection: selection: ParentImage|endswith: '\pkgmgr.exe' Image|endswith: '\dism.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_winsat.yml b/rules/windows/process_creation/win_uac_bypass_winsat.yml index 49773539..c9ec3b38 100644 --- a/rules/windows/process_creation/win_uac_bypass_winsat.yml +++ b/rules/windows/process_creation/win_uac_bypass_winsat.yml @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe' ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_wmp.yml b/rules/windows/process_creation/win_uac_bypass_wmp.yml index 6b1691be..25ab25c7 100644 --- a/rules/windows/process_creation/win_uac_bypass_wmp.yml +++ b/rules/windows/process_creation/win_uac_bypass_wmp.yml 
@@ -19,9 +19,13 @@ logsource: detection: selection1: Image: 'C:\Program Files\Windows Media Player\osk.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' selection2: Image: 'C:\Windows\System32\cmd.exe' ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: 1 of selection* diff --git a/rules/windows/process_creation/win_uac_bypass_wsreset.yml b/rules/windows/process_creation/win_uac_bypass_wsreset.yml index e45b8880..8e4707a9 100644 --- a/rules/windows/process_creation/win_uac_bypass_wsreset.yml +++ b/rules/windows/process_creation/win_uac_bypass_wsreset.yml @@ -18,7 +18,9 @@ logsource: detection: selection: Image|endswith: '\wsreset.exe' - IntegrityLevel: 'High' + IntegrityLevel: + - 'High' + - 'System' condition: selection falsepositives: - Unknown From add1ad40f86969cc0ca302b3d12d8b4590feed24 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Tue, 31 Aug 2021 16:23:32 +0200 Subject: [PATCH 024/127] additional UAC bypass rule --- .../win_uac_bypass_computerdefaults.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation/win_uac_bypass_computerdefaults.yml diff --git a/rules/windows/process_creation/win_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/win_uac_bypass_computerdefaults.yml new file mode 100644 index 00000000..6677408e --- /dev/null +++ b/rules/windows/process_creation/win_uac_bypass_computerdefaults.yml 
@@ -0,0 +1,29 @@ +title: UAC Bypass Using ComputerDefaults +id: 3c05e90d-7eba-4324-9972-5d7f711a60a8 +description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59) +author: Christian Burkard +date: 2021/08/31 +status: experimental +references: + - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +logsource: + category: process_creation + product: windows +detection: + selection: + IntegrityLevel: + - 'High' + - 'System' + Image: 'C:\Windows\System32\ComputerDefaults.exe' + filter: + ParentImage|contains: + - ':\Windows\System32' + - ':\Program Files' + condition: selection and not filter +falsepositives: + - Unknown +level: high From cff572b7527e251f5024f8dfc1bef1a13f36785d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 31 Aug 2021 17:11:04 +0200 Subject: [PATCH 025/127] Update sysmon_dns_over_https_enabled.yml --- .../registry_event/sysmon_dns_over_https_enabled.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index e3ba5eb6..c7687eed 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml 
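Review bot: The `filter` selection drops any event whose `ParentImage` contains `:\Windows\System32` or `:\Program Files`, which also excludes launches whose parent is a user-driven shell residing under System32, so such a chain leading to ComputerDefaults.exe is never alerted on. If the intent is only to suppress legitimate settings-UI launches, restricting the filter to those specific parent images (`ParentImage|endswith`) would be more precise; otherwise a comment on the filter such as `# intentionally excludes every System32/Program Files parent, shells included` should record the trade-off. Separately, `Image: 'C:\Windows\System32\ComputerDefaults.exe'` is an exact, drive-letter-bound match while the sibling UAC-bypass rules in this series use `Image|endswith: '\<name>.exe'`; `Image|endswith: '\ComputerDefaults.exe'` would align with them.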
@@ -17,16 +17,13 @@ logsource: category: registry_event detection: selection1: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' + TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' Details: 'DWORD (1)' selection2: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' + TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' selection3: - TargetObject: - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' + TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS' Details: 'DWORD (1)' condition: selection1 or selection2 or selection3 falsepositives: From 9b2006027546b922d4a8ca34585ea55aca9a4a0b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 31 Aug 2021 17:14:19 +0200 Subject: [PATCH 026/127] SideWalk UA --- rules/proxy/proxy_ua_apt.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index 0c51fd03..d7298a8c 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -50,6 +50,7 @@ detection: - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/ - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ + - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin condition: selection fields: - ClientIP From 6f3fc7036e69b1af20005213ab55540f783d23b6 Mon Sep 17 00:00:00 2001 
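Review bot: `Details: 'DWORD (secure)'` on the selection2 line looks inconsistent: Sysmon renders DWORD values numerically, so a textual `secure` suggests the Chrome `DnsOverHttpsMode` policy is stored as a string, in which case the Details field would carry the bare string rather than a `DWORD (...)` wrapper and the selection would never match. Worth validating against a real registry event before merging; if confirmed, `Details: 'secure'` is the value to match. The list-to-scalar conversion itself is fine.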
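Review bot: The new SideWalk entry is the only one in this list whose trailing comment carries no source link, whereas each neighbouring entry cites the report the string was taken from; a reference on that line, e.g. `# SideWalk malware used by Sparkling Goblin (<report URL>)`, keeps the attribution auditable. The selection header and its modifier are outside the hunk, so whether the user-agent is matched exactly or by substring cannot be checked here.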
From: frack113 Date: Wed, 1 Sep 2021 09:45:31 +0200 Subject: [PATCH 027/127] Update tags --- rules/windows/malware/av_hacktool.yml | 2 ++ rules/windows/powershell/powershell_invoke_nightmare.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/rules/windows/malware/av_hacktool.yml b/rules/windows/malware/av_hacktool.yml index fe2fa7cf..e074241f 100644 --- a/rules/windows/malware/av_hacktool.yml +++ b/rules/windows/malware/av_hacktool.yml @@ -23,3 +23,5 @@ fields: falsepositives: - Unlikely level: high +tags: + - attack.execution \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml index a98b9bba..553f535e 100644 --- a/rules/windows/powershell/powershell_invoke_nightmare.yml +++ b/rules/windows/powershell/powershell_invoke_nightmare.yml @@ -19,3 +19,5 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.privilege_escalation From 240c5584ffa6e8e54f64dedfbdcba30ddcc780c3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 09:56:46 +0200 Subject: [PATCH 028/127] update tags --- rules/windows/malware/av_relevant_files.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index c200959a..fb82c313 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml @@ -72,3 +72,6 @@ fields: falsepositives: - Unlikely level: high +tags: + - attack.resource_development + - attack.t1588 \ No newline at end of file From 9ffdced740a0380f642a6c8ecaef5f22cb0044cc Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 1 Sep 2021 10:21:37 +0200 Subject: [PATCH 029/127] fix: implement suggestions from PR discussion --- rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml | 3 ++- rules/windows/process_creation/win_uac_bypass_ieinstal.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) 
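Review bot: The `tags:` block appended to av_hacktool.yml ends without a trailing newline (`\ No newline at end of file`), and the same reappears in av_relevant_files.yml in this patch series and in the later tag-only commits for win_av_relevant_match.yml, win_ntfs_vuln_exploit.yml, win_scm_database_privileged_operation.yml, win_susp_failed_guest_logon.yml and sysmon_susp_prog_location_network_connection.yml; PATCH 023 fixes exactly this in win_uac_bypass_pkgmgr_dism.yml, so these additions reintroduce the inconsistency. Separately, av_hacktool.yml receives only the tactic `attack.execution` while every other tag hunk pairs a tactic with a technique id; if a technique applies, adding it keeps the tagging uniform.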
diff --git a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml index 6e61f089..9ba625f0 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml @@ -20,5 +20,6 @@ detection: selection: Image: 'C:\Program Files\Internet Explorer\IEInstal.exe' TargetFilename|startswith: 'C:\Users\' - TargetFilename|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe' + TargetFilename|contains: '\AppData\Local\Temp\' + TargetFilename|endswith: 'consent.exe' condition: selection diff --git a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml index a6458810..7c734ccf 100644 --- a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml +++ b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml @@ -22,5 +22,6 @@ detection: - 'High' - 'System' ParentImage|endswith: '\ieinstal.exe' - Image|endswith: '\AppData\Local\Temp\IDC1.tmp\[1]consent.exe' + Image|contains: '\AppData\Local\Temp\' + Image|endswith: 'consent.exe' condition: selection From 4b8ffbc183c597e448e8a1a09b7aeddbda3fd406 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 10:30:43 +0200 Subject: [PATCH 030/127] Update tags --- rules/windows/malware/win_mal_ryuk.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml index 02603871..156ee19a 100644 --- a/rules/windows/malware/win_mal_ryuk.yml +++ b/rules/windows/malware/win_mal_ryuk.yml @@ -24,3 +24,6 @@ detection: falsepositives: - Unlikely level: critical +tags: + - attack.execution + - attack.t1204 From 892c58270a1985fe38ff9ca4875539d92c84c65e Mon Sep 17 00:00:00 2001 
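Review bot: `TargetFilename|endswith: 'consent.exe'` has no leading path separator, so it also matches any file whose name merely ends in that string; `TargetFilename|endswith: '\consent.exe'` anchors the match to the file name, as `Image|endswith: '\scrcons.exe'` and the other rules in this series do. The same applies to `Image|endswith: 'consent.exe'` in the win_uac_bypass_ieinstal.yml hunk of this patch. Dropping the `IDC1.tmp\[1]` fragment in favour of `contains: '\AppData\Local\Temp\'` is otherwise a sensible loosening.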
From: frack113 Date: Wed, 1 Sep 2021 10:33:57 +0200 Subject: [PATCH 031/127] Update tags --- rules/windows/builtin/win_av_relevant_match.yml | 3 +++ rules/windows/malware/win_mal_darkside.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index fd321a9a..da2e8dce 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -36,3 +36,6 @@ detection: falsepositives: - Some software piracy tools (key generators, cracks) are classified as hack tools level: high +tags: + - attack.resource_development + - attack.t1588 \ No newline at end of file diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml index 26d609be..e050210d 100644 --- a/rules/windows/malware/win_mal_darkside.yml +++ b/rules/windows/malware/win_mal_darkside.yml @@ -26,3 +26,6 @@ falsepositives: - Unknown - UAC bypass method used by other malware level: critical +tags: + - attack.execution + - attack.t1204 From 6859b6c38f4d748ee335a400998cb6ac6313ebc0 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 1 Sep 2021 15:24:47 +0545 Subject: [PATCH 032/127] Added rule for detection of Atera RMM Agent installation --- .../win_software_atera_rmm_agent_install.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/builtin/win_software_atera_rmm_agent_install.yml diff --git a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml new file mode 100644 index 00000000..b3a7f22b --- /dev/null +++ b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml 
@@ -0,0 +1,22 @@ +title: Atera Agent Installation +id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43 +status: experimental +description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators +references: + - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent +date: 2021/09/01 +author: Bhabesh Raj +level: high +logsource: + service: application + product: windows +tags: + - attack.t1219 +detection: + selection: + EventID: 1033 + Source: MsiInstaller + Message|contains: AteraAgent + condition: selection +falsepositives: + - Legitimate Atera agent installation \ No newline at end of file From 2cb5f5e4c64fbf3c837c47f632056d0f6e300518 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 12:54:21 +0200 Subject: [PATCH 033/127] add missing tags --- rules/windows/builtin/win_ntfs_vuln_exploit.yml | 3 +++ .../windows/builtin/win_scm_database_privileged_operation.yml | 3 +++ rules/windows/builtin/win_susp_failed_guest_logon.yml | 3 +++ .../sysmon_susp_prog_location_network_connection.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/rules/windows/builtin/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/win_ntfs_vuln_exploit.yml index 3efcaf88..060a8262 100644 --- a/rules/windows/builtin/win_ntfs_vuln_exploit.yml +++ b/rules/windows/builtin/win_ntfs_vuln_exploit.yml @@ -20,3 +20,6 @@ detection: falsepositives: - Unlikely level: critical +tags: + - attack.impact + - attack.t1499.001 \ No newline at end of file diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml index 9501875a..5c59eb7e 100644 --- a/rules/windows/builtin/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml 
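Review bot: MsiInstaller event 1033 is, as far as I know, also written for installations that fail (its message ends with an "Installation success or error status" code), so `Message|contains: AteraAgent` alone does not establish the "successful installation" the description claims; either add the success status to the match or soften the description to "installation attempt". Worth confirming against an actual failed-install event. The `tags` list carries `attack.t1219` without its tactic, while sibling rules in this series pair `attack.command_and_control` with the technique id, and the file ends without a trailing newline.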
@@ -21,3 +21,6 @@ detection: falsepositives: - Unknown level: critical +tags: + - attack.privilege_escalation + - attack.t1548 \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_failed_guest_logon.yml b/rules/windows/builtin/win_susp_failed_guest_logon.yml index 0d7657d5..7a6fae07 100644 --- a/rules/windows/builtin/win_susp_failed_guest_logon.yml +++ b/rules/windows/builtin/win_susp_failed_guest_logon.yml @@ -25,3 +25,6 @@ fields: - User falsepositives: - Account fallback reasons (after failed login with specific account) +tags: + - attack.credential_access + - attack.t1110.001 \ No newline at end of file diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml index b8c4544d..f93c48f5 100755 --- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml @@ -31,3 +31,6 @@ detection: falsepositives: - unknown level: high +tags: + - attack.command_and_control + - attack.t1105 \ No newline at end of file From 8bba246205fcc9ac6fd0e37cfc6e053bf14a3d3e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 12:57:34 +0200 Subject: [PATCH 034/127] refactor: better way to write it --- rules/windows/builtin/win_susp_msmpeng_crash.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index 0dde4962..8cc330fb 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml 
@@ -22,11 +22,10 @@ detection: selection2: Source: 'Windows Error Reporting' EventID: 1001 - keyword1: + keywords: - 'MsMpEng.exe' - keyword2: - 'mpengine.dll' - condition: 1 of selection* and keyword1 and keyword2 + condition: 1 of selection* and all of keywords falsepositives: - MsMpEng.exe can crash when C:\ is full level: high From f102b2d9a1149458069931c41f20bbc786c29a44 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:07:18 +0200 Subject: [PATCH 035/127] docs: note to improved sysmon config --- rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml | 2 +- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +- .../pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 3075d846..89612067 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection_MSSE: PipeName|contains|all: diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 97b9e587..16305648 100644 
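Review bot: `condition: 1 of selection* and all of keywords` relies on `all of` applying AND across the two items of the single `keywords` list; by the Sigma convention a list of strings under one search identifier is OR-linked and `all of` quantifies over matching identifiers (here just one), so a backend may read this as "MsMpEng.exe OR mpengine.dll", which the separate `keyword1`/`keyword2` identifiers expressed unambiguously. Worth verifying the generated query on the backends in use; if the AND is not preserved, two identifiers with `all of keyword*` is the safe form.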
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection: - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}' diff --git a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index c9a3da84..da7bb0a7 100644 --- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml 
@@ -13,7 +13,7 @@ tags: logsource: product: windows category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection_malleable_profiles: PipeName|startswith: From 80dbfa7af5781efc858bcc3054788572ade46e55 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 13:52:09 +0200 Subject: [PATCH 036/127] add process_creation_alternate_data_streams.yml --- ...rocess_creation_alternate_data_streams.yml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_alternate_data_streams.yml diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml new file mode 100644 index 00000000..f98b1f01 --- /dev/null +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml 
@@ -0,0 +1,57 @@ +title: Execute From Alternate Data Streams +id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c +status: experimental +author: frack113 +date: 2021/0901 +description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md +tags: + - attack.defense_evasion + - attack.t1564.004 +logsource: + category: process_creation + product: windows +detection: + selection_stream: + CommandLine|contains: 'txt:' + selection_tools_type: + CommandLine|contains|all: + - 'type ' + - ' > ' + selection_tools_findstr: + CommandLine|contains|all: + - 'findstr ' + - ' /V ' + - ' /L ' + selection_tools_makecab: + CommandLine|contains|all: + - 'makecab ' + - '.cab' + selection_tools_dir: + CommandLine|contains|all: + - 'print ' + - '/D:' + selection_tools_reg: + CommandLine|contains|all: + - 'reg ' + - ' export ' + selection_tools_regedit: + CommandLine|contains|all: + - 'regedit ' + - ' /E ' + selection_tools_regedit: + CommandLine|contains|all: + - 'regedit ' + - ' /E ' + selection_tools_esentutl: + CommandLine|contains|all: + - 'esentutl ' + - ' /y ' + - ' /d ' + - ' /o ' + + condition: selection_stream and (1 of selection_tools_*) +falsepositives: + - Unknown +level: medium From affc929c3b49e3d3cbdb1cfce4cebc7e01573467 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:54:47 +0200 Subject: [PATCH 037/127] LiquidSnake named pipe --- rules/windows/pipe_created/sysmon_mal_namedpipes.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml index e425bf51..f8fbc077 100644 --- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml 
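Review bot: `selection_stream` keys the whole rule on `CommandLine|contains: 'txt:'`, so streams attached to host files with any other extension are not covered and the rule effectively detects the referenced Atomic test rather than the technique in general. A bare colon would be far too noisy, so the minimum is a comment documenting the limitation, e.g. `# stream selector limited to .txt host files (mirrors Atomic T1564.004); broaden with FP testing`, and the description could say the same.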
@@ -34,6 +34,7 @@ detection: - '\Posh*' #PoshC2 default - '\jaccdpqnvbrrxlaf' #PoshC2 default - '\csexecsvc' #CSEXEC default + - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake https://github.com/RiccardoAncarani/LiquidSnake condition: selection tags: - attack.defense_evasion From e71fce6f11a11c1b14aebf59b47f1bfb42d8f8f2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 13:55:14 +0200 Subject: [PATCH 038/127] fix errors --- ...rocess_creation_alternate_data_streams.yml | 109 +++++++++--------- 1 file changed, 52 insertions(+), 57 deletions(-) diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml index f98b1f01..643417f3 100644 --- a/rules/windows/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml 
@@ -1,57 +1,52 @@ -title: Execute From Alternate Data Streams -id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c -status: experimental -author: frack113 -date: 2021/0901 -description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md -tags: - - attack.defense_evasion - - attack.t1564.004 -logsource: - category: process_creation - product: windows -detection: - selection_stream: - CommandLine|contains: 'txt:' - selection_tools_type: - CommandLine|contains|all: - - 'type ' - - ' > ' - selection_tools_findstr: - CommandLine|contains|all: - - 'findstr ' - - ' /V ' - - ' /L ' - selection_tools_makecab: - CommandLine|contains|all: - - 'makecab ' - - '.cab' - selection_tools_dir: - CommandLine|contains|all: - - 'print ' - - '/D:' - selection_tools_reg: - CommandLine|contains|all: - - 'reg ' - - ' export ' - selection_tools_regedit: - CommandLine|contains|all: - - 'regedit ' - - ' /E ' - selection_tools_regedit: - CommandLine|contains|all: - - 'regedit ' - - ' /E ' - selection_tools_esentutl: - CommandLine|contains|all: - - 'esentutl ' - - ' /y ' - - ' /d ' - - ' /o ' - - condition: selection_stream and (1 of selection_tools_*) -falsepositives: - - Unknown -level: medium +title: Execute From Alternate Data Streams +id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c +status: experimental +author: frack113 +date: 2021/0901 +description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md +tags: + - attack.defense_evasion + - attack.t1564.004 +logsource: + category: process_creation + product: windows +detection: + selection_stream: + CommandLine|contains: 'txt:' + selection_tools_type: + CommandLine|contains|all: + - 'type ' + - ' > ' + selection_tools_findstr: + CommandLine|contains|all: + 
- 'findstr ' + - ' /V ' + - ' /L ' + selection_tools_makecab: + CommandLine|contains|all: + - 'makecab ' + - '.cab' + selection_tools_print: + CommandLine|contains|all: + - 'print ' + - '/D:' + selection_tools_reg: + CommandLine|contains|all: + - 'reg ' + - ' export ' + selection_tools_regedit: + CommandLine|contains|all: + - 'regedit ' + - ' /E ' + selection_tools_esentutl: + CommandLine|contains|all: + - 'esentutl ' + - ' /y ' + - ' /d ' + - ' /o ' + condition: selection_stream and (1 of selection_tools_*) +falsepositives: + - Unknown +level: medium From 8761927e8ce691486646adc8cc61c4364a5e2b29 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:57:17 +0200 Subject: [PATCH 039/127] rule: susp scrcons.exe creating named pipe --- .../sysmon_susp_wmi_consumer_namedpipe.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml new file mode 100644 index 00000000..1d4e7e24 --- /dev/null +++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml 
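Review bot: The diff rewrites all 57 lines of process_creation_alternate_data_streams.yml although the functional change is only the removal of the duplicated `selection_tools_regedit` block, the rename of `selection_tools_dir` to `selection_tools_print` and the dropped blank line before `condition`; a whole-file replace like this usually signals a line-ending or BOM change and hides the real edit from review. Normalising line endings in a separate whitespace-only commit, or via `.gitattributes`, would keep the rule change reviewable.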
@@ -0,0 +1,23 @@ +title: WMI Event Consumer Created Named Pipe +id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb +status: experimental +description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe +references: + - https://github.com/RiccardoAncarani/LiquidSnake +date: 2021/09/01 +author: Florian Roth +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' +detection: + selection: + Image|endswith: '\scrcons.exe' + condition: selection +falsepositives: + - Unknown +level: high From e787420be1d013c0f0ae93993d23e327b711ae70 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:57:36 +0200 Subject: [PATCH 040/127] rule: WMI filter content encoded executable --- .../sysmon_wmi_susp_encoded_scripts.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml new file mode 100644 index 00000000..03338301 --- /dev/null +++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml 
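Review bot: The tag `attack.t1055` (Process Injection) does not describe what this rule observes: a named pipe created by the WMI event consumer host scrcons.exe is an artefact of WMI event subscription abuse, which ATT&CK files under T1546.003, so `attack.persistence` plus `attack.t1546.003` would be the closer tagging unless the author specifically means injection performed through the consumer, in which case a comment on the tag line should say so. With `falsepositives: - Unknown` at `level: high`, and `Image|endswith: '\scrcons.exe'` matching every pipe the host creates, a note on whether scrcons.exe creates pipes in normal operation would help tuning.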
@@ -0,0 +1,28 @@ +title: Suspicious Encoded Scripts in a WMI Consumer +id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b +status: experimental +description: Detects suspicious encoded payloads in WMI Event Consumers +author: Florian Roth +references: + - https://github.com/RiccardoAncarani/LiquidSnake +date: 2021/09/01 +tags: + - attack.t1086 # an old one + - attack.execution + - attack.t1059.005 +logsource: + product: windows + category: wmi_event +detection: + selection_destination: + - Destination|base64offset|contains: + - 'WriteProcessMemory' + - 'This program cannot be run in DOS mode' + - 'This program must be run under Win32' + condition: selection_destination +fields: + - User + - Operation +falsepositives: + - Unknown +level: high From 505140d273553f4a2db27b3323b26e5ca7ec10f6 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 13:57:48 +0200 Subject: [PATCH 041/127] rule: extended WMI suspicious scripts rule --- .../windows/wmi_event/sysmon_wmi_susp_scripting.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index bea1f3af..e4b7fbf1 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -6,7 +6,9 @@ author: Florian Roth, Jonhnathan Ribeiro references: - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19 + - https://github.com/RiccardoAncarani/LiquidSnake date: 2019/04/15 +modified: 2021/09/01 tags: - attack.t1086 # an old one - attack.execution @@ -15,8 +17,6 @@ logsource: product: windows category: wmi_event detection: - selection: - EventID: 20 selection_destination: - Destination|contains|all: - 'new-object' 
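Review bot: `attack.t1086` is the retired ATT&CK id for PowerShell, superseded by T1059.001; the comment `# an old one` acknowledges this, but keeping the deprecated tag next to `attack.t1059.005` mixes old and new identifiers in one rule. Replacing it with `- attack.t1059.001` (if PowerShell-encoded payloads are the target) keeps the taxonomy current.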
@@ -33,10 +33,13 @@ detection: - ' -noprofile ' - ' -decode ' - ' -enc ' - condition: selection and selection_destination + - Destination|contains: + - 'WScript.Shell' + - 'System.Security.Cryptography.FromBase64Transform' + condition: selection_destination fields: - - CommandLine - - ParentCommandLine + - User + - Operation falsepositives: - Administrative scripts level: high From 2dbbaf01809d6e8ce77109f59b174a039f649c75 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 14:00:55 +0200 Subject: [PATCH 042/127] fix missing char in date --- .../process_creation_alternate_data_streams.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml index 643417f3..7460de70 100644 --- a/rules/windows/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml @@ -2,7 +2,7 @@ title: Execute From Alternate Data Streams id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c status: experimental author: frack113 -date: 2021/0901 +date: 2021/09/01 description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md From 1aac21ba791a514e7ad3dac814765d56189f8a34 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 14:03:42 +0200 Subject: [PATCH 043/127] fix: single list item issue --- rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml index 03338301..84a04fba 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml 
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml @@ -15,7 +15,7 @@ logsource: category: wmi_event detection: selection_destination: - - Destination|base64offset|contains: + Destination|base64offset|contains: - 'WriteProcessMemory' - 'This program cannot be run in DOS mode' - 'This program must be run under Win32' From deefcaa8ac7e2b9eea10a725808f3e9ba1e35068 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 1 Sep 2021 14:33:27 +0200 Subject: [PATCH 044/127] fix: prevent possible FPs with the respective command only used as the last parameter --- .../win_bad_opsec_sacrificial_processes.yml | 4 ++++ rules/windows/process_creation/win_susp_procs_req_dlls.yml | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index bce196ae..efe436c9 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -4,6 +4,7 @@ status: experimental description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community' date: 2020/10/23 +modified: 2021/09/01 references: - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ - https://www.cobaltstrike.com/help-opsec @@ -16,6 +17,9 @@ logsource: product: windows detection: selection: + Image|endswith: + - '\WerFault.exe' + - '\rundll32.exe' CommandLine|endswith: - '\WerFault.exe' - '\rundll32.exe' 
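Review bot: In the `@@ -16,6 +17,9 @@` hunk of win_bad_opsec_sacrificial_processes.yml the new `Image|endswith` list and the existing `CommandLine|endswith` list are two independent multi-value fields ANDed together, so an `Image` of `\WerFault.exe` with a `CommandLine` ending in `\rundll32.exe` still matches; the per-binary pairing the commit message aims for ("the respective command") is not enforced. The same cross-product appears in the `@@ -10,11 +10,17 @@` hunk of win_susp_procs_req_dlls.yml in the next patch. One selection per binary (`Image|endswith` and `CommandLine|endswith` for the same name) joined by `condition: 1 of selection*` expresses the intent, which is the shape patch 057 later in this series adopts. The `selection` block continues past the end of the hunk.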
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml index d52158f8..dcbadaf4 100644 --- a/rules/windows/process_creation/win_susp_procs_req_dlls.yml +++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml @@ -10,11 +10,17 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Florian Roth date: 2021/05/27 +modified: 2021/09/01 logsource: category: process_creation product: windows detection: selection: + Image|endswith: + - '\rundll32.exe' + - '\regsvcs.exe' + - '\regasm.exe' + - '\regsvr32.exe' CommandLine|endswith: - '\rundll32.exe' - '\regsvcs.exe' From ae9966bdccbaf25e8e2be224424edf99ed9c1494 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 1 Sep 2021 14:48:32 +0200 Subject: [PATCH 045/127] fix: unifying two overlapping rules --- .../win_bad_opsec_sacrificial_processes.yml | 22 ++++++++++- .../win_susp_procs_req_dlls.yml | 39 ------------------- 2 files changed, 20 insertions(+), 41 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_procs_req_dlls.yml diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index efe436c9..8fc81f3a 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml 
@@ -2,12 +2,17 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments id: a7c3d773-caef-227e-a7e7-c2f13c622329 status: experimental description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' -author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community' +author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard date: 2020/10/23 modified: 2021/09/01 references: - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ - https://www.cobaltstrike.com/help-opsec + - https://twitter.com/CyberRaiju/status/1251492025678983169 + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 + - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool + - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback tags: - attack.defense_evasion - attack.t1085 # an old one @@ -20,10 +25,23 @@ detection: Image|endswith: - '\WerFault.exe' - '\rundll32.exe' + - '\regsvcs.exe' + - '\regasm.exe' + - '\regsvr32.exe' CommandLine|endswith: - '\WerFault.exe' - '\rundll32.exe' - condition: selection + - '\regsvcs.exe' + - '\regasm.exe' + - '\regsvr32.exe' + filter1: + ParentImage|contains: + - '\AppData\Local\' + - '\Microsoft\Edge\' + condition: selection and not filter1 +fields: + - ParentImage + - ParentCommandLine falsepositives: - Unlikely level: high 
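Review bot: `filter1` in the `@@ -20,10 +25,23 @@` hunk suppresses every event whose `ParentImage` contains `\AppData\Local\`, which is the per-user directory where dropped tooling typically runs, so the exclusion removes a large share of the cases the rule is meant to catch along with the Edge-updater noise. Narrow it to the specific legitimate parent path that produced the false positives instead of the whole directory, e.g. keep `- '\Microsoft\Edge\'` and replace `- '\AppData\Local\'` with the full updater path that was observed. The unquoted `author:` scalar now contains `@securonix` mid-string, which YAML accepts, but it is inconsistent with the quoted form the line had before; the merged `references` list and `fields` additions are fine.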
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml deleted file mode 100644 index dcbadaf4..00000000 --- a/rules/windows/process_creation/win_susp_procs_req_dlls.yml +++ /dev/null @@ -1,39 +0,0 @@ -title: Suspicious Process Start Without DLL -id: f5647edc-a7bf-4737-ab50-ef8c60dc3add -description: Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity -status: experimental -references: - - https://twitter.com/CyberRaiju/status/1251492025678983169 - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 - - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool - - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback -author: Florian Roth -date: 2021/05/27 -modified: 2021/09/01 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: - - '\rundll32.exe' - - '\regsvcs.exe' - - '\regasm.exe' - - '\regsvr32.exe' - CommandLine|endswith: - - '\rundll32.exe' - - '\regsvcs.exe' - - '\regasm.exe' - - '\regsvr32.exe' - filter1: - ParentImage|contains: - - '\AppData\Local\' - - '\Microsoft\Edge\' - condition: selection and not filter1 -fields: - - ParentImage - - ParentCommandLine -falsepositives: - - Possible but rare -level: high From 0b38237dbff215b899cf33ee134491a13601f541 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 1 Sep 2021 15:38:29 +0200 Subject: [PATCH 046/127] fix: add relation to now obsolete rule --- .../process_creation/win_bad_opsec_sacrificial_processes.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 8fc81f3a..0b3481e0 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -1,6 +1,9 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments id: a7c3d773-caef-227e-a7e7-c2f13c622329 status: experimental +related: + - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add + type: obsoletes description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard date: 2020/10/23 From 2f7f050ad811640809164b42e8ffc231b53e3952 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 16:32:27 +0200 Subject: [PATCH 047/127] fix: removed tags --- .../pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml index 1d4e7e24..44954d47 100644 --- a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml +++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml @@ -6,10 +6,6 @@ references: - https://github.com/RiccardoAncarani/LiquidSnake date: 2021/09/01 author: Florian Roth -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 logsource: product: windows category: pipe_created 
From b0c2d7b75ae24dc49bbd860f6a7ce2698cd21154 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 1 Sep 2021 16:34:50 +0200 Subject: [PATCH 048/127] fix: tags for WMI / execution / persistence --- rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml index 84a04fba..5388798c 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml @@ -7,9 +7,10 @@ references: - https://github.com/RiccardoAncarani/LiquidSnake date: 2021/09/01 tags: - - attack.t1086 # an old one - attack.execution - - attack.t1059.005 + - attack.t1047 + - attack.persistence + - attack.t1546.003 logsource: product: windows category: wmi_event From e83ee55573e0adf9cc15884b74036da1effe149e Mon Sep 17 00:00:00 2001 From: Konstantin Klinger Date: Wed, 1 Sep 2021 17:05:36 +0200 Subject: [PATCH 049/127] remove duplicate --- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 150b8dda..429b3016 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -41,7 +41,6 @@ detection: - PipeName|re: '\\f53f[0-9a-f]{2}' - PipeName|re: '\\rpc_[0-9a-f]{2}' - PipeName|re: '\\spoolss_[0-9a-f]{2}' - - PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}' - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,' condition: selection falsepositives: From 457da818a40e8bd8f6174de94a0cdbae433d5181 Mon Sep 17 00:00:00 2001 
From: Konstantin Klinger Date: Wed, 1 Sep 2021 17:06:55 +0200 Subject: [PATCH 050/127] regex optimisations --- .../pipe_created/sysmon_mal_cobaltstrike_re.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 429b3016..cd4c42d0 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml 
@@ -18,20 +18,15 @@ logsource:
 definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
 selection:
- - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
- - PipeName|re: '\\mojo\.5688\.8052\.35780273329370473[0-9a-f]{2}'
- - PipeName|re: '\\wkssvc[0-9a-f]{2}'
- - PipeName|re: '\\wkssvc_[0-9a-f]{2}'
+ - PipeName|re: '\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
+ - PipeName|re: '\\wkssvc_?[0-9a-f]{2}'
 - PipeName|re: '\\ntsvcs[0-9a-f]{2}'
 - PipeName|re: '\\DserNamePipe[0-9a-f]{2}'
 - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}'
- - PipeName|re: '\\mypipe\-f[0-9a-f]{2}'
- - PipeName|re: '\\mypipe\-h[0-9a-f]{2}'
- - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2}'
- - PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}'
+ - PipeName|re: '\\mypipe\-(?:f|h)[0-9a-f]{2}'
+ - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2,3}'
 - PipeName|re: '\\ntsvcs_[0-9a-f]{2}'
- - PipeName|re: '\\scerpc_[0-9a-f]{2}'
- - PipeName|re: '\\scerpc[0-9a-f]{2}'
+ - PipeName|re: '\\scerpc_?[0-9a-f]{2}'
 - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}'
 - PipeName|re: '\\MsFteWds[0-9a-f]{2}'
 - PipeName|re: '\\f4c3[0-9a-f]{2}'
From 1ba0a7c7a3557a43d87e14b3bd1d3917f24195c8 Mon Sep 17 00:00:00 2001
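Review bot: `'\\mypipe\-(?:f|h)[0-9a-f]{2}'` spells a single-character alternation as a group; a character class is the conventional form and the `\-` escape is only needed inside a class, so `- PipeName|re: '\\mypipe-[fh][0-9a-f]{2}'` is equivalent and easier to read. The `wkssvc_?`, `scerpc_?`, `{2,3}` and `mojo` merges are exact unions of the lines they replace, so coverage is unchanged. The `ntsvcs[0-9a-f]{2}` and `ntsvcs_[0-9a-f]{2}` pair that remains on separate lines could be folded the same way (`ntsvcs_?`) for consistency with the others.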
From: frack113 Date: Wed, 1 Sep 2021 19:38:35 +0200 Subject: [PATCH 051/127] add missing tags --- .../windows/file_event/sysmon_tsclient_filewrite_startup.yml | 3 +++ rules/windows/other/win_defender_amsi_trigger.yml | 5 ++++- rules/windows/other/win_defender_threat.yml | 3 +++ .../windows/registry_event/sysmon_reg_vbs_payload_stored.yml | 3 +++ .../registry_event/sysmon_sysinternals_eula_accepted.yml | 3 +++ 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml index c171dcdf..d11fd2b3 100755 --- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml +++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml @@ -15,3 +15,6 @@ detection: falsepositives: - unknown level: high +tags: + - attack.command_and_control + - attack.t1219 \ No newline at end of file diff --git a/rules/windows/other/win_defender_amsi_trigger.yml b/rules/windows/other/win_defender_amsi_trigger.yml index f872bf22..2478a55c 100644 --- a/rules/windows/other/win_defender_amsi_trigger.yml +++ b/rules/windows/other/win_defender_amsi_trigger.yml @@ -17,4 +17,7 @@ detection: condition: selection falsepositives: - unlikely -level: high \ No newline at end of file +level: high +tags: + - attack.execution + - attack.t1059 \ No newline at end of file diff --git a/rules/windows/other/win_defender_threat.yml b/rules/windows/other/win_defender_threat.yml index 9721af7b..76413e11 100644 --- a/rules/windows/other/win_defender_threat.yml +++ b/rules/windows/other/win_defender_threat.yml @@ -20,3 +20,6 @@ detection: falsepositives: - unlikely level: high +tags: + - attack.execution + - attack.t1059 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml index 0104e1bf..058178fc 100644 
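Review bot: The mapping added to sysmon_tsclient_filewrite_startup.yml (`attack.command_and_control` / `attack.t1219`) does not obviously fit a file written into a Startup folder, which reads as persistence, with the tsclient share pointing at RDP rather than remote-access software; the detection body is outside the hunk, so this should be checked against the selection before the tags land. `attack.t1059` on win_defender_threat.yml is likewise questionable, since a generic Defender threat event is not tied to script execution. Every `tags:` block in this patch is appended after `level:`, whereas the rules created earlier in this series (and the repository convention they show) place `tags` between the metadata and `logsource`; moving them keeps the files greppable in the same shape. Three of the files keep their missing trailing newline, which the `\ No newline at end of file` markers show is pre-existing rather than introduced here.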
--- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml +++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml @@ -29,3 +29,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.persistence + - attack.t1547.001 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml index 717e6b93..e526a09c 100755 --- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml @@ -11,6 +11,9 @@ falsepositives: - Legitimate use of SysInternals tools - Programs that use the same Registry Key level: low +tags: + - attack.resource_development + - attack.t1588.002 --- logsource: product: windows From e0cd35261cd47bc50ae84394ddef8f04a606c21e Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Sep 2021 20:01:03 +0200 Subject: [PATCH 052/127] add missing tags --- .../process_creation/win_susp_cmd_shadowcopy_access.yml | 3 +++ .../windows/process_creation/win_susp_rundll32_inline_vbs.yml | 3 +++ .../process_creation/win_susp_screenconnect_access.yml | 3 +++ rules/windows/process_creation/win_susp_userinit_child.yml | 3 +++ .../registry_event/sysmon_suspicious_keyboard_layout_load.yml | 4 +++- 5 files changed, 15 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml index 319eef8e..9b475340 100644 --- a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml +++ b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml @@ -17,3 +17,6 @@ detection: falsepositives: - Some rare backup scenarios level: medium +tags: + - attack.impact + - attack.t1490 \ No newline at end of file 
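Review bot: `attack.t1588.002` (Obtain Capabilities: Tool) describes what an adversary acquires before an intrusion, whereas sysmon_sysinternals_eula_accepted.yml observes a tool being run on a monitored host, so analysts pivoting on the tag will not find this rule where they expect it; a tool-usage mapping or a sentence in the rule explaining the choice would serve better. The same mapping is applied to sysmon_suspicious_keyboard_layout_load.yml in the following patch. In the sysinternals file the new block lands in the first YAML document ahead of the `---` separator, which is where the metadata lives, so placement relative to the multi-document structure is correct; only the ordering after `level:` differs from the rest of the repo.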
diff --git a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml index e85f144e..7018898a 100644 --- a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml +++ b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml @@ -20,3 +20,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1055 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_screenconnect_access.yml b/rules/windows/process_creation/win_susp_screenconnect_access.yml index 0f6f6259..d146d9dc 100644 --- a/rules/windows/process_creation/win_susp_screenconnect_access.yml +++ b/rules/windows/process_creation/win_susp_screenconnect_access.yml @@ -21,3 +21,6 @@ detection: falsepositives: - Legitimate use by administrative staff level: high +tags: + - attack.initial_access + - attack.t1133 \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml index 1b22804e..0c6693f1 100644 --- a/rules/windows/process_creation/win_susp_userinit_child.yml +++ b/rules/windows/process_creation/win_susp_userinit_child.yml @@ -24,3 +24,6 @@ fields: falsepositives: - Administrative scripts level: medium +tags: + - attack.defense_evasion + - attack.t1055 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index 0cd426a5..a7842bbe 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml 
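Review bot: `attack.t1055` (Process Injection) is attached to both win_susp_rundll32_inline_vbs.yml and win_susp_userinit_child.yml, but neither rule name suggests injection; inline script execution through rundll32 is usually mapped to signed-binary proxy execution (`attack.t1218.011`), and an unusual userinit child to persistence or logon-initiated execution. The detection bodies sit outside these hunks, so confirm against the selections before merging rather than taking the names at face value. `attack.initial_access` / `attack.t1133` on the ScreenConnect rule is consistent with the "access" wording in its `falsepositives` entry.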
@@ -25,4 +25,6 @@ detection:
 falsepositives:
 - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
 level: medium
-
+tags:
+ - attack.resource_development
+ - attack.t1588.002
From 5e87970c77ebf089b5ca96157bc6132694bda323 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 2 Sep 2021 09:47:54 +0200
Subject: [PATCH 053/127] add powershell_store_file_in_alternate_data_stream.yml
---
 ...ll_store_file_in_alternate_data_stream.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml
diff --git a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml
new file mode 100644
index 00000000..cfe46b78
--- /dev/null
+++ b/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml
@@ -0,0 +1,28 @@
+title: Powershell Store File In Alternate Data Stream
+id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
+status: experimental
+author: frack113
+date: 2021/09/02
+description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+tags:
+ - attack.defense-evasion
+ - attack.t1564.004
+logsource:
+ product: windows
+ service: powershell
+ definition: EnableScriptBlockLogging must be set to enable
+detection:
+ selection_id:
+ EventID: 4104
+ selection_compspec:
+ ScriptBlockText|contains|all:
+ - 'Start-Process'
+ - '-FilePath "$env:comspec" '
+ - '-ArgumentList '
+ - '>'
+ condition: selection_id and selection_compspec
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file
From 25c6f69ea3edd8d7251e6a69664c7cc37471fb1a Mon Sep 17 00:00:00 2001
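Review bot: `'-FilePath "$env:comspec" '` in powershell_store_file_in_alternate_data_stream.yml pins the match to one exact spelling with double quotes and a trailing space, so the same behaviour written with single quotes, no quotes, or extra whitespace around the argument produces no hit even though the script block is otherwise identical; splitting it into `- '-FilePath '` and `- 'comspec'` under the same `contains|all` keeps the intent without the quoting dependency. The selection name `selection_compspec` looks like a typo for `comspec`. The `'>'` entry matches almost any redirection on its own and only earns its place because of `all`, which is worth a short comment so nobody later "simplifies" it into an OR.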
From: frack113 Date: Thu, 2 Sep 2021 09:51:44 +0200 Subject: [PATCH 054/127] update references --- rules/windows/powershell/powershell_ntfs_ads_access.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml index 0d38b0d7..1c6f3018 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml @@ -4,6 +4,7 @@ status: experimental description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. references: - http://www.powertheshell.com/ntfsstreams/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md tags: - attack.defense_evasion - attack.t1564.004 From 6f1f70ca5e340b8884b0a020978a1bc79639acc1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 09:59:19 +0200 Subject: [PATCH 055/127] Add missing tags --- .../windows/process_creation/win_malware_conti_shadowcopy.yml | 3 +++ rules/windows/process_creation/win_malware_dtrack.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml index 3292bcba..9c07e2c0 100644 --- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml @@ -23,3 +23,6 @@ detection: falsepositives: - Some rare backup scenarios level: medium +tags: + - attack.impact + - attack.t1490 \ No newline at end of file diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml index e5e429be..3d44a016 100644 --- a/rules/windows/process_creation/win_malware_dtrack.yml +++ b/rules/windows/process_creation/win_malware_dtrack.yml 
@@ -21,3 +21,6 @@ fields: falsepositives: - Unlikely level: critical +tags: + - attack.impact + - attack.t1490 \ No newline at end of file From 90e673e5ac8b9049be8253b679b3b9a50e6d6d62 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 10:17:50 +0200 Subject: [PATCH 056/127] fix invalid tags --- .../powershell_store_file_in_alternate_data_stream.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml index cfe46b78..070ace3c 100644 --- a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml +++ b/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml @@ -7,7 +7,7 @@ description: Storing files in Alternate Data Stream (ADS) similar to Astaroth ma references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md tags: - - attack.defense-evasion + - attack.defense_evasion - attack.t1564.004 logsource: product: windows From f4a5df67ae44492fce0da860f1d7ab4b434b6e8f Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 2 Sep 2021 10:28:01 +0200 Subject: [PATCH 057/127] further narrowing down of the selection, therefore removing the filter --- .../win_bad_opsec_sacrificial_processes.yml | 28 ++++++++++++------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 0b3481e0..2d85255b 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml 
@@ -24,24 +24,32 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection1:
 Image|endswith:
 - '\WerFault.exe'
- - '\rundll32.exe'
- - '\regsvcs.exe'
- - '\regasm.exe'
- - '\regsvr32.exe'
 CommandLine|endswith:
 - '\WerFault.exe'
+ selection2:
+ Image|endswith:
 - '\rundll32.exe'
+ CommandLine|endswith:
+ - '\rundll32.exe'
+ selection3:
+ Image|endswith:
 - '\regsvcs.exe'
+ CommandLine|endswith:
+ - '\regsvcs.exe'
+ selection4:
+ Image|endswith:
 - '\regasm.exe'
+ CommandLine|endswith:
+ - '\regasm.exe'
+ selection5:
+ Image|endswith:
 - '\regsvr32.exe'
- filter1:
- ParentImage|contains:
- - '\AppData\Local\'
- - '\Microsoft\Edge\'
- condition: selection and not filter1
+ CommandLine|endswith:
+ - '\regsvr32.exe'
+ condition: 1 of selection*
 fields:
 - ParentImage
 - ParentCommandLine
From 5cb6eed52e27f5b3f082055ced15172ff79b43a8 Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Thu, 2 Sep 2021 14:09:03 +0200
Subject: [PATCH 058/127] fix: remove single value lists
---
 .../win_bad_opsec_sacrificial_processes.yml | 30 +++++++------------
 1 file changed, 10 insertions(+), 20 deletions(-)
diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
index 2d85255b..f3f2deef 100644
--- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
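Review bot: `CommandLine|endswith: '\rundll32.exe'` and its four siblings only match when the image path is the last token and is unquoted; a launch recorded as `"C:\Windows\System32\rundll32.exe"` ends in `"` and is not matched although it carries no arguments either, which is exactly the case the description says the rule is about. Adding the quoted form to each selection (e.g. `- '\rundll32.exe"'` next to `- '\rundll32.exe'`) or a trailing-whitespace/quote-tolerant `|re` keeps the no-argument intent. The per-binary selections joined by `condition: 1 of selection*` do correctly close the Image/CommandLine cross-product the earlier list form had, and dropping `filter1` removes the broad `\AppData\Local\` exclusion; the `fields` and `falsepositives` lines continue past the hunk.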
@@ -25,30 +25,20 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\WerFault.exe' - CommandLine|endswith: - - '\WerFault.exe' + Image|endswith: '\WerFault.exe' + CommandLine|endswith: '\WerFault.exe' selection2: - Image|endswith: - - '\rundll32.exe' - CommandLine|endswith: - - '\rundll32.exe' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: '\rundll32.exe' selection3: - Image|endswith: - - '\regsvcs.exe' - CommandLine|endswith: - - '\regsvcs.exe' + Image|endswith: '\regsvcs.exe' + CommandLine|endswith: '\regsvcs.exe' selection4: - Image|endswith: - - '\regasm.exe' - CommandLine|endswith: - - '\regasm.exe' + Image|endswith: '\regasm.exe' + CommandLine|endswith: '\regasm.exe' selection5: - Image|endswith: - - '\regsvr32.exe' - CommandLine|endswith: - - '\regsvr32.exe' + Image|endswith: '\regsvr32.exe' + CommandLine|endswith: '\regsvr32.exe' condition: 1 of selection* fields: - ParentImage From aaa568ff2d8190c4b0b755d337b36382750fa420 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 2 Sep 2021 14:18:38 +0200 Subject: [PATCH 059/127] print covert by win_susp_print.yml --- .../process_creation_alternate_data_streams.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml index 7460de70..1723a3de 100644 --- a/rules/windows/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml @@ -28,10 +28,6 @@ detection: CommandLine|contains|all: - 'makecab ' - '.cab' - selection_tools_print: - CommandLine|contains|all: - - 'print ' - - '/D:' selection_tools_reg: CommandLine|contains|all: - 'reg ' From 6a1b95d947bebbe84f4a9685d2ad9c0c52b028cc Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 2 Sep 2021 14:22:59 +0200 Subject: [PATCH 060/127] Findstr covert by win_susp_findstr.yml --- .../process_creation_alternate_data_streams.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/rules/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/windows/process_creation/process_creation_alternate_data_streams.yml index 1723a3de..badd22c4 100644 --- a/rules/windows/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/windows/process_creation/process_creation_alternate_data_streams.yml @@ -19,11 +19,6 @@ detection: CommandLine|contains|all: - 'type ' - ' > ' - selection_tools_findstr: - CommandLine|contains|all: - - 'findstr ' - - ' /V ' - - ' /L ' selection_tools_makecab: CommandLine|contains|all: - 'makecab ' From 0b373ff1e984254cb2c81fe1e78a45830418d6e9 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 2 Sep 2021 14:47:47 +0200 Subject: [PATCH 061/127] fix: remove 2nd selection due to FPs --- .../process_creation/win_uac_bypass_dismhost.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_uac_bypass_dismhost.yml b/rules/windows/process_creation/win_uac_bypass_dismhost.yml index 6647013e..413109d9 100644 --- a/rules/windows/process_creation/win_uac_bypass_dismhost.yml +++ b/rules/windows/process_creation/win_uac_bypass_dismhost.yml @@ -17,7 +17,7 @@ logsource: category: process_creation product: windows detection: - selection1: + selection: ParentImage|contains|all: - 'C:\Users\' - '\AppData\Local\Temp\' @@ -25,13 +25,4 @@ detection: IntegrityLevel: - 'High' - 'System' - selection2: - Image|contains|all: - - 'C:\Users\' - - '\AppData\Local\Temp\' - - '\DismHost.exe' - IntegrityLevel: - - 'High' - - 'System' - ParentCommandLine: 'C:\Windows\system32\cleanmgr.exe /autoclean /d C:' - condition: 1 of selection* + condition: selection 
From 15e25f963520b1ca7cfa141d793fb71073e6bbcc Mon Sep 17 00:00:00 2001
From: klingerko
Date: Thu, 2 Sep 2021 14:50:14 +0200
Subject: [PATCH 062/127] update modifed date
---
 rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
index cd4c42d0..3a857bbc 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
@@ -6,7 +6,7 @@ references:
 - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 date: 2021/07/30
-modifed: 2021/08/26
+modifed: 2021/09/02
 author: Florian Roth
 tags:
 - attack.defense_evasion
From ab721c736cf5f098fbdc9a835df28dd6b85e36c4 Mon Sep 17 00:00:00 2001
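Review bot: The key being updated is `modifed:`, not `modified:`, and this patch bumps the date while keeping the misspelling, so the modification date is stored under a key that Sigma tooling and every other rule in this series (`modified: 2021/09/01` in the bad-opsec and WMI rules) does not use. Change the added line to `+modified: 2021/09/02` so the value is picked up; the commit subject carries the same typo.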
From: phantinuss Date: Thu, 2 Sep 2021 14:55:17 +0200 Subject: [PATCH 063/127] chore: move level/falsepositives to bottom --- .../file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml | 6 +++--- .../file_event/sysmon_uac_bypass_consent_comctl32.yml | 8 ++++---- .../file_event/sysmon_uac_bypass_dotnet_profiler.yml | 6 +++--- rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml | 6 +++--- .../windows/file_event/sysmon_uac_bypass_msconfig_gui.yml | 6 +++--- .../file_event/sysmon_uac_bypass_ntfs_reparse_point.yml | 6 +++--- rules/windows/file_event/sysmon_uac_bypass_winsat.yml | 6 +++--- rules/windows/file_event/sysmon_uac_bypass_wmp.yml | 6 +++--- .../process_creation/win_hktl_uacme_uac_bypass.yml | 6 +++--- .../windows/process_creation/win_uac_bypass_cleanmgr.yml | 6 +++--- .../process_creation/win_uac_bypass_consent_comctl32.yml | 6 +++--- .../windows/process_creation/win_uac_bypass_dismhost.yml | 6 +++--- .../windows/process_creation/win_uac_bypass_ieinstal.yml | 6 +++--- .../process_creation/win_uac_bypass_msconfig_gui.yml | 6 +++--- .../win_uac_bypass_ntfs_reparse_point.yml | 6 +++--- rules/windows/process_creation/win_uac_bypass_winsat.yml | 6 +++--- rules/windows/process_creation/win_uac_bypass_wmp.yml | 6 +++--- .../registry_event/sysmon_uac_bypass_shell_open.yml | 6 +++--- rules/windows/registry_event/sysmon_uac_bypass_winsat.yml | 6 +++--- rules/windows/registry_event/sysmon_uac_bypass_wmp.yml | 6 +++--- 20 files changed, 61 insertions(+), 61 deletions(-) diff --git a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml index fca1e671..b5cec569 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows 
@@ -23,3 +20,6 @@ detection: TargetFilename|contains: '\AppData\Local\Temp\' TargetFilename|endswith: '.dll' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml index da6b278e..fd9c808f 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -20,4 +17,7 @@ detection: selection: TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@' TargetFilename|endswith: '\comctl32.dll' - condition: selection \ No newline at end of file + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml index 574a79b9..f2dd94cf 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -21,3 +18,6 @@ detection: TargetFilename|startswith: 'C:\Users\' TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml index 9ba625f0..826af0cb 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml 
@@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -23,3 +20,6 @@ detection: TargetFilename|contains: '\AppData\Local\Temp\' TargetFilename|endswith: 'consent.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml index cc0d08e6..d896bdb0 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -21,3 +18,6 @@ detection: TargetFilename|startswith: 'C:\Users\' TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml index 4c8b8198..7494bc23 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -21,3 +18,6 @@ detection: TargetFilename|startswith: 'C:\Users\' TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_winsat.yml b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml index 74017b15..07a32c8c 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_winsat.yml 
+++ b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -23,3 +20,6 @@ detection: - '\AppData\Local\Temp\system32\winsat.exe' - '\AppData\Local\Temp\system32\winmm.dll' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/sysmon_uac_bypass_wmp.yml b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml index efb7a09c..1026649f 100644 --- a/rules/windows/file_event/sysmon_uac_bypass_wmp.yml +++ b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: file_event product: windows @@ -24,3 +21,6 @@ detection: Image: 'C:\Windows\system32\DllHost.exe' TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe' condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml index 09ac275e..a491142c 100644 --- a/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml +++ b/rules/windows/process_creation/win_hktl_uacme_uac_bypass.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -22,3 +19,6 @@ detection: - Company: 'REvol Corp' - OriginalFileName: 'Akagi.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml index 3ed387b3..b2e34b5f 100644 --- a/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml 
+++ b/rules/windows/process_creation/win_uac_bypass_cleanmgr.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -24,3 +21,6 @@ detection: - 'High' - 'System' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml index e690075d..201451ab 100644 --- a/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml +++ b/rules/windows/process_creation/win_uac_bypass_consent_comctl32.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -24,3 +21,6 @@ detection: - 'High' - 'System' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_dismhost.yml b/rules/windows/process_creation/win_uac_bypass_dismhost.yml index 413109d9..64e8fe82 100644 --- a/rules/windows/process_creation/win_uac_bypass_dismhost.yml +++ b/rules/windows/process_creation/win_uac_bypass_dismhost.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -26,3 +23,6 @@ detection: - 'High' - 'System' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml index 7c734ccf..2db105f4 100644 --- a/rules/windows/process_creation/win_uac_bypass_ieinstal.yml +++ b/rules/windows/process_creation/win_uac_bypass_ieinstal.yml 
@@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -25,3 +22,6 @@ detection: Image|contains: '\AppData\Local\Temp\' Image|endswith: 'consent.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml index a7d65fd2..96e43028 100644 --- a/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml +++ b/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -24,3 +21,6 @@ detection: ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe' CommandLine: '"C:\Windows\system32\msconfig.exe" -5' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml index 4319cada..720da752 100644 --- a/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml +++ b/rules/windows/process_creation/win_uac_bypass_ntfs_reparse_point.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -34,3 +31,6 @@ detection: - '\dismhost.exe {' Image|endswith: '\DismHost.exe' condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_winsat.yml b/rules/windows/process_creation/win_uac_bypass_winsat.yml index c9ec3b38..5350f745 100644 --- a/rules/windows/process_creation/win_uac_bypass_winsat.yml 
+++ b/rules/windows/process_creation/win_uac_bypass_winsat.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -24,3 +21,6 @@ detection: ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe' ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_uac_bypass_wmp.yml b/rules/windows/process_creation/win_uac_bypass_wmp.yml index 25ab25c7..df9bfe07 100644 --- a/rules/windows/process_creation/win_uac_bypass_wmp.yml +++ b/rules/windows/process_creation/win_uac_bypass_wmp.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: process_creation product: windows @@ -29,3 +26,6 @@ detection: - 'High' - 'System' condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 38c9c889..68481a95 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: registry_event product: windows @@ -21,3 +18,6 @@ detection: TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml b/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml index 5d375369..43efa10c 100644 
--- a/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_winsat.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: registry_event product: windows @@ -23,3 +20,6 @@ detection: Details|startswith: 'c:\users\' Details|endswith: '\appdata\local\temp\system32\winsat.exe' condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml b/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml index ce2652e0..22f04a70 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_wmp.yml @@ -10,9 +10,6 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 -falsepositives: - - Unknown -level: high logsource: category: registry_event product: windows @@ -21,3 +18,6 @@ detection: TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe' Details: 'Binary Data' condition: selection +falsepositives: + - Unknown +level: high From 9bcefc6a937bb700e30cb410643436ce67ca751b Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 16:05:05 +0200 Subject: [PATCH 064/127] move uuid from global --- rules/windows/powershell/powershell_suspicious_download.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index 1548d8cb..4870c05b 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml 
@@ -1,6 +1,5 @@ action: global title: Suspicious PowerShell Download -id: 65531a81-a694-4e31-ae04-f8ba5bc33759 status: experimental description: Detects suspicious PowerShell download command tags: @@ -14,6 +13,7 @@ falsepositives: - PowerShell scripts that download content from the Internet level: medium --- +id: 65531a81-a694-4e31-ae04-f8ba5bc33759 logsource: product: windows service: powershell @@ -25,6 +25,7 @@ detection: - '.DownloadString(' condition: webclient and download --- +id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d logsource: product: windows service: powershell-classic From 7ccb773b20ee2494e62279f3484c7b08f5a1f889 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Thu, 2 Sep 2021 17:37:41 +0100 Subject: [PATCH 065/127] Update AWS Update Login Profile rule Update selection criteria for AWS Update Login Profile rule to check for mismatch between userIdentity.arn and requestParameters.userName. Closes SigmaHQ/sigma#1966. --- rules/cloud/aws/aws_update_login_profile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml index 8ac3ea17..6815fe2f 100644 --- a/rules/cloud/aws/aws_update_login_profile.yml +++ b/rules/cloud/aws/aws_update_login_profile.yml @@ -15,7 +15,7 @@ detection: eventSource: iam.amazonaws.com eventName: UpdateLoginProfile filter: - userIdentity.arn|contains: responseElements.accessKey.userName + userIdentity.arn|contains: requestParameters.userName condition: selection_source and not filter fields: - userIdentity.arn From 78d3fa4795373ccf8613fb75f4650d46eeb8f014 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Thu, 2 Sep 2021 17:32:33 +0100 Subject: [PATCH 066/127] Update AWS STS AssumeRole Misuse rule Update selection criteria for AWS STS AssumeRole Misuse rule for any event by an AssumedRole userIdentity. Closes SigmaHQ/sigma#1963. --- rules/cloud/aws/aws_sts_assumerole_misuse.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
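Review bot: The filter `userIdentity.arn|contains: requestParameters.userName` compares the ARN against the literal string `requestParameters.userName`, not against the value of that CloudTrail field, because a Sigma modifier's right-hand side is a literal value in this toolchain; the `responseElements.accessKey.userName` string it replaces had the same problem. Since no ARN contains that text, the filter never matches and `selection_source and not filter` fires on every UpdateLoginProfile call, including a user resetting their own console password, which is the opposite of the mismatch check the commit message describes. Unless the target backend supports field-to-field references, the comparison has to happen downstream; either document that in the rule (`description` and `falsepositives`, outside this hunk) or drop the filter so the rule honestly reads as "alert on every UpdateLoginProfile". The `fields` list that follows already surfaces both values for the analyst to compare.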
diff --git a/rules/cloud/aws/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/aws_sts_assumerole_misuse.yml index f7464612..6163a040 100644 --- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml +++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml @@ -12,8 +12,7 @@ logsource: service: cloudtrail detection: selection: - eventSource: sts.amazonaws.com - eventName: AssumeRole + userIdentity.type: AssumedRole userIdentity.sessionContext.sessionIssuer.type: Role condition: selection level: low From 086a15fc4504ccb527e7f4a28ec05955ba019408 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 20:07:03 +0200 Subject: [PATCH 067/127] Update global ID --- rules/compliance/cleartext_protocols.yml | 3 +- ...itd_cve_2021_3156_sudo_buffer_overflow.yml | 3 +- rules/linux/lnx_network_service_scanning.yml | 3 +- rules/linux/lnx_security_tools_disabling.yml | 3 +- rules/linux/lnx_sudo_cve_2019_14287.yml | 3 +- rules/linux/lnx_system_info_discovery.yml | 3 +- rules/network/net_high_dns_bytes_out.yml | 3 +- rules/network/net_high_dns_requests_rate.yml | 3 +- rules/network/net_susp_network_scan.yml | 3 +- rules/windows/builtin/win_apt_apt29_tor.yml | 1 + .../win_cobaltstrike_service_installs.yml | 3 +- .../win_invoke_obfuscation_clip+_services.yml | 4 ++- ...ke_obfuscation_obfuscated_iex_services.yml | 4 ++- ...win_invoke_obfuscation_stdin+_services.yml | 4 ++- .../sysmon_wmiprvse_wbemcomn_dll_hijack.yml | 3 +- tools/sigma/sigma_uuid.py | 30 ++++++++++++++++--- 16 files changed, 58 insertions(+), 18 deletions(-) diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml index 40905d70..e50e0ea2 100644 --- a/rules/compliance/cleartext_protocols.yml +++ b/rules/compliance/cleartext_protocols.yml 
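Review bot: With `eventSource: sts.amazonaws.com` and `eventName: AssumeRole` removed, the selection is only `userIdentity.type: AssumedRole` plus `sessionIssuer.type: Role`, which matches every CloudTrail record produced by any role session (instance profiles, Lambda execution roles, SSO permission sets) rather than a misuse pattern, and `level: low` does not make that volume manageable in a normal account. If the intent stated in the commit message is really "any event by an AssumedRole identity", the rule is a baseline or enrichment query and its `description` and `falsepositives` (outside this hunk) should say so explicitly; otherwise the selection needs a narrowing condition that distinguishes suspicious role use from routine workload activity. The enclosing rule document extends beyond the hunk.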
@@ -1,6 +1,5 @@ action: global title: Cleartext Protocol Usage -id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f status: stable description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. @@ -57,6 +56,7 @@ level: low # - PCI DSS 3.2 7.2 # - PCI DSS 3.2 7.3 --- +id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f logsource: product: netflow detection: @@ -80,6 +80,7 @@ detection: - 5904 condition: selection --- +id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e logsource: category: firewall detection: diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index da9e53df..737df5c2 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -1,6 +1,5 @@ action: global title: CVE-2021-3156 Exploitation Attempt -id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f status: experimental description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | Alternative approach might be to look for flooding of auditd logs due to bruteforcing | @@ -21,6 +20,7 @@ logsource: product: linux service: auditd --- +id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f detection: selection: type: 'EXECVE' @@ -43,6 +43,7 @@ detection: a4: '\' condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50 --- +id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2 detection: selection: type: 'SYSCALL' diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index 831c1dac..ce6d798d 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml 
@@ -1,6 +1,5 @@ action: global title: Linux Network Service Scanning -id: 3e102cd9-a70d-4a7a-9508-403963092f31 status: experimental description: Detects enumeration of local or remote network services. author: Alejandro Ortuno, oscd.community @@ -14,6 +13,7 @@ tags: - attack.discovery - attack.t1046 --- +id: 3e102cd9-a70d-4a7a-9508-403963092f31 logsource: category: process_creation product: linux @@ -31,6 +31,7 @@ detection: CommandLine|contains: 'l' condition: (netcat and not netcat_listen_flag) or network_scanning_tools --- +id: 3761e026-f259-44e6-8826-719ed8079408 logsource: product: linux service: auditd diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 2fee4c8e..a51eade7 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -1,6 +1,5 @@ action: global title: Disabling Security Tools -id: e3a8a052-111f-4606-9aee-f28ebeb76776 status: experimental description: Detects disabling security tools author: Ömer Günal, Alejandro Ortuno, oscd.community @@ -15,6 +14,7 @@ tags: - attack.t1562.004 - attack.t1089 # an old one --- +id: e3a8a052-111f-4606-9aee-f28ebeb76776 logsource: category: process_creation product: linux @@ -84,6 +84,7 @@ detection: - 'falcon-sensor' condition: 1 of them --- +id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36 logsource: product: linux service: syslog diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index 84ab95b7..426f5934 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -1,6 +1,5 @@ action: global title: Sudo Privilege Escalation CVE-2019-14287 -id: f74107df-b6c6-4e80-bf00-4170b658162b status: experimental description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 author: Florian Roth 
@@ -21,11 +20,13 @@ tags: - attack.t1169 # an old one - attack.t1548.003 --- +id: f74107df-b6c6-4e80-bf00-4170b658162b detection: selection_keywords: - '* -u#*' condition: selection_keywords --- +id: 7fcc54cb-f27d-4684-84b7-436af096f858 detection: selection_user: USER: diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 892f10d7..f8b68956 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -1,6 +1,5 @@ action: global title: System Information Discovery -id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 status: stable description: Detects system information discovery commands author: Ömer Günal, oscd.community @@ -15,6 +14,7 @@ tags: - attack.discovery - attack.t1082 --- +id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 logsource: product: linux category: process_creation @@ -30,6 +30,7 @@ detection: - '/lsmod' condition: selection --- +id: 1f358e2e-cb63-43c3-b575-dfb072a6814f logsource: product: linux service: auditd diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml index 630a8a71..babf0d21 100644 --- a/rules/network/net_high_dns_bytes_out.yml +++ b/rules/network/net_high_dns_bytes_out.yml @@ -1,6 +1,5 @@ action: global title: High DNS Bytes Out -id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd status: experimental description: High DNS queries bytes amount from host per short period of time author: Daniil Yugoslavskiy, oscd.community @@ -14,6 +13,7 @@ tags: - attack.t1048 # an old one - attack.t1048.003 --- +id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd logsource: category: dns detection: @@ -22,6 +22,7 @@ detection: timeframe: 1m condition: selection | sum(question_length) by src_ip > 300000 --- +id: 3b6e327d-8649-4102-993f-d25786481589 logsource: category: firewall detection: diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml index 1e1d8f11..c870aacf 100644 
--- a/rules/network/net_high_dns_requests_rate.yml +++ b/rules/network/net_high_dns_requests_rate.yml @@ -1,6 +1,5 @@ action: global title: High DNS Requests Rate -id: b4163085-4001-46a3-a79a-55d8bbbc7a3a status: experimental description: High DNS requests amount from host per short period of time author: Daniil Yugoslavskiy, oscd.community @@ -17,6 +16,7 @@ tags: - attack.t1071 # an old one - attack.t1071.004 --- +id: b4163085-4001-46a3-a79a-55d8bbbc7a3a logsource: category: dns detection: @@ -25,6 +25,7 @@ detection: timeframe: 1m condition: selection | count() by src_ip > 1000 --- +id: 51186749-7415-46be-90e5-6914865c825a logsource: category: firewall detection: diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index ae8770e6..a4032fda 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -1,6 +1,5 @@ action: global title: Network Scans -id: fab0ddf0-b8a9-4d70-91ce-a20547209afb status: experimental description: Detects many failed connection attempts to different ports or hosts author: Thomas Patzke @@ -21,12 +20,14 @@ tags: - attack.discovery - attack.t1046 --- +id: fab0ddf0-b8a9-4d70-91ce-a20547209afb detection: selection: action: denied timeframe: 24h condition: selection | count(dst_port) by src_ip > 10 --- +id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8 detection: selection: action: denied diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index efd86f6e..8e4e79c8 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -26,6 +26,7 @@ falsepositives: - Unknown level: high --- +id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 logsource: category: process_creation product: windows diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 9f81e307..ca2308ab 100644 
--- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -1,6 +1,5 @@ action: global title: CobaltStrike Service Installations -id: 5a105d34-05fc-401e-8553-272b45c1522d description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement author: Florian Roth, Wojciech Lesicki references: @@ -34,6 +33,7 @@ falsepositives: - Unknown level: critical --- +id: 5a105d34-05fc-401e-8553-272b45c1522d logsource: product: windows service: system @@ -41,6 +41,7 @@ detection: selection_id: EventID: 7045 --- +id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml index 0b502851..6ba0e08f 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation CLIP+ Launcher -id: f7385ee2-0e0c-11eb-adc1-0242ac120002 description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection and selection_eventid --- +id: f7385ee2-0e0c-11eb-adc1-0242ac120002 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3 logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 4edf51e1-cb83-4e1a-bc39-800e396068e3 logsource: product: windows service: security 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml index b76bdade..aa3cec10 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Obfuscated IEX Invocation -id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community @@ -22,6 +21,7 @@ detection: - ImagePath|re: '\String\]\s*\$VerbosePreference' condition: selection and selection_1 --- +id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 logsource: product: windows service: system @@ -29,6 +29,7 @@ detection: selection: EventID: 7045 --- +id: e75c48bd-3434-4d61-94b7-ddfaa2c08487 logsource: product: windows category: driver_load @@ -36,6 +37,7 @@ detection: selection: EventID: 6 --- +id: fd0f5778-d3cb-4c9a-9695-66759d04702a logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml index 1345ea6c..0bebb79d 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation STDIN+ Launcher -id: 72862bf2-0eb1-11eb-adc1-0242ac120002 description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community 
@@ -21,6 +20,7 @@ detection: ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection and selection_eventid --- +id: 72862bf2-0eb1-11eb-adc1-0242ac120002 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 logsource: product: windows service: security diff --git a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml index b8064b87..8b47fd5a 100644 --- a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,6 +1,5 @@ action: global title: Wmiprvse Wbemcomn DLL Hijack -id: 614a7e17-5643-4d89-b6fe-f9df1a79641c description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. status: experimental date: 2020/10/12 @@ -17,6 +16,7 @@ falsepositives: - Unknown level: critical --- +id: 614a7e17-5643-4d89-b6fe-f9df1a79641c logsource: product: windows category: file_event @@ -26,6 +26,7 @@ detection: TargetFilename|endswith: '\wbem\wbemcomn.dll' condition: selection --- +id: 7707a579-e0d8-4886-a853-ce47e4575aaa logsource: product: windows category: image_load diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index 9ec32b71..8875004b 100755 --- a/tools/sigma/sigma_uuid.py +++ b/tools/sigma/sigma_uuid.py @@ -7,6 +7,7 @@ from uuid import uuid4, UUID import yaml from sigma.output import SigmaYAMLDumper + def print_verbose(*arg, **kwarg): print(*arg, **kwarg) 
@@ -14,6 +15,17 @@ def print_verbose(*arg, **kwarg):
 def yaml_preserve_order(self, dict_data):
     return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items())
 
+def valid_rule(rule,i,path):
+    try:
+        UUID(rule["id"])
+    except ValueError: # id is not a valid UUID
+        print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"]))
+        return False
+    except KeyError: # rule has no id
+        print("Rule {} in file {} has no UUID.".format(i, str(path)))
+        return False
+    return True
+
 def main():
     argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules")
     argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.")
@@ -37,22 +49,32 @@ def main():
     passed = True
     for path in paths:
         print_verbose("Rule {}".format(str(path)))
-        with path.open("r") as f:
+        with path.open("r",encoding="UTF-8") as f:
             rules = list(yaml.safe_load_all(f))
-
+
+        nb_rule = len(rules)
         if args.verify:
-            i = 1
+            if nb_rule == 1:
+                if not valid_rule(rules[0],1,path): passed = False
+            else:
+                if rules[0]["action"] == "global":
+                    for i in range(1,nb_rule):
+                        if not valid_rule(rules[i],i,path): passed = False
+            '''
             for rule in rules:
+                if "title" in rule: # Rule with a title should also have a UUID
                 try:
                     UUID(rule["id"])
                 except ValueError: # id is not a valid UUID
                     print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"]))
                     passed = False
+                    exit()
                 except KeyError: # rule has no id
                     print("Rule {} in file {} has no UUID.".format(i, str(path)))
                     passed = False
-            i += 1
+                    exit()
+            '''
         else:
             newrules = list()
             changed = False
From ac90ee0002895133550503ab1baa8b5a5498ac79 Mon Sep 17 00:00:00 2001
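Review bot: In the new verify branch of main(), `rules[0]["action"]` raises KeyError for any multi-document file whose first document lacks an `action` key, and when the key is present but not `global` the file passes verification although none of its documents was checked; use `if rules[0].get("action") == "global":` and treat the remaining multi-document case as a failure (print a message and set `passed = False`) instead of falling through. The old loop retained as a `'''` string literal between the new branch and `else:` is dead code and should be deleted rather than kept. In valid_rule (first hunk), `UUID(rule["id"])` only catches ValueError and KeyError, so an `id` that YAML parsed as a non-string (an unquoted integer, for instance) would presumably escape as a different exception and abort the whole run rather than be reported as malformed — worth confirming, and `UUID(str(rule["id"]))` would make the check uniform. The body of main() continues outside the hunk.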
From: frack113 Date: Thu, 2 Sep 2021 20:23:23 +0200 Subject: [PATCH 068/127] Update global ID --- .../win_invoke_obfuscation_var+_services.yml | 4 +++- ...invoke_obfuscation_via_compress_services.yml | 4 +++- ...n_invoke_obfuscation_via_rundll_services.yml | 4 +++- ...in_invoke_obfuscation_via_stdin_services.yml | 4 +++- ...invoke_obfuscation_via_use_clip_services.yml | 4 +++- ...nvoke_obfuscation_via_use_mshta_services.yml | 4 +++- ...ke_obfuscation_via_use_rundll32_services.yml | 4 +++- ...in_invoke_obfuscation_via_var++_services.yml | 4 +++- rules/windows/builtin/win_mal_creddumper.yml | 5 +++-- .../builtin/win_mal_service_installs.yml | 3 ++- ...t_or_impacket_smb_psexec_service_install.yml | 17 +++++++++-------- ...altstrike_getsystem_service_installation.yml | 4 +++- rules/windows/builtin/win_moriya_rootkit.yml | 3 ++- 13 files changed, 43 insertions(+), 21 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index 366fea97..939ff725 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation VAR+ Launcher -id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 description: Detects Obfuscated use of Environment Variables to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: all of them --- +id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 logsource: product: windows service: system @@ -28,10 +28,12 @@ detection: selection_eventid: EventID: 7045 --- +id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc logsource: product: windows category: process_creation --- +id: dcf2db1f-f091-425b-a821-c05875b8925a logsource: product: windows service: security 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index 2ec58024..1b1b490f 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation COMPRESS OBFUSCATION -id: 175997c5-803c-4b08-8bb0-70b099f47595 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection and selection_eventid --- +id: 175997c5-803c-4b08-8bb0-70b099f47595 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: c70731dd-0097-40ff-b112-f7032f29c16c logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index e6925517..11317dda 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation RUNDLL LAUNCHER -id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community 
@@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection and selection_eventid --- +id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index 01baa20f..4cc9ee79 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Via Stdin -id: 487c7524-f892-4054-b263-8a0ace63fc25 description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection and selection_eventid --- +id: 487c7524-f892-4054-b263-8a0ace63fc25 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 82b66143-53ee-4369-ab02-de2c70cd6352 logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index 701415bd..45b5d47b 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml 
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Via Use Clip -id: 63e3365d-4824-42d8-8b82-e56810fefa0c description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection and selection_eventid --- +id: 63e3365d-4824-42d8-8b82-e56810fefa0c logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851 logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index ccdb7759..decfefb6 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Via Use MSHTA -id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection and selection_eventid --- +id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: a4e82ad2-7430-4ee8-b858-6ad6099773fa logsource: product: windows category: driver_load 
@@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 4c2297a6..a095343e 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation Via Use Rundll32 -id: 641a4bfb-c017-44f7-800c-2aee0184ce9b description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community @@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection and selection_eventid --- +id: 641a4bfb-c017-44f7-800c-2aee0184ce9b logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 4e1518d9-2136-4015-ab49-c31d7c8588e1 logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a logsource: product: windows service: security diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml index e042bb14..af6859b6 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml @@ -1,6 +1,5 @@ action: global title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community 
@@ -21,6 +20,7 @@ detection: ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r condition: selection and selection_eventid --- +id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: selection_eventid: EventID: 7045 --- +id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d logsource: product: windows category: driver_load @@ -35,6 +36,7 @@ detection: selection_eventid: EventID: 6 --- +id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index 6a71474a..76cc287b 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -1,9 +1,7 @@ ---- action: global title: Credential Dumping Tools Service Execution description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed date: 2017/03/05 modified: 2021/03/18 references: @@ -44,6 +42,7 @@ falsepositives: - Legitimate Administrator using credential dumping tool for password recovery level: high --- +id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed logsource: product: windows service: system @@ -51,10 +50,12 @@ detection: selection: EventID: 7045 --- +id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2 logsource: product: windows category: driver_load --- +id: f0d1feba-4344-4ca9-8121-a6c97bd6df52 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index cf70185f..e5fcbbab 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml 
@@ -1,6 +1,5 @@ action: global title: Malicious Service Installations -id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 @@ -24,6 +23,7 @@ falsepositives: - Penetration testing level: critical --- +id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a logsource: product: windows service: system @@ -39,6 +39,7 @@ detection: malsvc_apt29: ServiceName: 'Java(TM) Virtual Machine Support Service' --- +id: cb062102-587e-4414-8efa-dbe3c7bf19c6 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml index 888c3dc9..6b61aec6 100644 --- a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml @@ -1,10 +1,9 @@ +action: global title: Metasploit Or Impacket Service Installation Via SMB PsExec -id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation author: Bartlomiej Czyz, Relativity date: 2021/01/21 modified: 2021/07/23 -action: global references: - https://bczyz1.github.io/2021/01/30/psexec.html tags: @@ -32,6 +31,7 @@ falsepositives: - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name level: high --- +id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 logsource: product: windows service: system 
@@ -39,10 +39,11 @@ detection: selection: EventID: 7045 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4697 diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 7e118373..0bd04b69 100644 --- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -1,6 +1,5 @@ action: global title: Meterpreter or Cobalt Strike Getsystem Service Installation -id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 @@ -48,6 +47,7 @@ falsepositives: - Highly unlikely level: critical --- +id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 logsource: product: windows service: system @@ -55,10 +55,12 @@ detection: selection: EventID: 7045 --- +id: d585ab5a-6a69-49a8-96e8-4a726a54de46 logsource: product: windows category: driver_load --- +id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 70636d9f..276d88f6 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -1,6 +1,5 @@ action: global title: Moriya Rootkit -id: 25b9c01c-350d-4b95-bed1-836d04a4f324 description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report status: experimental author: Bhabesh Raj 
@@ -16,6 +15,7 @@ tags: - attack.privilege_escalation - attack.t1543.003 --- +id: 25b9c01c-350d-4b95-bed1-836d04a4f324 logsource: product: windows service: system @@ -25,6 +25,7 @@ detection: ServiceName: ZzNetSvc condition: selection --- +id: a1507d71-0b60-44f6-b17c-bf53220fdd88 logsource: product: windows category: file_event From f90c7558a78d0766cf5686595609f45e2e071c09 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 21:03:25 +0200 Subject: [PATCH 069/127] update global id --- .../builtin/win_powershell_script_installed_as_service.yml | 4 +++- rules/windows/builtin/win_software_discovery.yml | 3 ++- .../network_connection/sysmon_regsvr32_network_activity.yml | 3 ++- rules/windows/other/win_defender_disabled.yml | 6 ++++-- rules/windows/other/win_tool_psexec.yml | 5 ++++- rules/windows/other/win_wmi_persistence.yml | 3 ++- .../sysmon_abusing_windows_telemetry_for_persistence.yml | 3 ++- rules/windows/sysmon/sysmon_pingback_backdoor.yml | 4 +++- 8 files changed, 22 insertions(+), 9 deletions(-) diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index 01652c7c..6ebf00e9 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -1,6 +1,5 @@ action: global title: PowerShell Scripts Installed as Services -id: a2e5019d-a658-4c6a-92bf-7197b54e2cae description: Detects powershell script installed as a Service status: experimental author: oscd.community, Natalia Shornikova @@ -21,6 +20,7 @@ falsepositives: - Unknown level: high --- +id: a2e5019d-a658-4c6a-92bf-7197b54e2cae logsource: product: windows service: system @@ -28,6 +28,7 @@ detection: service_creation: EventID: 7045 --- +id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073 logsource: product: windows service: sysmon 
@@ -35,6 +36,7 @@ detection: service_creation: EventID: 6 --- +id: 2a926e6a-4b81-4011-8a96-e36cc8c04302 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml index b68643c6..39148779 100644 --- a/rules/windows/builtin/win_software_discovery.yml +++ b/rules/windows/builtin/win_software_discovery.yml @@ -1,6 +1,5 @@ action: global title: Detected Windows Software Discovery -id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. status: experimental author: Nikita Nazarov, oscd.community @@ -17,6 +16,7 @@ falsepositives: detection: condition: 1 of them --- +id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 logsource: product: windows service: powershell @@ -30,6 +30,7 @@ detection: - 'select-object' - 'format-table' --- +id: e13f668e-7f95-443d-98d2-1816a7648a7b logsource: category: process_creation product: windows diff --git a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml index 7cc461ad..fd57839c 100644 --- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml +++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml @@ -1,6 +1,5 @@ action: global title: Regsvr32 Network Activity -id: c7e91a02-d771-4a6d-a700-42587e0b1095 description: Detects network connections and DNS queries initiated by Regsvr32.exe references: - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ @@ -31,10 +30,12 @@ falsepositives: - unknown level: high --- +id: c7e91a02-d771-4a6d-a700-42587e0b1095 logsource: category: network_connection product: windows --- +id: 36e037c4-c228-4866-b6a3-48eb292b9955 logsource: category: dns_query product: windows 
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml index 0c3281a6..4c7ec817 100644 --- a/rules/windows/other/win_defender_disabled.yml +++ b/rules/windows/other/win_defender_disabled.yml @@ -1,6 +1,5 @@ action: global title: Windows Defender Threat Detection Disabled -id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 description: Detects disabling Windows Defender threat protection date: 2020/07/28 modified: 2021/07/05 @@ -16,7 +15,8 @@ tags: falsepositives: - Administrator actions level: high ---- +--- +id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 logsource: product: windows service: windefend @@ -35,6 +35,7 @@ detection: Details: 'DWORD (0x00000001)' condition: 1 of them --- +id: a64e4198-c1c8-46a5-bc9c-324c86455fd4 logsource: product: windows category: registry_event @@ -45,6 +46,7 @@ detection: Details: 'DWORD (0x00000001)' condition: tamper_registry --- +id: 6c0a7755-6d31-44fa-80e1-133e57752680 logsource: product: windows category: system diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 250429d1..60f46fc5 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -1,6 +1,5 @@ action: global title: PsExec Tool Execution -id: 42c575ea-e41e-41f1-b248-8093c3e82a28 status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke @@ -28,6 +27,7 @@ falsepositives: - unknown level: low --- +id: 42c575ea-e41e-41f1-b248-8093c3e82a28 logsource: product: windows service: system @@ -40,6 +40,7 @@ detection: EventID: 7036 ServiceName: 'PSEXESVC' --- +id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba logsource: category: process_creation product: windows @@ -50,6 +51,7 @@ detection: - 'NT AUTHORITY\SYSTEM' - 'AUTORITE NT\Sys' # French language settings --- +id: f3f3a972-f982-40ad-b63c-bca6afdfad7c logsource: category: pipe_created product: windows 
@@ -57,6 +59,7 @@ detection: sysmon_pipecreated: PipeName: '\PSEXESVC' --- +id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d logsource: category: file_event product: windows diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 6a0d02d7..38819f13 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -1,6 +1,5 @@ action: global title: WMI Persistence -id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b status: experimental description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community @@ -18,6 +17,7 @@ falsepositives: - Unknown (data set is too small; further testing needed) level: medium --- +id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b logsource: product: windows service: wmi #native windows detection @@ -34,6 +34,7 @@ detection: EventID: 5859 condition: (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) --- +id: f033f3f3-fd24-4995-97d8-a3bb17550a88 logsource: product: windows service: security diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml index 58ac60c3..48ba2bf0 100644 --- a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml 
@@ -1,6 +1,5 @@ action: global title: Abusing Windows Telemetry For Persistence -id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 status: experimental description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. references: @@ -22,6 +21,7 @@ falsepositives: - none level: high --- +id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 logsource: product: windows category: registry_event @@ -32,6 +32,7 @@ detection: Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$' condition: selection --- +id: f548a603-c9f2-4c89-b511-b089f7e94549 logsource: product: windows category: process_creation diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml index 085c739e..a800c432 100644 --- a/rules/windows/sysmon/sysmon_pingback_backdoor.yml +++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml @@ -1,6 +1,5 @@ action: global title: Pingback Backdoor -id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 status: experimental description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report author: Bhabesh Raj @@ -15,6 +14,7 @@ tags: - attack.persistence - attack.t1574.001 --- +id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 logsource: product: windows category: file_event @@ -24,6 +24,7 @@ detection: TargetFilename: 'C:\Windows\oci.dll' condition: selection --- +id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b logsource: product: windows category: image_load @@ -33,6 +34,7 @@ detection: ImageLoaded: 'C:\Windows\oci.dll' condition: selection --- +id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 logsource: product: windows category: process_creation 
From d02ee1eddd3d96937c7ccae8c533618f9f7ecb53 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 2 Sep 2021 21:16:55 +0200 Subject: [PATCH 070/127] Update global ID --- rules/windows/builtin/win_powershell_web_request.yml | 3 ++- .../builtin/win_susp_athremotefxvgpudisablementcommand.yml | 4 +++- rules/windows/builtin/win_tap_driver_installation.yml | 4 +++- rules/windows/malware/win_mal_blue_mockingbird.yml | 4 +++- .../powershell/powershell_alternate_powershell_hosts.yml | 3 ++- rules/windows/powershell/powershell_powercat.yml | 3 ++- .../powershell/powershell_remote_powershell_session.yml | 3 ++- .../registry_event/sysmon_dns_serverlevelplugindll.yml | 3 ++- .../windows/registry_event/sysmon_stickykey_like_backdoor.yml | 3 ++- .../registry_event/sysmon_sysinternals_eula_accepted.yml | 3 ++- rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml | 3 ++- rules/windows/sysmon/sysmon_config_modification.yml | 3 ++- .../sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml | 3 ++- 13 files changed, 29 insertions(+), 13 deletions(-) diff --git a/rules/windows/builtin/win_powershell_web_request.yml b/rules/windows/builtin/win_powershell_web_request.yml index 54319f96..427d7ea9 100644 --- a/rules/windows/builtin/win_powershell_web_request.yml +++ b/rules/windows/builtin/win_powershell_web_request.yml @@ -1,6 +1,5 @@ action: global title: Windows PowerShell Web Request -id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d status: experimental description: Detects the use of various web request methods (including aliases) via Windows PowerShell command references: @@ -19,6 +18,7 @@ falsepositives: - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. level: medium --- +id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d logsource: category: process_creation product: windows @@ -32,6 +32,7 @@ detection: - 'Net.WebClient' - 'Start-BitsTransfer' --- +id: 1139d2e2-84b1-4226-b445-354492eba8ba logsource: product: windows service: powershell 
diff --git a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml index e4d35a7b..6fdd897e 100644 --- a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml @@ -1,6 +1,5 @@ action: global title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand -id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 status: experimental author: frack113 date: 2021/07/13 @@ -20,6 +19,7 @@ falsepositives: - Unknown level: medium --- +id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 logsource: product: windows category: process_creation @@ -34,6 +34,7 @@ detection: - '-RemoteFXvGPUDisablementFilePath' condition: selection_cmd and selection_opt --- +id: f65e22f9-819e-4f96-9c7b-498364ae7a25 logsource: product: windows service: powershell-classic @@ -49,6 +50,7 @@ detection: - '-RemoteFXvGPUDisablementFilePath' condition: selection_cmd and selection_opt --- +id: 38a7625e-b2cb-485d-b83d-aff137d859f4 logsource: product: windows service: powershell diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml index a5baba35..cc3ce6e7 100644 --- a/rules/windows/builtin/win_tap_driver_installation.yml +++ b/rules/windows/builtin/win_tap_driver_installation.yml @@ -1,6 +1,5 @@ action: global title: Tap Driver Installation -id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques status: experimental author: Daniil Yugoslavskiy, Ian Davis, oscd.community @@ -16,6 +15,7 @@ detection: ImagePath|contains: 'tap0901' condition: selection --- +id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 logsource: product: windows service: system 
@@ -23,10 +23,12 @@ detection: selection: EventID: 7045 --- +id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb logsource: product: windows category: driver_load --- +id: 9c8afa4d-0022-48f0-9456-3712466f9701 logsource: product: windows service: security diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml index 0752d958..096c0c44 100644 --- a/rules/windows/malware/win_mal_blue_mockingbird.yml +++ b/rules/windows/malware/win_mal_blue_mockingbird.yml @@ -1,6 +1,5 @@ action: global title: Blue Mockingbird -id: c3198a27-23a0-4c2c-af19-e5328d49680e status: experimental description: Attempts to detect system changes made by Blue Mockingbird references: @@ -17,6 +16,7 @@ level: high detection: condition: 1 of them --- +id: c3198a27-23a0-4c2c-af19-e5328d49680e logsource: category: process_creation product: windows @@ -27,6 +27,7 @@ detection: - 'sc config' - 'wercplsupporte.dll' --- +id: ce239692-aa94-41b3-b32f-9cab259c96ea logsource: category: process_creation product: windows @@ -35,6 +36,7 @@ detection: Image|endswith: '\wmic.exe' CommandLine|endswith: 'COR_PROFILER' --- +id: 92b0b372-a939-44ed-a11b-5136cf680e27 logsource: product: windows category: registry_event diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index 5078913e..58cad683 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -1,6 +1,5 @@ action: global title: Alternate PowerShell Hosts -id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 @@ -18,6 +17,7 @@ falsepositives: - Citrix ConfigSync.ps1 level: medium --- +id: 64e8e417-c19a-475a-8d19-98ea705394cc logsource: product: windows service: powershell 
@@ -30,6 +30,7 @@ detection: ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event condition: selection and not filter --- +id: d7326048-328b-4d5e-98af-86e84b17c765 logsource: product: windows service: powershell-classic diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_powercat.yml index c4c5cb0c..bf10582d 100644 --- a/rules/windows/powershell/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_powercat.yml @@ -1,6 +1,5 @@ action: global title: Netcat The Powershell Version -id: c5b20776-639a-49bf-94c7-84f912b91c15 status: experimental author: frack113 date: 2021/07/21 @@ -16,6 +15,7 @@ falsepositives: - Unknown level: medium --- +id: c5b20776-639a-49bf-94c7-84f912b91c15 logsource: product: windows service: powershell-classic @@ -28,6 +28,7 @@ detection: - 'powercat.ps1' condition: selection --- +id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 logsource: product: windows service: powershell diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 652741eb..429a623b 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -1,6 +1,5 @@ action: global title: Remote PowerShell Session -id: 96b9f619-aa91-478f-bacb-c3e50f8df575 description: Detects remote PowerShell sessions status: test date: 2019/08/10 @@ -19,6 +18,7 @@ falsepositives: - Legitimate use remote PowerShell sessions level: high --- +id: 96b9f619-aa91-478f-bacb-c3e50f8df575 logsource: product: windows service: powershell @@ -31,6 +31,7 @@ detection: - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = condition: selection --- +id: 60167e5c-84b2-4c95-a7ac-86281f27c445 logsource: product: windows service: powershell-classic 
diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml index fd7d5d2c..a40600b8 100755 --- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml @@ -1,6 +1,5 @@ action: global title: DNS ServerLevelPluginDll Install -id: e61e8a88-59a9-451c-874e-70fcc9740d67 status: experimental description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) @@ -25,6 +24,7 @@ falsepositives: - unknown level: high --- +id: e61e8a88-59a9-451c-874e-70fcc9740d67 logsource: product: windows category: registry_event @@ -33,6 +33,7 @@ detection: TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' condition: 1 of them --- +id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 logsource: category: process_creation product: windows diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 7f23a329..eeaeb2cf 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml @@ -1,6 +1,5 @@ action: global title: Sticky Key Like Backdoor Usage -id: baca5663-583c-45f9-b5dc-ea96a22ce542 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen references: @@ -19,6 +18,7 @@ falsepositives: - Unlikely level: critical --- +id: baca5663-583c-45f9-b5dc-ea96a22ce542 logsource: category: registry_event product: windows 
@@ -33,6 +33,7 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' condition: 1 of them --- +id: 2fdefcb3-dbda-401e-ae23-f0db027628bc logsource: category: process_creation product: windows diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml index 717e6b93..b4d8825b 100755 --- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml @@ -1,6 +1,5 @@ action: global title: Usage of Sysinternals Tools -id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 status: experimental description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry references: @@ -12,6 +11,7 @@ falsepositives: - Programs that use the same Registry Key level: low --- +id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 logsource: product: windows category: registry_event @@ -20,6 +20,7 @@ detection: TargetObject|endswith: '\EulaAccepted' condition: 1 of them --- +id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b logsource: category: process_creation product: windows diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml index 065779e1..ed8f6054 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml @@ -1,6 +1,5 @@ action: global title: UAC Bypass via Event Viewer -id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 status: experimental description: Detects UAC bypass method using Windows event viewer references: @@ -19,6 +18,7 @@ falsepositives: - unknown level: critical --- +id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 logsource: product: windows category: registry_event 
@@ -28,6 +28,7 @@ detection: TargetObject|endswith: '\mscfile\shell\open\command' condition: methregistry --- +id: be344333-921d-4c4d-8bb8-e584cf584780 logsource: category: process_creation product: windows diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index 38367005..6ca045a7 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -1,6 +1,5 @@ action: global title: Sysmon Configuration Modification -id: 1f2b5353-573f-4880-8e33-7d04dcf97744 description: Someone try to hide from Sysmon status: experimental author: frack113 @@ -16,6 +15,7 @@ falsepositives: - legitimate administrative action level: high --- +id: 1f2b5353-573f-4880-8e33-7d04dcf97744 logsource: product: windows category: sysmon_status @@ -26,6 +26,7 @@ detection: - 'Sysmon config state changed' condition: selection_stop or selection_conf --- +id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8 logsource: product: windows category: sysmon_error diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml index eea60e94..76de527b 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,6 +1,5 @@ action: global title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum -id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef status: experimental description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum author: Sittikorn S @@ -20,6 +19,7 @@ falsepositives: - Unlikely level: critical --- +id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef logsource: product: windows category: file_event 
@@ -38,6 +38,7 @@ detection: - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini' condition: selection --- +id: 32b5db62-cb5f-4266-9639-0fa48376ac00 logsource: product: windows category: registry_event From 1272c76ae7774430412a4adb7dbacbf1779ff92c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 2 Sep 2021 20:31:27 -0500 Subject: [PATCH 071/127] Create azure_network_firewall_policy_modified_or_deleted.yml --- ...rk_firewall_policy_modified_or_deleted.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml diff --git a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml new file mode 100644 index 00000000..b087d550 --- /dev/null +++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml 
@@ -0,0 +1,24 @@
+title: Azure Network Firewall Policy Modified or Deleted
+id: 83c17918-746e-4bd9-920b-8e098bf88c23
+description: Identifies when a Firewall Policy is Modified or Deleted.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/09/02
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
+ - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
+ - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
+ - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From d25fd420d60b07c7a94d41979a54237eb825a697 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 2 Sep 2021 20:48:35 -0500
Subject: [PATCH 072/127] Create azure_service_principal_created.yml
---
 .../azure/azure_service_principal_created.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/cloud/azure/azure_service_principal_created.yml
diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml
new file mode 100644
index 00000000..6eabb075
--- /dev/null
+++ b/rules/cloud/azure/azure_service_principal_created.yml
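Review bot: `tags` carries only the tactic `attack.impact` with no technique, which does not line up with the tactic-plus-technique tagging the other rules in this patch use (e.g. `attack.credential_access` together with `attack.t1187` in win_petitpotam_network_share.yml). Modifying or deleting a cloud firewall policy is MITRE T1562.007 (Impair Defenses: Disable or Modify Cloud Firewall), which sits under Defense Evasion rather than Impact, so I would expect `- attack.defense_evasion` and `- attack.t1562.007` here. The same tactic-only tagging recurs in azure_service_principal_created.yml (`attack.defense_evasion`, where creating a cloud identity is T1136.003, Create Account: Cloud Account, under Persistence) and in azure_app_credential_modification.yml (`attack.impact`, where adding credentials to an application is T1098.001, Account Manipulation: Additional Cloud Credentials, also under Persistence).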
@@ -0,0 +1,21 @@
+title: Azure Service Principal Created
+id: 0ddcff6d-d262-40b0-804b-80eb592de8e3
+description: Identifies when a service principal is created in Azure.
+author: Austin Songer
+status: experimental
+date: 2021/09/02
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message: "Add service principal"
+ condition: selection
+level: medium
+tags:
+ - attack.defense_evasion
+falsepositives:
+ - Service principal being created may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 10af7bbdb1e10d08b786498d33ba2194113c5adc Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 2 Sep 2021 20:53:32 -0500
Subject: [PATCH 073/127] Create azure_app_credential_modification.yml
---
 .../azure_app_credential_modification.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/cloud/azure/azure_app_credential_modification.yml
diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml
new file mode 100644
index 00000000..dec50c51
--- /dev/null
+++ b/rules/cloud/azure/azure_app_credential_modification.yml
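Review bot: `service: azure.activitylogs` does not match the event the rule keys on: "Add service principal" is an Azure AD audit-log activity, and the reference given is the Azure AD audit-activities page, whereas Azure Activity Logs carry resource-provider operations such as the `MICROSOFT.NETWORK/...` strings matched in azure_network_firewall_policy_modified_or_deleted.yml. Unless a deployment copies AAD audit events into the activity-log index, the selection would never match; as far as I can tell the Sigma taxonomy has a separate `azure.auditlogs` service for this source, so I would change the line to `service: azure.auditlogs`. The same mismatch applies to azure_app_credential_modification.yml, whose "Update application - Certificates and secrets management" message is likewise an Azure AD audit activity.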
@@ -0,0 +1,21 @@
+title: Azure Application Credential Modified
+id: cdeef967-f9a1-4375-90ee-6978c5f23974
+description: Identifies when a application credential is modified.
+author: Austin Songer
+status: experimental
+date: 2021/09/02
+references:
+ - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message: "Update application - Certificates and secrets management"
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Application credential added may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 643ec0abe3ced1facc09d7d5838ac758802386aa Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 2 Sep 2021 21:00:02 -0500
Subject: [PATCH 074/127] Update azure_service_principal_created.yml
---
 rules/cloud/azure/azure_service_principal_created.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml
index 6eabb075..82e422ca 100644
--- a/rules/cloud/azure/azure_service_principal_created.yml
+++ b/rules/cloud/azure/azure_service_principal_created.yml
@@ -1,7 +1,7 @@
 title: Azure Service Principal Created
 id: 0ddcff6d-d262-40b0-804b-80eb592de8e3
 description: Identifies when a service principal is created in Azure.
-author: Austin Songer
+author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/02
 references:
From 775c0e8e7f19b2248d22e3497055dc639d08b5eb Mon Sep 17 00:00:00 2001
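Review bot: The description line has a grammar slip, `Identifies when a application credential is modified.` should read `an application credential`. The title says "Modified" while both `falsepositives` entries talk about a credential being "added"; the matched activity name ("Update application - Certificates and secrets management") suggests it fires for any change to an application's secrets or certificates, so phrasing the falsepositives as "modified" would keep the rule's documented scope consistent with its title.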
From: Austin Songer
Date: Thu, 2 Sep 2021 21:00:21 -0500
Subject: [PATCH 075/127] Update azure_app_credential_modification.yml
---
 rules/cloud/azure/azure_app_credential_modification.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml
index dec50c51..1a95a62c 100644
--- a/rules/cloud/azure/azure_app_credential_modification.yml
+++ b/rules/cloud/azure/azure_app_credential_modification.yml
@@ -1,7 +1,7 @@
 title: Azure Application Credential Modified
 id: cdeef967-f9a1-4375-90ee-6978c5f23974
 description: Identifies when a application credential is modified.
-author: Austin Songer
+author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/02
 references:
From ba41e922d29e38990ffc43a2a85ed875dda21bb0 Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Fri, 3 Sep 2021 00:12:49 -0400
Subject: [PATCH 076/127] adding Petitpotam host detections
---
 .../builtin/win_petitpotam_network_share.yml | 25 ++++++++++++++
 .../win_petitpotam_susp_tgt_request.yml | 34 +++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 rules/windows/builtin/win_petitpotam_network_share.yml
 create mode 100644 rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/win_petitpotam_network_share.yml
new file mode 100644
index 00000000..15ee76da
--- /dev/null
+++ b/rules/windows/builtin/win_petitpotam_network_share.yml
@@ -0,0 +1,25 @@
+title: Possible PetitPotam Coerce Authentication Attempt
+id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
+description: Detect PetitPotam coerced authentication activity.
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+references:
+ - https://github.com/topotam/PetitPotam
+ - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
+tags:
+ - attack.credential_access
+ - attack.t1187
+logsource:
+ product: windows
+ service: security
+ definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
+detection:
+ selection:
+ EventID: 5145
+ Share_Name: \\*\IPC$
+ Relative_Target_Name: lsarpc
+ Account_Name: ANONYMOUS LOGON
+ condition: selection
+falsepositives:
+ - Unknown. Feedback welcomed.
+level: high
diff --git a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
new file mode 100644
index 00000000..da7fdf9e
--- /dev/null
+++ b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
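Review bot: The selection uses Splunk-style field names `Share_Name`, `Relative_Target_Name` and `Account_Name`, while the rest of this patch uses the native EVTX names the repo's field mappings are keyed on (`TargetUserName` and `WorkstationName` in win_susp_failed_logons_single_source.yml, `CallerProcessName` in win_apt_wocao.yml), so backends other than Splunk would presumably query fields that do not exist and the rule would silently never fire. For event 5145 the native names are `ShareName`, `RelativeTargetName` and `SubjectUserName`; I would change the three lines to `ShareName: '\\*\IPC$'`, `RelativeTargetName: 'lsarpc'` and `SubjectUserName: 'ANONYMOUS LOGON'`. The same carry-over appears in win_petitpotam_susp_tgt_request.yml (`Account_Name`, `Certificate_Thumbprint`, `Client_Address` for 4768, natively `TargetUserName`, `CertThumbprint`, `IpAddress`). Both new rules also omit the `status:` key that the other rules added in this series carry.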
@@ -0,0 +1,34 @@
+title: PetitPotam Suspicious Kerberos TGT Request
+id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
+description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
+ certificate by abusing Active Directory Certificate Services in combination with
+ PetitPotam, the next step would be to leverage the certificate for malicious purposes.
+ One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
+ like Rubeus. This request will generate a 4768 event with some unusual fields depending
+ on the environment. This analytic will require tuning, we recommend filtering Account_Name
+ to the Domain Controller computer accounts.
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+references:
+ - https://github.com/topotam/PetitPotam
+ - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
+ - https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+tags:
+ - attack.credential_access
+ - attack.t1187
+logsource:
+ product: windows
+ service: security
+ definition: 'The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure'
+detection:
+ selection:
+ EventID: 4768
+ Account_Name|endswith: '$'
+ Certificate_Thumbprint: '*'
+ filter_local:
+ Client_Address: '::1'
+
+ condition: selection and not filter_local
+falsepositives:
+ - False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
+level: high
From a6bb5574fb01fd768691599526f81e0aba1bffed Mon Sep 17 00:00:00 2001
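Review bot: `Certificate_Thumbprint: '*'` is a bare wildcard, and as far as I recall 4768 events carry the certificate fields (empty) even for password-based pre-authentication, so depending on how a backend renders a lone `*` the selection may match every computer-account TGT request instead of only certificate-based ones. Stating the intent as an explicit empty-value exclusion does not depend on wildcard semantics: add `filter_empty:` / `  Certificate_Thumbprint: ''` and use `condition: selection and not filter_local and not filter_empty`. `filter_local` excludes only the IPv6 loopback `::1`; whether `127.0.0.1` also needs excluding depends on the environment and is worth a comment. The description has a typo, `attacer` → `attacker`, and the blank line before `condition:` inside `detection:` is unusual for rules in this repo.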
From: frack113 Date: Fri, 3 Sep 2021 06:35:35 +0200 Subject: [PATCH 077/127] Update global id --- rules/windows/builtin/win_net_ntlm_downgrade.yml | 3 ++- rules/windows/builtin/win_root_certificate_installed.yml | 3 ++- rules/windows/builtin/win_susp_eventlog_cleared.yml | 3 ++- .../windows/builtin/win_susp_failed_logons_single_source.yml | 3 ++- rules/windows/builtin/win_susp_zip_compress.yml | 4 +++- rules/windows/file_event/sysmon_hack_dumpert.yml | 3 ++- rules/windows/image_load/sysmon_tttracer_mod_load.yml | 3 ++- rules/windows/process_creation/win_advanced_ip_scanner.yml | 3 ++- rules/windows/process_creation/win_apt_turla_commands.yml | 3 ++- rules/windows/process_creation/win_apt_wocao.yml | 3 ++- .../windows/process_creation/win_exchange_transportagent.yml | 3 ++- rules/windows/process_creation/win_hktl_createminidump.yml | 3 ++- rules/windows/process_creation/win_mal_adwind.yml | 4 +++- .../windows/process_creation/win_silenttrinity_stage_use.yml | 3 ++- rules/windows/registry_event/sysmon_apt_pandemic.yml | 3 ++- 15 files changed, 32 insertions(+), 15 deletions(-) diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 4269933d..062e6aa5 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -1,6 +1,5 @@ action: global title: NetNTLM Downgrade Attack -id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 description: Detects NetNTLM downgrade attack references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks @@ -18,6 +17,7 @@ falsepositives: - Unknown level: critical --- +id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 logsource: product: windows category: registry_event @@ -34,6 +34,7 @@ detection: --- # Windows Security Eventlog: Process Creation with Full Command Line +id: d3abac66-f11c-4ed0-8acb-50cc29c97eed logsource: product: windows service: security 
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml index d0f67207..f670b8f4 100644 --- a/rules/windows/builtin/win_root_certificate_installed.yml +++ b/rules/windows/builtin/win_root_certificate_installed.yml @@ -1,6 +1,5 @@ action: global title: Root Certificate Installed -id: 42821614-9264-4761-acfc-5772c3286f76 status: experimental description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: @@ -16,6 +15,7 @@ falsepositives: detection: condition: 1 of them --- +id: 42821614-9264-4761-acfc-5772c3286f76 logsource: product: windows service: powershell @@ -31,6 +31,7 @@ detection: - 'Import-Certificate' - 'Cert:\LocalMachine\Root' --- +id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc logsource: category: process_creation product: windows diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index e1e90819..ecd5b252 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -1,6 +1,5 @@ action: global title: Eventlog Cleared -id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 related: - id: f2f01843-e7b8-4f95-a35a-d23584476423 type: obsoletes @@ -21,6 +20,7 @@ falsepositives: - System provisioning (system reset before the golden image creation) level: high --- +id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 logsource: product: windows service: security @@ -31,6 +31,7 @@ detection: - 1102 condition: selection --- +id: a62b37e0-45d3-48d9-a517-90c1a1b0186b logsource: product: windows service: system diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index cf0ce27f..b4ad3b78 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml 
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml @@ -1,6 +1,5 @@ action: global title: Failed Logins with Different Accounts from Single Source System -id: e98374a6-e2d9-4076-9b5c-11bdb2569995 description: Detects suspicious failed logins with different user accounts from a single source system author: Florian Roth date: 2017/01/10 @@ -19,6 +18,7 @@ falsepositives: - Workstations with frequently changing users level: medium --- +id: e98374a6-e2d9-4076-9b5c-11bdb2569995 detection: selection1: EventID: @@ -28,6 +28,7 @@ detection: WorkstationName: '*' condition: selection1 | count(TargetUserName) by WorkstationName > 3 --- +id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 detection: selection2: EventID: 4776 diff --git a/rules/windows/builtin/win_susp_zip_compress.yml b/rules/windows/builtin/win_susp_zip_compress.yml index 5534e42b..4f0ab147 100644 --- a/rules/windows/builtin/win_susp_zip_compress.yml +++ b/rules/windows/builtin/win_susp_zip_compress.yml @@ -1,6 +1,5 @@ action: global title: Zip A Folder With PowerShell For Staging In Temp -id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 status: experimental author: frack113 date: 2021/07/20 @@ -14,6 +13,7 @@ falsepositives: - Unknown level: medium --- +id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 logsource: product: windows category: process_creation @@ -26,6 +26,7 @@ detection: - '$env:TEMP\' condition: selection --- +id: 71ff406e-b633-4989-96ec-bc49d825a412 logsource: product: windows service: powershell-classic @@ -39,6 +40,7 @@ detection: - '$env:TEMP\' condition: selection --- +id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 logsource: product: windows service: powershell diff --git a/rules/windows/file_event/sysmon_hack_dumpert.yml b/rules/windows/file_event/sysmon_hack_dumpert.yml index a29ef780..8259b12c 100755 --- a/rules/windows/file_event/sysmon_hack_dumpert.yml +++ b/rules/windows/file_event/sysmon_hack_dumpert.yml 
@@ -1,6 +1,5 @@ action: global title: Dumpert Process Dumper -id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory author: Florian Roth references: @@ -16,6 +15,7 @@ falsepositives: - Very unlikely level: critical --- +id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 logsource: category: process_creation product: windows @@ -24,6 +24,7 @@ detection: Imphash: '09D278F9DE118EF09163C6140255C690' condition: selection --- +id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 logsource: category: file_event product: windows diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml index 64f945e8..955ca591 100644 --- a/rules/windows/image_load/sysmon_tttracer_mod_load.yml +++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml @@ -1,6 +1,5 @@ action: global title: Time Travel Debugging Utility Usage -id: e76c8240-d68f-4773-8880-5c6f63595aaf description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. references: - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ @@ -19,6 +18,7 @@ falsepositives: - Legitimate usage by software developers/testers level: high --- +id: e76c8240-d68f-4773-8880-5c6f63595aaf logsource: product: windows category: image_load @@ -29,6 +29,7 @@ detection: - '\ttdwriter.dll' - '\ttdloader.dll' --- +id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/win_advanced_ip_scanner.yml b/rules/windows/process_creation/win_advanced_ip_scanner.yml index a62d7260..92df8008 100644 --- a/rules/windows/process_creation/win_advanced_ip_scanner.yml +++ b/rules/windows/process_creation/win_advanced_ip_scanner.yml 
@@ -1,6 +1,5 @@ action: global title: Advanced IP Scanner -id: bef37fa2-f205-4a7b-b484-0759bfd5f86f status: experimental description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. references: @@ -19,6 +18,7 @@ falsepositives: - Legitimate administrative use level: medium --- +id: bef37fa2-f205-4a7b-b484-0759bfd5f86f logsource: category: process_creation product: windows @@ -27,6 +27,7 @@ detection: Image|contains: '\advanced_ip_scanner' condition: selection --- +id: fed85bf9-e075-4280-9159-fbe8a023d6fa logsource: category: file_event product: windows diff --git a/rules/windows/process_creation/win_apt_turla_commands.yml b/rules/windows/process_creation/win_apt_turla_commands.yml index dc84c432..61b55cf1 100755 --- a/rules/windows/process_creation/win_apt_turla_commands.yml +++ b/rules/windows/process_creation/win_apt_turla_commands.yml @@ -1,6 +1,5 @@ action: global title: Turla Group Lateral Movement -id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f status: experimental description: Detects automated lateral movement by Turla group references: @@ -24,6 +23,7 @@ logsource: falsepositives: - Unknown --- +id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f detection: selection: CommandLine: @@ -33,6 +33,7 @@ detection: condition: selection level: critical --- +id: 75925535-ca97-4e0a-a850-00b5c00779dc detection: netCommand1: CommandLine: 'net view /DOMAIN' diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/win_apt_wocao.yml index af9a5711..977893ac 100644 --- a/rules/windows/process_creation/win_apt_wocao.yml +++ b/rules/windows/process_creation/win_apt_wocao.yml @@ -1,6 +1,5 @@ action: global title: Operation Wocao Activity -id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d author: Florian Roth, frack113 status: experimental description: Detects activity mentioned in Operation Wocao report 
@@ -25,6 +24,7 @@ falsepositives: - Administrators that use checkadmin.exe tool to enumerate local administrators level: high --- +id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d logsource: product: windows service: security @@ -35,6 +35,7 @@ detection: CallerProcessName|endswith: '\checkadmin.exe' condition: selection --- +id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_exchange_transportagent.yml b/rules/windows/process_creation/win_exchange_transportagent.yml index d432eada..4c7f7cee 100644 --- a/rules/windows/process_creation/win_exchange_transportagent.yml +++ b/rules/windows/process_creation/win_exchange_transportagent.yml @@ -1,6 +1,5 @@ action: global title: MSExchange Transport Agent Installation -id: 83809e84-4475-4b69-bc3e-4aad8568612f status: experimental description: Detects the Installation of a Exchange Transport Agent references: @@ -18,6 +17,7 @@ falsepositives: - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. level: medium --- +id: 83809e84-4475-4b69-bc3e-4aad8568612f logsource: product: windows category: process_creation @@ -25,6 +25,7 @@ detection: selection: CommandLine|contains: 'Install-TransportAgent' --- +id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 logsource: product: windows service: msexchange-management diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index 821c3cd9..17e9927c 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -1,6 +1,5 @@ action: global title: CreateMiniDump Hacktool -id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine author: Florian Roth references: 
@@ -14,6 +13,7 @@ falsepositives: - Unknown level: high --- +id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d logsource: category: process_creation product: windows @@ -24,6 +24,7 @@ detection: Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' condition: 1 of them --- +id: db2110f3-479d-42a6-94fb-d35bc1e46492 logsource: product: windows category: file_event diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index d88aa5e3..1dc05a4a 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -1,6 +1,5 @@ action: global title: Adwind RAT / JRAT -id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 status: experimental description: Detects javaw.exe in AppData folder as used by Adwind / JRAT references: @@ -18,6 +17,7 @@ detection: condition: selection level: high --- +id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 logsource: category: process_creation product: windows @@ -32,6 +32,7 @@ detection: - 'Retrive' - '.vbs ' --- +id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 logsource: category: file_event product: windows @@ -44,6 +45,7 @@ detection: - '\Retrive' - '.vbs' --- +id: 42f0e038-767e-4b85-9d96-2c6335bad0b5 logsource: category: registry_event product: windows diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml index 66fa5a3f..d4699449 100644 --- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml +++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml @@ -1,6 +1,5 @@ action: global title: SILENTTRINITY Stager Execution -id: 03552375-cc2c-4883-bbe4-7958d5a980be status: experimental description: Detects SILENTTRINITY stager use references: 
@@ -18,10 +17,12 @@ falsepositives: - unknown level: high --- +id: 03552375-cc2c-4883-bbe4-7958d5a980be logsource: category: process_creation product: windows --- +id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d logsource: category: image_load product: windows diff --git a/rules/windows/registry_event/sysmon_apt_pandemic.yml b/rules/windows/registry_event/sysmon_apt_pandemic.yml index f53bf33c..e0f2d122 100755 --- a/rules/windows/registry_event/sysmon_apt_pandemic.yml +++ b/rules/windows/registry_event/sysmon_apt_pandemic.yml @@ -1,6 +1,5 @@ action: global title: Pandemic Registry Key -id: 47e0852a-cf81-4494-a8e6-31864f8c86ed status: experimental description: Detects Pandemic Windows Implant references: @@ -22,6 +21,7 @@ falsepositives: - unknown level: critical --- +id: 47e0852a-cf81-4494-a8e6-31864f8c86ed logsource: category: registry_event product: windows @@ -30,6 +30,7 @@ detection: TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance' condition: 1 of them --- +id: 9fefd33c-339d-4495-9cba-b96ca006f512 logsource: category: process_creation product: windows From 135d0a2c61d2941ad29795a8eafe7a579d98e5f5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 3 Sep 2021 06:50:00 +0200 Subject: [PATCH 078/127] Update global id --- .../windows/other/win_defender_exclusions.yml | 15 +++++------- .../process_creation/win_apt_chafer_mar18.yml | 5 +++- .../process_creation/win_apt_empiremonkey.yml | 24 +++++++------------ .../process_creation/win_apt_gallium.yml | 3 ++- .../process_creation/win_apt_slingshot.yml | 3 ++- .../win_apt_unidentified_nov_18.yml | 6 ++--- .../win_susp_winrm_AWL_bypass.yml | 3 ++- .../win_syncappvpublishingserver_exe.yml | 3 ++- 8 files changed, 29 insertions(+), 33 deletions(-) diff --git a/rules/windows/other/win_defender_exclusions.yml b/rules/windows/other/win_defender_exclusions.yml index 29e56c90..5021ed75 100644 --- a/rules/windows/other/win_defender_exclusions.yml +++ b/rules/windows/other/win_defender_exclusions.yml 
@@ -1,6 +1,5 @@ action: global title: Windows Defender Exclusions Added -id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f description: Detects the Setting of Windows Defender Exclusions date: 2021/07/06 author: Christian Burkard @@ -15,24 +14,22 @@ falsepositives: - Administrator actions level: medium --- +id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f logsource: product: windows service: windefend detection: selection1: - EventID: - - 5007 - New Value|contains: - - '\Microsoft\Windows Defender\Exclusions' + EventID: 5007 + New Value|contains: '\Microsoft\Windows Defender\Exclusions' condition: selection1 --- +id: a982fc9c-6333-4ffb-a51d-addb04e8b529 logsource: product: windows category: registry_event detection: selection2: - EventID: - - 13 - TargetObject|contains: - - '\Microsoft\Windows Defender\Exclusions' + EventID: 13 + TargetObject|contains: '\Microsoft\Windows Defender\Exclusions' condition: selection2 diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index a64f9629..ad32e036 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml @@ -1,6 +1,5 @@ action: global title: Chafer Activity -id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 references: - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ @@ -26,6 +25,7 @@ falsepositives: - Unknown level: critical --- +id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 logsource: product: windows service: system @@ -36,6 +36,7 @@ detection: - 'SC Scheduled Scan' - 'UpdatMachine' --- +id: c0580559-a6bd-4ef6-b9b7-83703d98b561 logsource: product: windows service: security @@ -46,6 +47,7 @@ detection: - 'SC Scheduled Scan' - 'UpdatMachine' --- +id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 logsource: category: registry_event product: windows 
@@ -55,6 +57,7 @@ detection: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' --- +id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index 55efdc51..93b94f14 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml +++ b/rules/windows/process_creation/win_apt_empiremonkey.yml @@ -1,4 +1,3 @@ -action: global title: Empire Monkey id: 10152a7b-b566-438f-a33c-390b607d1c8d description: Detects EmpireMonkey APT reported Activity @@ -11,24 +10,17 @@ tags: date: 2019/04/02 modified: 2020/08/27 author: Markus Neis -detection: - condition: 1 of them -falsepositives: - - Very Unlikely -level: critical ---- logsource: category: process_creation product: windows detection: selection_cutil: - CommandLine|endswith: - - '/i:%APPDATA%\logs.txt scrobj.dll' - Image|endswith: - - '\cutil.exe' + CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' + Image|endswith: '\cutil.exe' selection_regsvr32: - CommandLine|endswith: - - '/i:%APPDATA%\logs.txt scrobj.dll' - Description: - - Microsoft(C) Registerserver - + CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' + Description: 'Microsoft(C) Registerserver' + condition: 1 of them +falsepositives: + - Very Unlikely +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_gallium.yml b/rules/windows/process_creation/win_apt_gallium.yml index 5ec55428..3c5279f3 100644 --- a/rules/windows/process_creation/win_apt_gallium.yml +++ b/rules/windows/process_creation/win_apt_gallium.yml @@ -1,6 +1,5 @@ action: global title: GALLIUM Artefacts -id: 440a56bf-7873-4439-940a-1c8a671073c2 status: experimental description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. author: Tim Burrell 
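Review bot: The rewritten win_apt_empiremonkey.yml now ends at `level: critical` without a trailing newline (`\ No newline at end of file`), unlike every other rule file touched in this series; add the final newline so the file matches the repository convention and diffs cleanly. Collapsing the two documents into one and dropping `action: global` looks behaviour-preserving as far as the visible lines show, since both selections and `condition: 1 of them` are carried over unchanged.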
@@ -42,6 +41,7 @@ detection: - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' condition: exec_selection --- +id: 440a56bf-7873-4439-940a-1c8a671073c2 logsource: product: windows service: dns-server @@ -58,6 +58,7 @@ detection: - 'cvdfhjh1231.ddns.net' condition: c2_selection --- +id: 18739897-21b1-41da-8ee4-5b786915a676 logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml index 51589931..14205108 100755 --- a/rules/windows/process_creation/win_apt_slingshot.yml +++ b/rules/windows/process_creation/win_apt_slingshot.yml @@ -1,6 +1,5 @@ action: global title: Defrag Deactivation -id: 958d81aa-8566-4cea-a565-59ccd4df27b0 author: Florian Roth, Bartlomiej Czyz (@bczyz1) date: 2019/03/04 modified: 2020/11/05 @@ -16,6 +15,7 @@ falsepositives: - Unknown level: medium --- +id: 958d81aa-8566-4cea-a565-59ccd4df27b0 logsource: category: process_creation product: windows @@ -29,6 +29,7 @@ detection: - '/TN' - '\Microsoft\Windows\Defrag\ScheduledDefrag' --- +id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7 logsource: product: windows service: security diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index 20e60b32..1ff40f48 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -1,6 +1,5 @@ action: global title: Unidentified Attacker November 2018 -id: 7453575c-a747-40b9-839b-125a0aae324b status: stable description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016. @@ -17,6 +16,7 @@ detection: condition: 1 of them level: high --- +id: 7453575c-a747-40b9-839b-125a0aae324b logsource: category: process_creation product: windows 
@@ -25,11 +25,11 @@ detection: CommandLine|contains: 'cyzfc.dat,' CommandLine|endswith: 'PointFunctionCall' --- +id: 3a3f81ca-652c-482b-adeb-b1c804727f74 # Sysmon: File Creation (ID 11) logsource: product: windows category: file_event detection: selection2: - TargetFilename|contains: - - 'ds7002.lnk' + TargetFilename|contains: 'ds7002.lnk' diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml index 5ed59281..fd21e69f 100644 --- a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml +++ b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml @@ -1,6 +1,5 @@ action: global title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl -id: 074e0ded-6ced-4ebd-8b4d-53f55908119d description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) status: experimental references: @@ -14,6 +13,7 @@ level: medium falsepositives: - Unlikely --- +id: 074e0ded-6ced-4ebd-8b4d-53f55908119d logsource: category: process_creation product: windows @@ -32,6 +32,7 @@ detection: CommandLine|contains: 'winrm' condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder) --- +id: d353dac0-1b41-46c2-820c-d7d2561fc6ed logsource: product: windows category: file_event diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml index e29504f5..fb4c81e3 100644 --- a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml +++ b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml 
@@ -1,6 +1,5 @@ action: global title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction -id: fde7929d-8beb-4a4c-b922-be9974671667 description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ @@ -15,6 +14,7 @@ falsepositives: - App-V clients level: medium --- +id: fde7929d-8beb-4a4c-b922-be9974671667 logsource: product: windows category: process_creation @@ -22,6 +22,7 @@ detection: selection: Image|endswith: '\SyncAppvPublishingServer.exe' --- +id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 logsource: product: windows service: powershell From 11e4b900e44d71bfc76eeb0e1e299c187a6580a3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 3 Sep 2021 06:59:40 +0200 Subject: [PATCH 079/127] Update global id --- rules/windows/process_creation/win_apt_gallium.yml | 3 ++- tools/sigma/sigma_uuid.py | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_gallium.yml b/rules/windows/process_creation/win_apt_gallium.yml index 3c5279f3..41d7f628 100644 --- a/rules/windows/process_creation/win_apt_gallium.yml +++ b/rules/windows/process_creation/win_apt_gallium.yml @@ -14,6 +14,7 @@ falsepositives: - unknown level: high --- +id: 440a56bf-7873-4439-940a-1c8a671073c2 logsource: product: windows category: process_creation @@ -41,7 +42,7 @@ detection: - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' condition: exec_selection --- -id: 440a56bf-7873-4439-940a-1c8a671073c2 +id: 3db10f25-2527-4b79-8d4b-471eb900ee29 logsource: product: windows service: dns-server diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index 8875004b..b9b07f05 100755 --- a/tools/sigma/sigma_uuid.py +++ b/tools/sigma/sigma_uuid.py 
@@ -69,11 +69,9 @@ def main(): except ValueError: # id is not a valid UUID print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"])) passed = False - exit() except KeyError: # rule has no id print("Rule {} in file {} has no UUID.".format(i, str(path))) passed = False - exit() ''' else: newrules = list() From 864286e2060ce02b5e3d58e3b37ea9552102a9eb Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Fri, 3 Sep 2021 11:33:18 +0200 Subject: [PATCH 080/127] New Rule - Linux-Auditd-System Information Discovery --- .../lnx_auditd_system_info_discovery.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_system_info_discovery.yml diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml new file mode 100644 index 00000000..56fba47f --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml @@ -0,0 +1,30 @@ +title: 'System Information Discovery' +description: 'Detects System Information Discovery commands' +author: 'Pawel Mazur' +status: experimental +date: 2021/09/03 +references: + - 'https://attack.mitre.org/techniques/T1082/' + - 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md' +logsource: + product: linux + service: auditd +detection: + selection: + type: PATH + name: + - /etc/lsb-release + - /etc/redhat-release + - /etc/issue + condition: 'selection or selection2' + selection2: + type: EXECVE + a0: + - uname + - uptime +tags: + - attack.discovery + - attack.t1082 +falsepositives: + - 'Legitimate administrative activity' +level: low From adc3c9e6087654ca35968bd33548d254f903acfd Mon Sep 17 00:00:00 2001 
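Review bot: `selection` matches any auditd PATH record naming `/etc/lsb-release`, `/etc/redhat-release` or `/etc/issue`, and `selection2` matches every `uname`/`uptime` execution regardless of arguments, so with `condition: selection or selection2` the rule will presumably fire on routine reads by package tooling, monitoring agents and login banners; the single `falsepositives` entry understates that. Consider documenting the expected volume, e.g. `- Monitoring agents and package tooling routinely read release files and run uname`, and, if only a specific invocation is of interest, narrowing `selection2` with the argument field (e.g. `a1`) — confirm against the audit data available. PATH records for those files are only emitted if auditd is configured to audit them (a `-w` watch or an applicable syscall rule), so the rule should state the required auditd configuration rather than silently matching nothing.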
From: ncrqnt Date: Fri, 3 Sep 2021 12:03:38 +0200 Subject: [PATCH 081/127] fixed date: switched day/month --- .../win_arbitrary_shell_execution_via_settingcontent.yml | 2 +- rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml | 2 +- ...in_sticky_keys_unauthenticated_privileged_console_access.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index fffa3a9e..8ba7965c 100644 --- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -2,7 +2,7 @@ title: Arbitrary Shell Command Execution Via Settingcontent-Ms id: 24de4f3b-804c-4165-b442-5a06a2302c7e description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. author: Sreeman -date: 2020/13/03 +date: 2020/03/13 modified: 2021/08/09 references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 diff --git a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml index 09845cc8..a3e942b8 100644 --- a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml +++ b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml 
@@ -3,7 +3,7 @@ id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 status: experimental description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file' author: Sreeman -date: 2020/13/03 +date: 2020/03/13 modified: 2021/06/11 tags: - attack.t1218 diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 715dfc75..18cddb9e 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -5,7 +5,7 @@ references: - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf status: experimental -date: 2020/18/02 +date: 2020/02/18 modified: 2021/06/11 author: Sreeman tags: From 8bd859f55067c73ed74debec50b762ced43f0e8d Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Fri, 3 Sep 2021 13:07:42 +0200 Subject: [PATCH 082/127] Update lnx_auditd_system_info_discovery.yml --- rules/linux/auditd/lnx_auditd_system_info_discovery.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index 56fba47f..1a3d1035 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml 
@@ -16,12 +16,12 @@ detection: - /etc/lsb-release - /etc/redhat-release - /etc/issue - condition: 'selection or selection2' - selection2: + selection2: type: EXECVE a0: - uname - uptime + condition: 'selection or selection2' tags: - attack.discovery - attack.t1082 From 2de2de8433fe7053bc1123f87a7199f5c53d35b4 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 3 Sep 2021 11:36:43 +0200 Subject: [PATCH 083/127] Addition to UAC Bypasses --- .../sysmon_uac_bypass_shell_open.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 68481a95..42c2c471 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -1,11 +1,13 @@ title: UAC Bypass Using Registry Shell Open Keys id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 -description: Detects the pattern of UAC Bypass using fodhelper.exe or computerdefaults.exe via registry keys (UACMe 33 or 62) +description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) author: Christian Burkard date: 2021/08/30 status: experimental references: - https://github.com/hfiref0x/UACME + - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ + - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -14,10 +16,18 @@ logsource: category: registry_event product: windows detection: - selection: + selection1: TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' - condition: selection + selection2: + TargetObject|endswith: '_Classes\ms-settings\shell\open\command\DelegateExecute' + selection3: + TargetObject|endswith: '_Classes\ms-settings\shell\open\command\(Default)' + selection4: + TargetObject|endswith: '_Classes\exefile\shell\open\command\(Default)' + filter: + Details: '(Empty)' + condition: selection1 or selection2 or ( (selection3 or selection4) and not filter) falsepositives: - Unknown level: high From f3bdb0e43d9bcfa9f78eb9483d4e49513448d22d Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 3 Sep 2021 13:18:41 +0200 Subject: [PATCH 084/127] fix: remove unneeded selection --- .../registry_event/sysmon_uac_bypass_shell_open.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 42c2c471..94469592 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -22,12 +22,12 @@ detection: selection2: TargetObject|endswith: '_Classes\ms-settings\shell\open\command\DelegateExecute' selection3: - TargetObject|endswith: '_Classes\ms-settings\shell\open\command\(Default)' - selection4: - TargetObject|endswith: '_Classes\exefile\shell\open\command\(Default)' + TargetObject|endswith: + - '_Classes\ms-settings\shell\open\command\(Default)' + - '_Classes\exefile\shell\open\command\(Default)' filter: Details: '(Empty)' - condition: selection1 or selection2 or ( (selection3 or selection4) and not filter) + condition: selection1 or selection2 or (selection3 and not filter) falsepositives: - Unknown level: high 
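Review bot: `selection2` (`DelegateExecute`) is not subject to the `filter` on `Details: '(Empty)'`, whereas `selection3` and `selection4` are, so an empty value written to `DelegateExecute` alerts while an empty value written to `(Default)` does not; if that asymmetry is deliberate, a comment above `selection2` such as `# DelegateExecute is matched even when set to (Empty)` would stop a later editor from "fixing" it. `selection4` also widens the rule to `_Classes\exefile\shell\open\command\(Default)`, which covers more than the fodhelper/computerdefaults/slui pattern named in the updated description and can also indicate persistence rather than a UAC bypass, so the description and the tags shown in the previous hunk (`attack.defense_evasion`, `attack.privilege_escalation`) should reflect that broader scope.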
From aa2e86963c1870fe583d5c91ef8973ed0096d9b3 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 3 Sep 2021 13:21:29 +0200 Subject: [PATCH 085/127] fix: rename filter --- rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml index 94469592..032e1146 100644 --- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml @@ -25,9 +25,9 @@ detection: TargetObject|endswith: - '_Classes\ms-settings\shell\open\command\(Default)' - '_Classes\exefile\shell\open\command\(Default)' - filter: + filter_sel3: Details: '(Empty)' - condition: selection1 or selection2 or (selection3 and not filter) + condition: selection1 or selection2 or (selection3 and not filter_sel3) falsepositives: - Unknown level: high From 815134df7f8fdb13e3dbc4ee90d3a899e36e49ef Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 3 Sep 2021 13:30:10 +0200 Subject: [PATCH 086/127] Cleanup --- .../auditd/lnx_auditd_system_info_discovery.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index 1a3d1035..8578ba32 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml 
@@ -1,11 +1,11 @@ -title: 'System Information Discovery' -description: 'Detects System Information Discovery commands' +title: System Information Discovery +description: Detects System Information Discovery commands author: 'Pawel Mazur' status: experimental date: 2021/09/03 references: - - 'https://attack.mitre.org/techniques/T1082/' - - 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md' + - https://attack.mitre.org/techniques/T1082/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md logsource: product: linux service: auditd @@ -21,10 +21,10 @@ detection: a0: - uname - uptime - condition: 'selection or selection2' + condition: selection or selection2 tags: - attack.discovery - attack.t1082 falsepositives: - - 'Legitimate administrative activity' + - Legitimate administrative activity level: low From 769451dc032ff6f8e2d7d79ecdad1d7ac1e1ccbc Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 3 Sep 2021 13:42:15 +0200 Subject: [PATCH 087/127] Add missing id --- rules/linux/auditd/lnx_auditd_system_info_discovery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index 8578ba32..223be5b4 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml @@ -1,4 +1,5 @@ title: System Information Discovery +id: f34047d9-20d3-4e8b-8672-0a35cc50dc71 description: Detects System Information Discovery commands author: 'Pawel Mazur' status: experimental From a7a002cb7f5f90848902a0bb494176a7059379a0 Mon Sep 17 00:00:00 2001 
From: mvelazco Date: Fri, 3 Sep 2021 10:01:54 -0400 Subject: [PATCH 088/127] updating fields as per frack113 feedback --- rules/windows/builtin/win_petitpotam_network_share.yml | 7 ++++--- rules/windows/builtin/win_petitpotam_susp_tgt_request.yml | 7 +++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/win_petitpotam_network_share.yml index 15ee76da..ca5ff7c2 100644 --- a/rules/windows/builtin/win_petitpotam_network_share.yml +++ b/rules/windows/builtin/win_petitpotam_network_share.yml @@ -16,9 +16,10 @@ logsource: detection: selection: EventID: 5145 - Share_Name: \\*\IPC$ - Relative_Target_Name: lsarpc - Account_Name: ANONYMOUS LOGON + ShareName|startswith: '\\' + ShareName|endswith: '\IPC$' + RelativeTargetName: lsarpc + SubjectUserName: ANONYMOUS LOGON condition: selection falsepositives: - Unknown. Feedback welcomed. diff --git a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml index da7fdf9e..a576df1b 100644 --- a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml +++ b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml @@ -23,11 +23,10 @@ logsource: detection: selection: EventID: 4768 - Account_Name|endswith: '$' - Certificate_Thumbprint: '*' + TargetUserName|endswith: '$' + CertThumbprint: '*' filter_local: - Client_Address: '::1' - + IpAddress: '::1' condition: selection and not filter_local falsepositives: - False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts. From c0bdc3fb1ba26678d9541f0702102a1a9b024b94 Mon Sep 17 00:00:00 2001 
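Review bot: The falsepositives text in win_petitpotam_susp_tgt_request.yml still says `We recommend filtering Account_Name to the Domain Controller computer accounts.`, but this hunk renames the field to `TargetUserName`, so the advice now refers to a field the rule no longer uses; change it to `TargetUserName`. `CertThumbprint: '*'` is evidently meant as "field has a value", which depends on how each backend renders a lone wildcard and on whether the pipeline emits an absent thumbprint as an empty string or omits the field; a comment recording the intent, e.g. `# any thumbprint present: certificate-based TGT request`, would help the next maintainer. The `filter_local` on `IpAddress: '::1'` presumably also needs the IPv4 loopback form if it can appear in 4768 events — confirm with sample events before adding it.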
From: Austin Songer Date: Fri, 3 Sep 2021 22:23:21 -0500 Subject: [PATCH 089/127] Create azure_device_no_longer_managed_or_compliant.yml --- ..._device_no_longer_managed_or_compliant.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml new file mode 100644 index 00000000..11fe4dd0 --- /dev/null +++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml @@ -0,0 +1,21 @@ +title: Azure Device No Longer Managed or Compliant +id: 542b9912-c01f-4e3f-89a8-014c48cdca7d +description: Identifies when a device in azure is no longer managed or compliant +author: Austin Songer +status: experimental +date: 2021/ +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Device no longer compliant + - Device no longer managed + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Administrator may have forgotten to review the device. From b478132769fdfb947515420dce244f0ec7e8db50 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:23:59 -0500 Subject: [PATCH 090/127] Create azure_owner_removed_from_application_or_service_principal.yml --- ..._from_application_or_service_principal.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml new file mode 100644 index 00000000..cc6ba7d3 --- /dev/null 
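Review bot: `date: 2021/` in azure_device_no_longer_managed_or_compliant.yml is a truncated date; the sibling rules added in the following commits use `date: 2021/09/03`, and this line should carry the full creation date in the same form. A second point applies to this file and to the four Azure rules that follow (azure_owner_removed_from_application_or_service_principal.yml, azure_device_or_configuration_deleted.yml, azure_service_principal_removed.yml, azure_application_deleted.yml): the matched strings such as `Device no longer compliant` are activity names taken from the Azure AD audit-activities reference in `references`, so it is worth confirming that the `azure.activitylogs` logsource actually carries directory audit events and that `properties.message` is the field those names land in; if not, none of these rules ever fire. `tags: - attack.impact` is also a coarse mapping for a device dropping out of compliance; a short note on why impact was chosen would help triage.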
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml @@ -0,0 +1,23 @@ +title: Azure Owner Removed From Application or Service Principal +id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 +description: Identifies when a owner is was removed from a application or service principal in Azure. +author: Austin Songer +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Remove owner from service principal + - Remove owner from application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Owner being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 6e15618c75baf4ed45a249054a011ce00abdac7c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:24:32 -0500 Subject: [PATCH 091/127] Create azure_device_or_configuration_deleted.yml --- .../azure_device_or_configuration_deleted.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_device_or_configuration_deleted.yml diff --git a/rules/cloud/azure/azure_device_or_configuration_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_deleted.yml new file mode 100644 index 00000000..4156aa7d --- /dev/null +++ b/rules/cloud/azure/azure_device_or_configuration_deleted.yml 
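Review bot: The description line `Identifies when a owner is was removed from a application or service principal in Azure.` has a grammatical slip and should read `description: Identifies when an owner was removed from an application or service principal in Azure.`. The `references` entry points at the `#application-proxy` anchor of the audit-activities page, while the device rule in the preceding commit uses `#core-directory`; the `Remove owner from …` activities appear to belong to the core directory section, so the anchor is worth re-checking. The same `#application-proxy` anchor is reused in azure_service_principal_removed.yml and azure_application_deleted.yml later in this series.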
@@ -0,0 +1,23 @@ +title: Azure Device or Configuration Deleted +id: 46530378-f9db-4af9-a9e5-889c177d3881 +description: Identifies when a device or device configuration in azure is deleted. +author: Austin Songer +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Delete device + - Delete device configuration + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Device or device configuration being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Device or device configuration deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 70ac0104cf129996705d1538642c4a1c6f010978 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:25:01 -0500 Subject: [PATCH 092/127] Create azure_service_principal_removed.yml --- .../azure/azure_service_principal_removed.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_service_principal_removed.yml diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml new file mode 100644 index 00000000..6be22898 --- /dev/null +++ b/rules/cloud/azure/azure_service_principal_removed.yml 
@@ -0,0 +1,21 @@ +title: Azure Service Principal Removed +id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 +description: Identifies when a service principal was removed in Azure. +author: Austin Songer +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: "Remove service principal" + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Service principal being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 6744fb7f2ec6ded95cee76e72f418395f956c7e0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:25:34 -0500 Subject: [PATCH 093/127] Create azure_application_deleted.yml --- .../cloud/azure/azure_application_deleted.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_application_deleted.yml diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml new file mode 100644 index 00000000..843bb212 --- /dev/null +++ b/rules/cloud/azure/azure_application_deleted.yml 
@@ -0,0 +1,23 @@ +title: Azure Application Deleted +id: 410d2a41-1e6d-452f-85e5-abdd8257a823 +description: Identifies when a application is deleted in Azure. +author: Austin Songer +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Delete application + - Hard Delete application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Application being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From c021ae9e7c8507c1b3c42018d7da249cd1e76e99 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:28:35 -0500 Subject: [PATCH 094/127] Update and rename azure_device_or_configuration_deleted.yml to azure_device_or_configuration_modified_or_deleted.yml --- ..._device_or_configuration_modified_or_deleted.yml} | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) rename rules/cloud/azure/{azure_device_or_configuration_deleted.yml => azure_device_or_configuration_modified_or_deleted.yml} (57%) diff --git a/rules/cloud/azure/azure_device_or_configuration_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml similarity index 57% rename from rules/cloud/azure/azure_device_or_configuration_deleted.yml rename to rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml index 4156aa7d..c5136d76 100644 --- a/rules/cloud/azure/azure_device_or_configuration_deleted.yml +++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml 
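Review bot: `description: Identifies when a application is deleted in Azure.` should read `an application`. Both `Delete application` and `Hard Delete application` are matched by the same `selection` at `level: medium`; if a hard delete is considered more severe than a (presumably recoverable) soft delete, a separate selection or rule would allow the level to differ, and the falsepositives text could say that both forms are alerted together.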
@@ -1,7 +1,7 @@ -title: Azure Device or Configuration Deleted +title: Azure Device or Configuration Modified or Deleted id: 46530378-f9db-4af9-a9e5-889c177d3881 -description: Identifies when a device or device configuration in azure is deleted. -author: Austin Songer +description: Identifies when a device or device configuration in azure is modified or deleted. +author: Austin Songer @austinsonger status: experimental date: 2021/09/03 references: @@ -13,11 +13,13 @@ detection: properties.message: - Delete device - Delete device configuration + - Update device + - Update device configuration condition: selection level: medium tags: - attack.impact falsepositives: - - Device or device configuration being deleted may be performed by a system administrator. + - Device or device configuration being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Device or device configuration deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 8fe7bfc4529255d84c666efd107afba2744171fb Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:28:53 -0500 Subject: [PATCH 095/127] Update azure_application_deleted.yml --- rules/cloud/azure/azure_application_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml index 843bb212..7160069c 100644 --- a/rules/cloud/azure/azure_application_deleted.yml +++ b/rules/cloud/azure/azure_application_deleted.yml 
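Review bot: Adding `Update device` and `Update device configuration` to the same `selection` as the delete activities turns a deletion alert into one that presumably fires on every routine device attribute update, while `level: medium` and `tags: - attack.impact` are left unchanged; the update activities may warrant a lower level or their own rule. The falsepositives text now mentions modification, but it would help to name what is routine, e.g. `- Device attribute updates performed by MDM or compliance integrations` — confirm against the tenant's audit volume before adding. The title and description change in the first hunk of this commit (`@@ -1,7 +1,7 @@`) is consistent with the widened selection.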
@@ -1,7 +1,7 @@ title: Azure Application Deleted id: 410d2a41-1e6d-452f-85e5-abdd8257a823 description: Identifies when a application is deleted in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/03 references: From 9d26116d272653796bacfe5d12cf47e4a1ba3591 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:29:02 -0500 Subject: [PATCH 096/127] Update azure_device_no_longer_managed_or_compliant.yml --- .../cloud/azure/azure_device_no_longer_managed_or_compliant.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml index 11fe4dd0..e13c480c 100644 --- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml +++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml @@ -1,7 +1,7 @@ title: Azure Device No Longer Managed or Compliant id: 542b9912-c01f-4e3f-89a8-014c48cdca7d description: Identifies when a device in azure is no longer managed or compliant -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/ references: From fda1e3362e7b7321e4125acd3f80d0ffdb32f62d Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:29:12 -0500 Subject: [PATCH 097/127] Update azure_owner_removed_from_application_or_service_principal.yml --- ...zure_owner_removed_from_application_or_service_principal.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml index cc6ba7d3..5db903ee 100644 --- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml +++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml 
@@ -1,7 +1,7 @@ title: Azure Owner Removed From Application or Service Principal id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 description: Identifies when a owner is was removed from a application or service principal in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/03 references: From c420a17e05d8848070a1dff6f62bd26afd36773c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:29:21 -0500 Subject: [PATCH 098/127] Update azure_service_principal_removed.yml --- rules/cloud/azure/azure_service_principal_removed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml index 6be22898..81ed2454 100644 --- a/rules/cloud/azure/azure_service_principal_removed.yml +++ b/rules/cloud/azure/azure_service_principal_removed.yml @@ -1,7 +1,7 @@ title: Azure Service Principal Removed id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 description: Identifies when a service principal was removed in Azure. -author: Austin Songer +author: Austin Songer @austinsonger status: experimental date: 2021/09/03 references: From 0612ea7f6e468bb6a2741f4c39ce58e36aeb4d2b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:42:26 -0500 Subject: [PATCH 099/127] Update azure_device_no_longer_managed_or_compliant.yml --- .../cloud/azure/azure_device_no_longer_managed_or_compliant.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml index e13c480c..13be7277 100644 --- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml +++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml 
@@ -3,7 +3,7 @@ id: 542b9912-c01f-4e3f-89a8-014c48cdca7d description: Identifies when a device in azure is no longer managed or compliant author: Austin Songer @austinsonger status: experimental -date: 2021/ +date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory logsource: From e7c582777636dd563250eda84cab0faf8cdc3f90 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 3 Sep 2021 22:43:11 -0500 Subject: [PATCH 100/127] Update azure_service_principal_removed.yml --- rules/cloud/azure/azure_service_principal_removed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml index 81ed2454..e0501252 100644 --- a/rules/cloud/azure/azure_service_principal_removed.yml +++ b/rules/cloud/azure/azure_service_principal_removed.yml @@ -10,7 +10,7 @@ logsource: service: azure.activitylogs detection: selection: - properties.message: "Remove service principal" + properties.message: Remove service principal condition: selection level: medium tags: From caf78b5ea13dc20944779fb6b8da915cb5be3ff9 Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Sat, 4 Sep 2021 22:10:34 +0200 Subject: [PATCH 101/127] New Rule - Linux-Audio-Capture --- .../linux/auditd/lnx_auditd_audio_capture.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_audio_capture.yml diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml new file mode 100644 index 00000000..3d3c5ccd --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml 
@@ -0,0 +1,28 @@ +title: Audio Capture +id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5 +description: Detects attempts to record audio with arecord utility + #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay +author: 'Pawel Mazur' +status: experimental +date: 2021/09/04 +references: + - https://attack.mitre.org/techniques/T1123/ +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: + - arecord + a1: + - '-vv' + a2: + - '-fdat' + condition: selection +tags: + - attack.collection + - attack.t1123 +falsepositives: + - None +level: low From fa5554660cb563c838955eae61602435deb3345a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 4 Sep 2021 17:33:05 -0500 Subject: [PATCH 102/127] Update sysmon_mal_cobaltstrike_re.yml --- rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml index 3a857bbc..1ecc14c6 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -6,7 +6,7 @@ references: - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 date: 2021/07/30 -modifed: 2021/09/02 +modified: 2021/09/02 author: Florian Roth tags: - attack.defense_evasion From 5042ba65ac87557c931f3208c46d0d925ca46ee8 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Sun, 5 Sep 2021 09:28:53 +0200 Subject: [PATCH 103/127] Update lnx_auditd_audio_capture.yml Added more references about arecord. --- rules/linux/auditd/lnx_auditd_audio_capture.yml | 2 ++ 1 file changed, 2 insertions(+) 
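Review bot: Requiring `a1: '-vv'` and `a2: '-fdat'` pins the selection to one exact command line, so any other `arecord` invocation (different flags, different flag order, long options, flags after the file name) is missed; keying on `a0: - arecord` alone and dropping `a1`/`a2` is the robust selection. With that, `falsepositives: - None` is not credible for a user-facing recording utility — list legitimate use such as users or conferencing software recording audio. The `#the actual binary that arecord is using ... /usr/bin/aplay` remark is a YAML comment buried under `description`; state it as a collection requirement in `logsource.definition` (the field used for this purpose elsewhere in the repository) so operators know which path the auditd watch must cover.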
diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml index 3d3c5ccd..42246e7a 100644 --- a/rules/linux/auditd/lnx_auditd_audio_capture.yml +++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml @@ -6,6 +6,8 @@ author: 'Pawel Mazur' status: experimental date: 2021/09/04 references: + - https://linux.die.net/man/1/arecord + - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa - https://attack.mitre.org/techniques/T1123/ logsource: product: linux From acf2bfbd27a6c5fabc2348c73ead426c4e6f814e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 10:43:42 +0200 Subject: [PATCH 104/127] Update sigma_uuid verify Make a better verify code --- rules/windows/builtin/win_apt_apt29_tor.yml | 3 +- tools/sigma/sigma_uuid.py | 63 +++++++++++++-------- 2 files changed, 42 insertions(+), 24 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index 8e4e79c8..aec2c262 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -1,6 +1,5 @@ action: global title: APT29 Google Update Service Install -id: c069f460-2b87-4010-8dcf-e45bab362624 description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files. references: @@ -13,6 +12,8 @@ tags: date: 2017/11/01 modified: 2020/08/23 author: Thomas Patzke +--- +id: c069f460-2b87-4010-8dcf-e45bab362624 logsource: product: windows service: system diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index b9b07f05..ce0f9ab6 100755 --- a/tools/sigma/sigma_uuid.py +++ b/tools/sigma/sigma_uuid.py 
@@ -1,10 +1,23 @@ #!/usr/bin/env python3 # Assign UUIDs to Sigma rules and verify UUID assignment for a Sigma rule repository +# Copyright 2016-2021 SigmaHQ + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . from argparse import ArgumentParser from pathlib import Path from uuid import uuid4, UUID -import yaml +import ruamel.yaml from sigma.output import SigmaYAMLDumper @@ -15,7 +28,7 @@ def print_verbose(*arg, **kwarg): def yaml_preserve_order(self, dict_data): return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items()) -def valid_rule(rule,i,path): +def valid_id(rule,i,path): try: UUID(rule["id"]) except ValueError: # id is not a valid UUID @@ -26,6 +39,22 @@ def valid_rule(rule,i,path): return False return True +def is_global(rule): + if 'action' in rule: + if rule['action'] == 'global': + return True + return False + +def is_id_uuid(rule): + if 'id' in rule: + try: + UUID(rule["id"]) + except ValueError: + return False + return True + return False + + def main(): argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules") argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.") 
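Review bot: `import ruamel.yaml` replaces PyYAML with a third-party package the tool did not use before, and nothing in this commit declares it in the project's dependency list; presumably it needs adding wherever `PyYAML` is pinned, otherwise `sigma_uuid.py` fails at import on a fresh checkout. `is_global` nests two `if`s to express one comparison; `return rule.get('action') == 'global'` is the whole function. `is_id_uuid` re-implements the `UUID(rule["id"])` try/except that `valid_id` already contains, so one of the two should call the other rather than duplicate the check.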
@@ -43,36 +72,24 @@ def main(): else: paths = [ Path(pathname) for pathname in args.inputs ] - yaml.add_representer(dict, yaml_preserve_order) - uuids = set() passed = True for path in paths: print_verbose("Rule {}".format(str(path))) with path.open("r",encoding="UTF-8") as f: - rules = list(yaml.safe_load_all(f)) - - nb_rule = len(rules) + rules = list(ruamel.yaml.load_all(f,Loader=ruamel.yaml.RoundTripLoader)) + if args.verify: - if nb_rule == 1: - if not valid_rule(rules[0],1,path): passed = False - else: - if rules[0]["action"] == "global": - for i in range(1,nb_rule): - if not valid_rule(rules[i],i,path): passed = False - ''' + i = 0 for rule in rules: - - if "title" in rule: # Rule with a title should also have a UUID - try: - UUID(rule["id"]) - except ValueError: # id is not a valid UUID - print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"])) + if is_global(rule): # No id in global section + if 'id' in rule: passed = False - except KeyError: # rule has no id - print("Rule {} in file {} has no UUID.".format(i, str(path))) + print("Rule {} in file {} has ID in global section.".format(i,str(path))) + else: + if not valid_id(rule,i,path): passed = False - ''' + i += 1 else: newrules = list() changed = False From ca4c156fa4ce0c3ae6b2c14c014ee7aa3c7a1841 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 11:20:57 +0200 Subject: [PATCH 105/127] Update win_apt_apt29_tor.yml --- rules/windows/builtin/win_apt_apt29_tor.yml | 30 ++++++++++++--------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index aec2c262..65b7b8f3 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml 
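Review bot: The hand-rolled counter (`i = 0` before the loop, `i += 1` at its end) should be `for i, rule in enumerate(rules):`, and note that this branch numbers rules from 0 while the assignment branch further down uses `i = 1`, so the same rule is reported under different numbers depending on the mode; pick one base for both. The move from `yaml.safe_load_all` to `ruamel.yaml.load_all(f, Loader=ruamel.yaml.RoundTripLoader)` keeps parsing safe, since the round-trip constructor is built on the safe constructor and cannot instantiate arbitrary Python objects from a rule file, which matters for a tool run over a repository of contributed rules. The functional `ruamel.yaml.load_all(..., Loader=...)` entry point is deprecated in ruamel.yaml in favour of a `ruamel.yaml.YAML()` instance; confirm the pinned version still provides it. `main()` continues outside the hunk.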
@@ -10,9 +10,23 @@ tags: - attack.t1050 # an old one - attack.t1543.003 date: 2017/11/01 -modified: 2020/08/23 -author: Thomas Patzke +modified: 2020/09/05 +author: Thomas Patzke , frack113 (reorder file) --- +#First detection is only need to the near so level is informational to not trigger an alert +id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 +logsource: + category: process_creation + product: windows +detection: + process: + Image: + - 'C:\Program Files(x86)\Google\GoogleService.exe' + - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' + condition: process +level: informational +--- +action: repeat id: c069f460-2b87-4010-8dcf-e45bab362624 logsource: product: windows @@ -26,17 +40,7 @@ detection: falsepositives: - Unknown level: high ---- -id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 -logsource: - category: process_creation - product: windows -detection: - process: - Image: - - 'C:\Program Files(x86)\Google\GoogleService.exe' - - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' fields: - ComputerName - User - - CommandLine + - CommandLine \ No newline at end of file From b0964250b1142c9e6613560b3d01035b00449b5a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 12:23:45 +0200 Subject: [PATCH 106/127] Update win_apt_apt29_tor.yml --- rules/windows/builtin/win_apt_apt29_tor.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index 65b7b8f3..562bec73 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -12,9 +12,6 @@ tags: date: 2017/11/01 modified: 2020/09/05 author: Thomas Patzke , frack113 (reorder file) ---- -#First detection is only need to the near so level is informational to not trigger an alert -id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 logsource: category: process_creation product: windows 
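Review bot: `modified: 2020/09/05` looks like a typo for `2021/09/05`: the commit is dated 5 Sep 2021 and the value it replaces was `2020/08/23`, so the new date is neither today's nor later than the old one in a meaningful way. Separately, `action: repeat` makes the following document inherit every field of the preceding process_creation document, including its `detection` and `condition: process`, before its own keys are merged, so the `service: system` rule would carry the process selection unless its own `detection` overrides it completely — verify this against the rule's second document, whose `detection` body is outside the hunk.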
@@ -23,10 +20,9 @@ detection: Image: - 'C:\Program Files(x86)\Google\GoogleService.exe' - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' - condition: process +#First detection is only need to the near so level is informational to not trigger an alert level: informational --- -action: repeat id: c069f460-2b87-4010-8dcf-e45bab362624 logsource: product: windows From 44a5792be3e3261f23eb01cc5d7181d39dd7835a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 5 Sep 2021 12:34:24 +0200 Subject: [PATCH 107/127] Revert win_apt_apt29_tor.yml --- rules/windows/builtin/win_apt_apt29_tor.yml | 32 +++++++++------------ 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index 65b7b8f3..60622027 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -10,24 +10,8 @@ tags: - attack.t1050 # an old one - attack.t1543.003 date: 2017/11/01 -modified: 2020/09/05 -author: Thomas Patzke , frack113 (reorder file) ---- -#First detection is only need to the near so level is informational to not trigger an alert -id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5 -logsource: - category: process_creation - product: windows -detection: - process: - Image: - - 'C:\Program Files(x86)\Google\GoogleService.exe' - - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' - condition: process -level: informational ---- -action: repeat -id: c069f460-2b87-4010-8dcf-e45bab362624 +modified: 2020/08/23 +author: Thomas Patzke logsource: product: windows service: system @@ -40,7 +24,17 @@ detection: falsepositives: - Unknown level: high +--- +id: c069f460-2b87-4010-8dcf-e45bab362624 +logsource: + category: process_creation + product: windows +detection: + process: + Image: + - 'C:\Program Files(x86)\Google\GoogleService.exe' + - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' fields: - ComputerName - User - - CommandLine \ No newline at end of file + - CommandLine 
From c82a652a3462a95ad433d8d3dad6a0b809dfb73e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 12:37:30 +0200 Subject: [PATCH 108/127] Revert win_apt_apt29_tor.yml --- rules/windows/builtin/win_apt_apt29_tor.yml | 26 ++++++++++----------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml index 562bec73..45af1e2d 100755 --- a/rules/windows/builtin/win_apt_apt29_tor.yml +++ b/rules/windows/builtin/win_apt_apt29_tor.yml @@ -10,20 +10,8 @@ tags: - attack.t1050 # an old one - attack.t1543.003 date: 2017/11/01 -modified: 2020/09/05 -author: Thomas Patzke , frack113 (reorder file) -logsource: - category: process_creation - product: windows -detection: - process: - Image: - - 'C:\Program Files(x86)\Google\GoogleService.exe' - - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' -#First detection is only need to the near so level is informational to not trigger an alert -level: informational ---- -id: c069f460-2b87-4010-8dcf-e45bab362624 +modified: 2020/08/23 +author: Thomas Patzke logsource: product: windows service: system @@ -36,6 +24,16 @@ detection: falsepositives: - Unknown level: high +--- +id: c069f460-2b87-4010-8dcf-e45bab362624 +logsource: + category: process_creation + product: windows +detection: + process: + Image: + - 'C:\Program Files(x86)\Google\GoogleService.exe' + - 'C:\Program Files(x86)\Google\GoogleUpdate.exe' fields: - ComputerName - User From dc88ad7c73a01280a0a9604e23fc238613cef6ee Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:50:54 +0200 Subject: [PATCH 109/127] fix sigma_uuid assign id --- tools/sigma/sigma_uuid.py | 51 +++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 29 deletions(-) diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py index ce0f9ab6..4b9b7fc4 100755 
--- a/tools/sigma/sigma_uuid.py +++ b/tools/sigma/sigma_uuid.py @@ -18,15 +18,10 @@ from argparse import ArgumentParser from pathlib import Path from uuid import uuid4, UUID import ruamel.yaml -from sigma.output import SigmaYAMLDumper - def print_verbose(*arg, **kwarg): print(*arg, **kwarg) -# Define order-preserving representer from dicts/maps -def yaml_preserve_order(self, dict_data): - return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items()) def valid_id(rule,i,path): try: @@ -45,16 +40,6 @@ def is_global(rule): return True return False -def is_id_uuid(rule): - if 'id' in rule: - try: - UUID(rule["id"]) - except ValueError: - return False - return True - return False - - def main(): argparser = ArgumentParser(description="Assign and verify UUIDs of Sigma rules") argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.") @@ -72,7 +57,6 @@ def main(): else: paths = [ Path(pathname) for pathname in args.inputs ] - uuids = set() passed = True for path in paths: print_verbose("Rule {}".format(str(path))) 
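Review bot: Removing `uuids = set()` drops the only trace of duplicate tracking, yet the `--verify` help text still promises "existence and uniqueness of UUID assignments"; after this commit two rules sharing an id pass verification silently, which defeats the point of the check for a rule repository. Keep a `seen = set()` before the path loop and, in the verify branch after `valid_id` succeeds, add `if rule['id'] in seen: passed = False; print("Rule {} in file {} has duplicate UUID '{}'.".format(i, str(path), rule['id']))` followed by `seen.add(rule['id'])`. If uniqueness is intentionally out of scope, the help string should be changed instead.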
@@ -91,27 +75,36 @@ def main(): passed = False i += 1 else: - newrules = list() changed = False i = 1 for rule in rules: - if "title" in rule and "id" not in rule: # only assign id to rules that have a title and no id - newrule = dict() - changed = True - for k, v in rule.items(): - newrule[k] = v - if k == "title": # insert id after title - uuid = uuid4() - newrule["id"] = str(uuid) - print("Assigned UUID '{}' to rule {} in file {}.".format(uuid, i, str(path))) - newrules.append(newrule) + if is_global(rule): + if 'id' in rule: + uuid = rule['id'] + del rule['id'] + print("Remove Global UUID '{}' to rule {} in file {}.".format(str(uuid), i, str(path))) + changed = True else: - newrules.append(rule) + if 'id' in rule: + if not valid_id(rule,i,path): + uuid = uuid4() + rule['id'] = str(uuid) + changed = True + print("Change bad UUID '{}' to rule {} in file {}.".format(str(uuid), i, str(path))) + else: + pos= 1 if 'title' in rule else 0 #put id in after title is need + uuid = uuid4() + rule.insert(pos,"id",str(uuid)) + changed = True + print("Assigned UUID '{}' to rule {} in file {}.".format(str(uuid), i, str(path))) i += 1 if changed: with path.open("w") as f: - yaml.dump_all(newrules, f, Dumper=SigmaYAMLDumper, indent=4, width=160, default_flow_style=False) + for rule in rules: + start= False if is_global(rule) else True + if len(rules) == 1: start= False # avoid --- if only one rule + ruamel.yaml.round_trip_dump(rule,stream=f,indent=4,block_seq_indent=4,explicit_start=start) if not passed: print("The Sigma rules listed above don't have an ID. The ID must be:") From 6025df63ee197f3a23b071d3ba2d22a18f41d5bc Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 6 Sep 2021 11:06:58 -0500 Subject: [PATCH 110/127] Create azure_federation_modified.yml --- .../cloud/azure/azure_federation_modified.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_federation_modified.yml 
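Review bot: `with path.open("w") as f:` writes the rewritten rule with the locale's default encoding while the read side uses `encoding="UTF-8"`, so a rule containing a non-ASCII character in `author` or `description` is re-encoded or raises UnicodeEncodeError under a non-UTF-8 locale; use `with path.open("w", encoding="UTF-8") as f:`. The message `"Change bad UUID '{}' to rule {} in file {}."` prints the replacement id rather than the rejected one, so the log cannot be matched back to what was in the file — capture `old = rule['id']` before overwriting and print both. `ruamel.yaml.round_trip_dump` is the deprecated functional API, like the loader call earlier in `main()`; a single `ruamel.yaml.YAML()` instance configured once would serve both. `main()` continues outside the hunk.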
diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml new file mode 100644 index 00000000..37b7f585 --- /dev/null +++ b/rules/cloud/azure/azure_federation_modified.yml @@ -0,0 +1,23 @@ +title: Azure Domain Federation Settings Modified +id: 352a54e1-74ba-4929-9d47-8193d67aba1e +description: Identifies when an user or application modified the federation settings on the domain. +author: Austin Songer +status: experimental +date: 2021/09/06 +references: + - https://attack.mitre.org/techniques/T1078/ +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: Set federation settings on domain + condition: selection +level: medium +tags: + - attack.initial_access + - attack.t1078 +falsepositives: + - Federation Settings being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + From e6e3fc2eec44a2238ee5dfa7ebb01355f5a31dd8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 6 Sep 2021 11:16:35 -0500 Subject: [PATCH 111/127] Update azure_federation_modified.yml --- rules/cloud/azure/azure_federation_modified.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml index 37b7f585..f5b0eee4 100644 --- a/rules/cloud/azure/azure_federation_modified.yml +++ b/rules/cloud/azure/azure_federation_modified.yml @@ -7,7 +7,7 @@ date: 2021/09/06 references: - https://attack.mitre.org/techniques/T1078/ logsource: - service: azure.activitylogs + service: azure.signinlogs detection: selection: properties.message: Set federation settings on domain 
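Review bot: Pointing `logsource.service` at `azure.signinlogs` looks wrong for `properties.message: Set federation settings on domain`: that is a directory audit activity, and every sibling rule in this series that matches `properties.message` uses `azure.activitylogs`, so after this change the rule most likely never matches — confirm against the log source before keeping it. The `attack.t1078` (Valid Accounts) mapping is also a weak fit for a federation-settings change; ATT&CK covers that under T1484.002 (Domain Trust Modification), with `attack.defense_evasion`/`attack.privilege_escalation` as the tactics. Minor: `an user` in the description should be `a user`.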
From 0de95e355a41bfb2c8d96f77d7754a66f97cc302 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 6 Sep 2021 11:31:52 -0500 Subject: [PATCH 112/127] Update azure_federation_modified.yml --- rules/cloud/azure/azure_federation_modified.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml index f5b0eee4..bc627c97 100644 --- a/rules/cloud/azure/azure_federation_modified.yml +++ b/rules/cloud/azure/azure_federation_modified.yml @@ -5,7 +5,7 @@ author: Austin Songer status: experimental date: 2021/09/06 references: - - https://attack.mitre.org/techniques/T1078/ + - https://attack.mitre.org/techniques/T1078 logsource: service: azure.signinlogs detection: @@ -20,4 +20,4 @@ falsepositives: - Federation Settings being modified or deleted may be performed by a system administrator. - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + From ef3efd8fd348596541124c444b80a463025d073b Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Mon, 6 Sep 2021 18:37:02 +0200 Subject: [PATCH 113/127] New Rule Linux - Hidden Files and Directories --- .../lnx_auditd_hidden_files_directories.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_hidden_files_directories.yml diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml new file mode 100644 index 00000000..0f172ebb --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml 
@@ -0,0 +1,31 @@ +title: Hidden Files and Directoriese +id: d08722cd-3d09-449a-80b4-83ea2d9d4616 +description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character +author: 'Pawel Mazur' +status: experimental +date: 2021/09/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md + - https://attack.mitre.org/techniques/T1564/001/ +logsource: + product: linux + service: auditd +detection: + commands: + type: EXECVE + a0: + - mkdir + - touch + - vim + - nano + - vi + arguments: + - a1|re: '\.(.*)' + - a2|re: '\.(.*)' #in case there are some other arguments being used in a1 + condition: commands and arguments +tags: + - attack.defenseevasion + - attack.t1564.001 +falsepositives: + - None +level: low \ No newline at end of file From 9f5f25e480721b77497bb23b80a9bff58825d0a9 Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Mon, 6 Sep 2021 18:40:39 +0200 Subject: [PATCH 114/127] New Rule - Linux Hidden Files and Directories --- rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml index 0f172ebb..af9b62e5 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml @@ -28,4 +28,4 @@ tags: - attack.t1564.001 falsepositives: - None -level: low \ No newline at end of file +level: low From 7c2895c73fe7140ff94458a14137afc9560c083b Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Mon, 6 Sep 2021 18:43:49 +0200 Subject: [PATCH 115/127] New Rule - Linux Hidden Files and Directories --- rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
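Review bot: `title: Hidden Files and Directoriese` has a typo that no later commit in this series fixes. The `a1|re: '\.(.*)'` pattern is unanchored, so any argument containing a dot anywhere (`notes.txt`, `./run.sh`) matches, and with `vim`/`nano`/`vi` in `a0` every edit of an ordinary file fires; `falsepositives: - None` cannot hold for that selection — list routine cases such as users editing their own dotfiles, and anchor the pattern to the file name's first character. `level: low` with a `\ No newline at end of file` marker is fixed in the following commit, so no action there.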
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml index af9b62e5..c36567a5 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml @@ -21,7 +21,7 @@ detection: - vi arguments: - a1|re: '\.(.*)' - - a2|re: '\.(.*)' #in case there are some other arguments being used in a1 + - a2|re: '\.(.*)' # in case there are some other arguments being used in a1 condition: commands and arguments tags: - attack.defenseevasion From e9fa5bde2be9f3d48eb4e3f7c86432f416b9f700 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Mon, 6 Sep 2021 18:55:58 +0200 Subject: [PATCH 116/127] Update lnx_auditd_hidden_files_directories.yml Correction of tag --- rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml index c36567a5..ec1dac52 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml @@ -24,7 +24,7 @@ detection: - a2|re: '\.(.*)' # in case there are some other arguments being used in a1 condition: commands and arguments tags: - - attack.defenseevasion + - attack.defense_evasion - attack.t1564.001 falsepositives: - None From bba66ca762126855406e3851753fe844376babe1 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Tue, 7 Sep 2021 07:57:50 +0200 Subject: [PATCH 117/127] Update lnx_auditd_hidden_files_directories.yml Updating arguments section --- rules/linux/auditd/lnx_auditd_hidden_files_directories.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml index ec1dac52..629d40c9 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml @@ -20,8 +20,10 @@ detection: - nano - vi arguments: - - a1|re: '\.(.*)' - - a2|re: '\.(.*)' # in case there are some other arguments being used in a1 + - a1|contains: '/.' + - a1|startswith: '.' + - a2|contains: '/.' + - a2|startswith: '.' condition: commands and arguments tags: - attack.defense_evasion From 33be089ea2acd6ce36e971fe2af8b6119fdaa42b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:16:35 +0200 Subject: [PATCH 118/127] fix: filename to lowercase --- .../auditd/lnx_auditd_susp_c2_commands.yml | 21 ++++++++++++++ .../powershell_cl_Invocation_lolscript.yml | 27 +++++++++++++++++ .../powershell_cl_Invocation_lolscript_v2.yml | 29 +++++++++++++++++++ ...powershell_cl_Mutexverifiers_lolscript.yml | 27 +++++++++++++++++ ...ershell_cl_Mutexverifiers_lolscript_v2.yml | 29 +++++++++++++++++++ 5 files changed, 133 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_susp_c2_commands.yml create mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript.yml create mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml create mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml create mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml new file mode 100644 index 00000000..8b145606 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml 
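Review bot: `a1|startswith: '.'` also matches relative-path arguments such as `./notes.txt` and `..`, and `a1|contains: '/.'` matches the `/./` and `/../` path components, so ordinary commands like `mkdir ../build` trigger the rule; the same holds for the `a2` pair. Add a `filter` selection covering `'./'` and `'../'` prefixes and the `'/./'`/`'/../'` components and use `condition: commands and arguments and not filter`. `falsepositives: - None` (outside the hunk) should then name the remaining legitimate case, users creating or editing their own dotfiles.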
@@ -0,0 +1,21 @@ +title: Suspicious C2 Activities +id: f7158a64-6204-4d6d-868a-6e6378b467e0 +status: experimental +description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) +author: Marie Euler +references: + - 'https://github.com/Neo23x0/auditd' +date: 2020/05/18 +logsource: + product: linux + service: auditd +detection: + selection: + key: + - 'susp_activity' + condition: selection +falsepositives: + - Admin or User activity +level: medium +tags: + - attack.command_and_control \ No newline at end of file diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml new file mode 100644 index 00000000..3976c19f --- /dev/null +++ b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml @@ -0,0 +1,27 @@ +title: Execution via CL_Invocation.ps1 +id: 4cd29327-685a-460e-9dac-c3ab96e549dc +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection +falsepositives: + - Unknown +level: high 
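Review bot: The selection keys entirely on the audit key `susp_activity`, but nothing in `logsource` says the rule presupposes the referenced auditd ruleset; add a `definition:` line under `logsource:`, for example `definition: 'Requires the audit rules from https://github.com/Neo23x0/auditd, which tag the listed commands with key susp_activity'`, the way the powershell rules on this page document their script-block-logging prerequisite. The description names T1071, T1095 and T1132 while `tags:` carries only `attack.command_and_control`; adding `attack.t1071`, `attack.t1095` and `attack.t1132` keeps the two in sync. The file also ends without a trailing newline (`\ No newline at end of file`).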
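Review bot: `ScriptBlockText|contains|all` on `'CL_Invocation.ps1'` and `'SyncInvoke'` will presumably also match the 4104 event logged for the module file itself when it is imported, since the module's own text contains both strings; the comment in the v2 rule further down places that file under `c:\Windows\diagnostics\system\Audio`, so the built-in troubleshooting that ships it is a likely benign trigger and `falsepositives: - Unknown` should name it, e.g. `- Legitimate runs of the Windows diagnostics pack that ships CL_Invocation.ps1`. The same content is re-created verbatim in the lowercase copy added by patch 119 on this page, and the CL_Mutexverifiers rule has the same shape, so the same applies there.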
diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml new file mode 100644 index 00000000..5cd1d3ad --- /dev/null +++ b/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml @@ -0,0 +1,29 @@ +title: Execution via CL_Invocation.ps1 (2 Lines) +id: f588e69b-0750-46bb-8f87-0e9320d57536 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 + # PS > SyncInvoke c:\Evil.exe +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml new file mode 100644 index 00000000..a9e742a2 --- /dev/null +++ b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml 
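Review bot: `condition: selection2 | count(ScriptBlockText) by Computer > 2` requires more than two matching script blocks per host, while the title says "(2 Lines)" and the example in the comment right below the condition consists of exactly two lines (the `Import-Module` and the `SyncInvoke` call), so the documented example never fires; `condition: selection2 | count(ScriptBlockText) by Computer > 1` matches title and example. The CL_Mutexverifiers v2 rule and both lowercase copies added by patch 119 on this page carry the identical condition.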
@@ -0,0 +1,27 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml new file mode 100644 index 00000000..8a0fa3a3 --- /dev/null +++ b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml 
@@ -0,0 +1,29 @@ +title: Execution via CL_Mutexverifiers.ps1 (2 Lines) +id: 6609c444-9670-4eab-9636-fe4755a851ce +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + # PS > runAfterCancelProcess c:\Evil.exe +falsepositives: + - Unknown +level: high From 0cce1c0245ab3cbe29335bf8f91741bbb8e9305e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:17:25 +0200 Subject: [PATCH 119/127] fix: missing lowercase chars --- .../powershell_cl_invocation_lolscript.yml | 27 +++++++++++++++++ .../powershell_cl_invocation_lolscript_v2.yml | 29 +++++++++++++++++++ ...powershell_cl_mutexverifiers_lolscript.yml | 27 +++++++++++++++++ ...ershell_cl_mutexverifiers_lolscript_v2.yml | 29 +++++++++++++++++++ 4 files changed, 112 insertions(+) create mode 100644 rules/windows/powershell/powershell_cl_invocation_lolscript.yml create mode 100644 rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml create mode 100644 rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml create mode 100644 rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml 
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_invocation_lolscript.yml new file mode 100644 index 00000000..3976c19f --- /dev/null +++ b/rules/windows/powershell/powershell_cl_invocation_lolscript.yml @@ -0,0 +1,27 @@ +title: Execution via CL_Invocation.ps1 +id: 4cd29327-685a-460e-9dac-c3ab96e549dc +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml new file mode 100644 index 00000000..5cd1d3ad --- /dev/null +++ b/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml 
@@ -0,0 +1,29 @@ +title: Execution via CL_Invocation.ps1 (2 Lines) +id: f588e69b-0750-46bb-8f87-0e9320d57536 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 + # PS > SyncInvoke c:\Evil.exe +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml new file mode 100644 index 00000000..a9e742a2 --- /dev/null +++ b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml 
@@ -0,0 +1,27 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml new file mode 100644 index 00000000..8a0fa3a3 --- /dev/null +++ b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml 
@@ -0,0 +1,29 @@ +title: Execution via CL_Mutexverifiers.ps1 (2 Lines) +id: 6609c444-9670-4eab-9636-fe4755a851ce +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + # PS > runAfterCancelProcess c:\Evil.exe +falsepositives: + - Unknown +level: high From 57bfdc7a028eb7b6dd2a762dfd053ebddb31f8bf Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:19:23 +0200 Subject: [PATCH 120/127] fix: more upper case chars --- .../win_cl_invocation_lolscript.yml | 26 +++++++++++++++++++ .../win_cl_mutexverifiers_lolscript.yml | 26 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 rules/windows/process_creation/win_cl_invocation_lolscript.yml create mode 100644 rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml diff --git a/rules/windows/process_creation/win_cl_invocation_lolscript.yml b/rules/windows/process_creation/win_cl_invocation_lolscript.yml new file mode 100644 index 00000000..04a8b5dd --- /dev/null +++ b/rules/windows/process_creation/win_cl_invocation_lolscript.yml 
@@ -0,0 +1,26 @@ +title: Execution via CL_Invocation.ps1 +id: a0459f02-ac51-4c09-b511-b8c9203fc429 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe" + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml b/rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml new file mode 100644 index 00000000..4fd2f44c --- /dev/null +++ b/rules/windows/process_creation/win_cl_mutexverifiers_lolscript.yml 
@@ -0,0 +1,26 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 99465c8f-f102-4157-b11c-b0cddd53b79a +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe" + condition: selection +falsepositives: + - Unknown +level: high From 8b4fce3473e761633e737b9d18c6f04ba1338ac1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:21:44 +0200 Subject: [PATCH 121/127] removed unneeded upper ticks --- rules/windows/powershell/powershell_cl_Invocation_lolscript.yml | 2 +- .../powershell/powershell_cl_Mutexverifiers_lolscript.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml index 3976c19f..054cd341 100644 --- a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml +++ b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml index a9e742a2..3430cdd7 100644 
--- a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml +++ b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 From a8d8d878a04c8b1a7f77dcc88609b81485b73c8a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:27:11 +0200 Subject: [PATCH 122/127] remove uppercase files --- .../powershell_cl_Invocation_lolscript.yml | 27 ----------------- .../powershell_cl_Invocation_lolscript_v2.yml | 29 ------------------- ...powershell_cl_Mutexverifiers_lolscript.yml | 27 ----------------- ...ershell_cl_Mutexverifiers_lolscript_v2.yml | 29 ------------------- 4 files changed, 112 deletions(-) delete mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript.yml delete mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml delete mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml delete mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml deleted file mode 100644 index 054cd341..00000000 --- a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: Execution via CL_Invocation.ps1 -id: 4cd29327-685a-460e-9dac-c3ab96e549dc -description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - - https://twitter.com/bohops/status/948061991012327424 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: Script block logging must be enabled -detection: - selection: - EventID: 4104 - ScriptBlockText|contains|all: - - 'CL_Invocation.ps1' - - 'SyncInvoke' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml deleted file mode 100644 index 5cd1d3ad..00000000 --- a/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml +++ /dev/null @@ -1,29 +0,0 @@ -title: Execution via CL_Invocation.ps1 (2 Lines) -id: f588e69b-0750-46bb-8f87-0e9320d57536 -description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - - https://twitter.com/bohops/status/948061991012327424 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: 'Script block logging must be enabled' -detection: - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Invocation.ps1' - - 'SyncInvoke' - condition: selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - # PS > SyncInvoke c:\Evil.exe -falsepositives: - - Unknown -level: high 
diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml deleted file mode 100644 index 3430cdd7..00000000 --- a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: Execution via CL_Mutexverifiers.ps1 -id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 -description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - - https://twitter.com/pabraeken/status/995111125447577600 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: Script block logging must be enabled -detection: - selection: - EventID: 4104 - ScriptBlockText|contains|all: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' - condition: selection -falsepositives: - - Unknown -level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml deleted file mode 100644 index 8a0fa3a3..00000000 --- a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: Execution via CL_Mutexverifiers.ps1 (2 Lines) -id: 6609c444-9670-4eab-9636-fe4755a851ce -description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - - https://twitter.com/pabraeken/status/995111125447577600 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: 'Script block logging must be enabled' -detection: - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' - condition: selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - # PS > runAfterCancelProcess c:\Evil.exe -falsepositives: - - Unknown -level: high From 3a305e82b9b2e38c088bc018a48d8cb593c6a956 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 09:28:20 +0200 Subject: [PATCH 123/127] fix: remove renamed files --- .../powershell_cl_invocation_lolscript_v2.yml | 29 ------------------- ...ershell_cl_mutexverifiers_lolscript_v2.yml | 29 ------------------- 2 files changed, 58 deletions(-) delete mode 100644 rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml delete mode 100644 rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml deleted file mode 100644 index 5cd1d3ad..00000000 --- a/rules/windows/powershell/powershell_cl_invocation_lolscript_v2.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: Execution via CL_Invocation.ps1 (2 Lines) -id: f588e69b-0750-46bb-8f87-0e9320d57536 -description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml - - https://twitter.com/bohops/status/948061991012327424 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: 'Script block logging must be enabled' -detection: - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Invocation.ps1' - - 'SyncInvoke' - condition: selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - # PS > SyncInvoke c:\Evil.exe -falsepositives: - - Unknown -level: high diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml deleted file mode 100644 index 8a0fa3a3..00000000 --- a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_v2.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: Execution via CL_Mutexverifiers.ps1 (2 Lines) -id: 6609c444-9670-4eab-9636-fe4755a851ce -description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/05/21 -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml - - https://twitter.com/pabraeken/status/995111125447577600 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - product: windows - service: powershell - definition: 'Script block logging must be enabled' -detection: - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' - condition: selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - # PS > runAfterCancelProcess c:\Evil.exe -falsepositives: - - Unknown -level: high From cfbde22d2d1a6f082f7c866ac97ad1d8bdef3184 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 7 Sep 2021 10:10:14 +0200 Subject: [PATCH 124/127] rule: PRIVATELOG image load --- .../image_load/win_susp_svchost_clfsw32.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 rules/windows/image_load/win_susp_svchost_clfsw32.yml diff --git a/rules/windows/image_load/win_susp_svchost_clfsw32.yml b/rules/windows/image_load/win_susp_svchost_clfsw32.yml new file mode 100644 index 00000000..2a58dabc --- /dev/null +++ b/rules/windows/image_load/win_susp_svchost_clfsw32.yml 
@@ -0,0 +1,19 @@
+title: APT PRIVATELOG Image Load Pattern
+id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
+status: experimental
+description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
+references:
+ - https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
+author: Florian Roth
+date: 2021/09/07
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\svchost.exe'
+ ImageLoaded|endswith: '\clfsw32.dll'
+ condition: selection
+falsepositives:
+ - Rarely observed
+level: high
From eef6e71e2ef222bb484602368a146412d9e62a30 Mon Sep 17 00:00:00 2001
From: Rachel Rice
Date: Tue, 7 Sep 2021 12:39:56 +0100
Subject: [PATCH 125/127] Update AWS Update Login Profile Rule fields
Missed updating field from `responseElements.accessKey.userName` to `requestParameters.userName` on last update.
---
 rules/cloud/aws/aws_update_login_profile.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml
index 6815fe2f..b4254d07 100644
--- a/rules/cloud/aws/aws_update_login_profile.yml
+++ b/rules/cloud/aws/aws_update_login_profile.yml
@@ -5,7 +5,7 @@ description: |
 An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
 With this alert, it is used to detect anyone is changing password on behalf of other users.
 author: toffeebr33k
-date: 2021/08/09
+date: 2021/09/07
 references:
 - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
 logsource:
@@ -19,7 +19,7 @@ detection:
 condition: selection_source and not filter
 fields:
 - userIdentity.arn
- - responseElements.accessKey.userName
+ - requestParameters.userName
 - errorCode
 - errorMessage
 falsepositives:
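Review bot: The new rule has no `tags:` block, unlike every other rule added or touched on this page, so it will not surface under any ATT&CK mapping; the referenced write-up (its URL speaks of CLFS log files "for stealth") presumably supports `tags: - attack.defense_evasion` plus the matching technique id, which the page does not give and should be taken from that reference. `falsepositives: - Rarely observed` repeats the description rather than naming a benign case; if none is known, `- Unknown`, as the other rules here use, is the clearer statement.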
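Review bot: The first hunk of aws_update_login_profile.yml rewrites `date:` to the day of this edit, whereas the other rules on this page keep `date:` as the original authoring date and record later edits in a separate `modified:` line; keep `date: 2021/08/09` and add `modified: 2021/09/07` below it. The following commit on this page only reverts the date and adds no `modified:` line, so the field change in the second hunk currently leaves no trace in the rule's metadata.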
From be5351947c3c09db92cb2d5b1ad59ae0e03e3361 Mon Sep 17 00:00:00 2001
From: Rachel Rice
Date: Tue, 7 Sep 2021 16:36:59 +0100
Subject: [PATCH 126/127] Unset date update
Signed-off-by: Rachel Rice
---
 rules/cloud/aws/aws_update_login_profile.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml
index b4254d07..d8468d6d 100644
--- a/rules/cloud/aws/aws_update_login_profile.yml
+++ b/rules/cloud/aws/aws_update_login_profile.yml
@@ -5,7 +5,7 @@ description: |
 An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
 With this alert, it is used to detect anyone is changing password on behalf of other users.
 author: toffeebr33k
-date: 2021/09/07
+date: 2021/08/09
 references:
 - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
 logsource:
From 143744bc128b8de17f74b7a5c50ccf4a06cb9a5a Mon Sep 17 00:00:00 2001
From: Thomas Patzke Date: Tue, 7 Sep 2021 23:38:07 +0200 Subject: [PATCH 127/127] Various fixes * Backslashes in regular expressions * Casing of condition operators * Further small errors --- rules/network/zeek/zeek_dns_mining_pools.yml | 8 ++-- .../zeek/zeek_dns_suspicious_zbit_flag.yml | 2 +- ...ke_obfuscation_obfuscated_iex_services.yml | 2 +- ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 4 +- .../sysmon_mal_cobaltstrike_re.yml | 38 +++++++++---------- ...hell_invoke_obfuscation_obfuscated_iex.yml | 4 +- ...mon_cobaltstrike_bof_injection_pattern.yml | 4 +- .../win_detecting_fake_instances_of_hxtsr.yml | 2 +- .../win_hiding_malware_in_fonts_folder.yml | 2 +- ...obfuscation_obfuscated_iex_commandline.yml | 4 +- .../win_regedit_import_keys.yml | 2 +- .../win_regedit_import_keys_ads.yml | 2 +- rules/windows/process_creation/win_regini.yml | 2 +- .../process_creation/win_regini_ads.yml | 2 +- ...win_write_protect_for_storage_disabled.yml | 2 +- ...sing_windows_telemetry_for_persistence.yml | 2 +- 16 files changed, 41 insertions(+), 41 deletions(-) diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index c6d11204..7ca14a4f 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -7,9 +7,9 @@ date: 2021/08/19 modified: 2021/08/23 author: Saw Winn Naung, Azure-Sentinel, @neu5ron level: low -logsource: - service: dns - product: zeek +logsource: + service: dns + product: zeek tags: - attack.t1035 # an old one - attack.t1569.002 
@@ -93,7 +93,7 @@ detection:
 - "0.0.0.0"
 exclude_rejected:
 rejected: "true"
- condition: selection and not (exclude_answers OR exclude_rejected)
+ condition: selection and not (exclude_answers or exclude_rejected)
 falsepositives:
 - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
 fields:
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index 1690856f..242a62d9 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -44,7 +44,7 @@ detection:
 - '137'
 - '138'
 - '139'
- condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios)
+ condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
 falsepositives:
 - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
 - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
index aa3cec10..077f3e5c 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
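Review bot: In the zeek_dns_suspicious_zbit_flag.yml hunk, `exclude_tlds` appears twice in the rewritten condition (`... and not (exclude_tlds or exclude_tlds or exclude_query_types ...`); the duplicate is harmless at evaluation time but presumably stands for another exclusion selection that was meant to be referenced, otherwise it should simply be dropped: `condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)`. The selection definitions that would settle which it is lie above the hunk.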
@@ -16,7 +16,7 @@ detection:
 - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
 - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
 - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- - ImagePath|re: '\*mdr\*\W\s*\)\.Name'
+ - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
 - ImagePath|re: '\$VerbosePreference\.ToString\('
 - ImagePath|re: '\String\]\s*\$VerbosePreference'
 condition: selection and selection_1
diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 929ff8cb..68b9041f 100755
--- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -23,7 +23,7 @@ detection:
 ImageLoaded|endswith:
 - '\dbghelp.dll'
 - '\dbgcore.dll'
- Image|endswith:
+ Image|endswith:
 - '\msbuild.exe'
 - '\cmd.exe'
 - '\svchost.exe'
@@ -53,7 +53,7 @@ detection:
 Signed: "FALSE"
 filter:
 Image|contains: 'Visual Studio'
- condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
+ condition: (signedprocess and not filter) or (unsignedprocess and not filter)
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
index 1ecc14c6..cc18f34d 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
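Review bot: Read as a plain regex, the rewritten `'\\*mdr\*\W\s*\)\.Name'` no longer requires a leading `*`: `\\*` is "zero or more backslashes", so the alternative now matches any `mdr*` followed by `).Name`, while the two hunks in powershell_invoke_obfuscation_obfuscated_iex.yml further down this page turn the same original pattern into `'\\\\*mdr\\\\*\W\s*\)\.Name'`, which requires one or more literal backslashes on each side of `mdr` and no `*` at all. The three files thus now carry three different patterns for the same obfuscation; if the intent is a literal `*mdr*` with a backend's escaping layer accounted for, they should carry the same string, and a comment on the line stating which layer the doubled backslashes target (Sigma value escaping vs. the regex engine) would keep the next cleanup from "fixing" it again.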
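Review bot: Style, in the `@@ -53,7 +53,7 @@` hunk of sysmon_suspicious_dbghelp_dbgcore_load.yml: the rewritten condition repeats `and not filter` in both branches; `condition: (signedprocess or unsignedprocess) and not filter` is equivalent and easier to extend when further process selections are added. The selections themselves are above the hunk.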
@@ -18,25 +18,25 @@ logsource: definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)' detection: selection: - - PipeName|re: '\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' - - PipeName|re: '\\wkssvc_?[0-9a-f]{2}' - - PipeName|re: '\\ntsvcs[0-9a-f]{2}' - - PipeName|re: '\\DserNamePipe[0-9a-f]{2}' - - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}' - - PipeName|re: '\\mypipe\-(?:f|h)[0-9a-f]{2}' - - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2,3}' - - PipeName|re: '\\ntsvcs_[0-9a-f]{2}' - - PipeName|re: '\\scerpc_?[0-9a-f]{2}' - - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}' - - PipeName|re: '\\MsFteWds[0-9a-f]{2}' - - PipeName|re: '\\f4c3[0-9a-f]{2}' - - PipeName|re: '\\fullduplex_[0-9a-f]{2}' - - PipeName|re: '\\msrpc_[0-9a-f]{4}' - - PipeName|re: '\\win\\msrpc_[0-9a-f]{2}' - - PipeName|re: '\\f53f[0-9a-f]{2}' - - PipeName|re: '\\rpc_[0-9a-f]{2}' - - PipeName|re: '\\spoolss_[0-9a-f]{2}' - - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,' + - PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' + - PipeName|re: '\\\\wkssvc_?[0-9a-f]{2}' + - PipeName|re: '\\\\ntsvcs[0-9a-f]{2}' + - PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}' + - PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}' + - PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}' + - PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}' + - PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}' + - PipeName|re: '\\\\scerpc_?[0-9a-f]{2}' + - PipeName|re: '\\\\PGMessagePipe[0-9a-f]{2}' + - PipeName|re: '\\\\MsFteWds[0-9a-f]{2}' + - PipeName|re: '\\\\f4c3[0-9a-f]{2}' + - PipeName|re: '\\\\fullduplex_[0-9a-f]{2}' + - PipeName|re: 
'\\\\msrpc_[0-9a-f]{4}' + - PipeName|re: '\\\\win\\\\msrpc_[0-9a-f]{2}' + - PipeName|re: '\\\\f53f[0-9a-f]{2}' + - PipeName|re: '\\\\rpc_[0-9a-f]{2}' + - PipeName|re: '\\\\spoolss_[0-9a-f]{2}' + - PipeName|re: '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,' condition: selection falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml index 9b030a97..94164d37 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -23,7 +23,7 @@ detection: - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name' + - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - ScriptBlockText|re: '\$VerbosePreference\.ToString\(' - ScriptBlockText|re: '\String\]\s*\$VerbosePreference' selection_3: @@ -33,7 +33,7 @@ detection: - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - Payload|re: '\*mdr\*\W\s*\)\.Name' + - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - Payload|re: '\$VerbosePreference\.ToString\(' - Payload|re: '\String\]\s*\$VerbosePreference' condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) diff --git a/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml index de11db2d..7e59e4fb 100644 --- a/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml +++ b/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml 
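Review bot: Every pipe pattern now starts with `\\\\` instead of `\\`, which under ordinary regex semantics is two literal backslashes, whereas the previous `\\mojo`, `\\wkssvc_?` and so on matched the single leading `\` that a pipe name carries. This only works if a backend collapses `\\` to `\` before emitting the query; the `|re` modifier is shared by all backends, so any backend that passes the regex through verbatim will now require a doubled backslash that does not occur in the data. The same doubling is applied in the CallTrace, hxtsr, fonts, regedit/regini, write-protect and telemetry hunks below. If the doubling compensates for one backend's unescaping (the backend changes earlier in this series suggest that is the intent), it belongs in that backend's regex handling rather than in the shared rules, or at minimum the rules need a comment stating which escaping convention `|re` values follow.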
@@ -1,5 +1,5 @@ title: CobaltStrike BOF Injection Pattern -id: 09706624-b7f6-455d-9d02-adee024cee1d +id: 09706624-b7f6-455d-9d02-adee024cee1d description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes references: - https://github.com/boku7/injectAmsiBypass @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$' + CallTrace|re: '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$' GrantedAccess: - '0x1028' - '0x1fffff' diff --git a/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml index 1b381614..d5135615 100644 --- a/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml +++ b/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml @@ -15,7 +15,7 @@ detection: selection: Image: hxtsr.exe filter: - CurrentDirectory|re: '(?i)c:\\program files\\windowsapps\\microsoft\.windowscommunicationsapps_.*\\hxtsr\.exe' + CurrentDirectory|re: '(?i)c:\\\\program files\\\\windowsapps\\\\microsoft\.windowscommunicationsapps_.*\\\\hxtsr\.exe' condition: selection and not filter falsepositives: - unknown diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml index 6bc345d0..4c44ae87 100644 --- a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml +++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml 
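Review bot: Within the CallTrace regex the escaping is applied unevenly: the path separators become `\\\\` and `\.dll` becomes `\\.dll`, yet `\+`, `\|`, `\(` and `\)` stay single, and in the hxtsr hunk just below the `\.` escapes are left untouched while only the separators are doubled. As an ordinary regex, `\\.dll` is a literal backslash followed by any character, so `ntdll\\.dll` no longer matches `ntdll.dll` unless the backend rewrites it. Please apply one rule consistently — either double only the backslashes that stand for path separators, as the hxtsr hunk does, or double every escape — and state in the file which one applies. The `@@ -1,5` hunk shows no visible difference in the `id:` line, presumably trailing whitespace.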
@@ -17,7 +17,7 @@ logsource: category: process_creation detection: selection1: - CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\Windows\\Fonts\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*' + CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\\\Windows\\\\Fonts\\\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*' condition: selection1 fields: - CommandLine diff --git a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml index cd1a98ae..67ef5719 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml @@ -20,9 +20,9 @@ detection: - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - CommandLine|re: '\*mdr\*\W\s*\)\.Name' + - CommandLine|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - CommandLine|re: '\$VerbosePreference\.ToString\(' - - CommandLine|re: '\String\]\s*\$VerbosePreference' + - CommandLine|re: '\\\\String\]\s*\$VerbosePreference' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_regedit_import_keys.yml b/rules/windows/process_creation/win_regedit_import_keys.yml index 176da7f7..ff27028a 100644 --- a/rules/windows/process_creation/win_regedit_import_keys.yml +++ b/rules/windows/process_creation/win_regedit_import_keys.yml @@ -25,7 +25,7 @@ detection: - ' /a ' - ' /c ' filter_2: - CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule + CommandLine|re: ':[^ \\\\]' # to avoid intersection with ADS rule condition: selection and not filter and not filter_2 fields: - ParentImage 
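Review bot: The rewritten fonts regex keeps an unescaped `.` in the extension alternation `(.sh|.exe|.dll|...)`, so `.sh` matches any character followed by `sh` (for example `bash` or `flash`), and combined with the surrounding `.*` the rule is looser than the file extensions it appears to target. If literal extensions are meant, escape the dots (`\.sh`, `\.exe`, and so on) following whatever backslash convention this commit settles on. For the regedit/regini filter `:[^ \\\\]`, under plain regex semantics a backslash listed twice inside a character class is the same set as `[^ \\]`, so that change is a no-op unless the backend unescapes it. The fonts rule's `detection:` block continues above the hunk.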
diff --git a/rules/windows/process_creation/win_regedit_import_keys_ads.yml b/rules/windows/process_creation/win_regedit_import_keys_ads.yml index 2d347763..30fac38c 100644 --- a/rules/windows/process_creation/win_regedit_import_keys_ads.yml +++ b/rules/windows/process_creation/win_regedit_import_keys_ads.yml @@ -20,7 +20,7 @@ detection: - ' /i ' - '.reg' selection_2: - CommandLine|re: ':[^ \\]' + CommandLine|re: ':[^ \\\\]' filter: CommandLine|contains: - ' /e ' diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml index 3f1a340c..3c85a778 100644 --- a/rules/windows/process_creation/win_regini.yml +++ b/rules/windows/process_creation/win_regini.yml @@ -19,7 +19,7 @@ detection: selection: Image|endswith: '\regini.exe' filter: - CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule + CommandLine|re: ':[^ \\\\]' # to avoid intersection with ADS rule condition: selection and not filter fields: - ParentImage diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml index 9844421c..3673e52b 100644 --- a/rules/windows/process_creation/win_regini_ads.yml +++ b/rules/windows/process_creation/win_regini_ads.yml @@ -18,7 +18,7 @@ logsource: detection: selection: Image|endswith: '\regini.exe' - CommandLine|re: ':[^ \\]' + CommandLine|re: ':[^ \\\\]' condition: selection fields: - ParentImage diff --git a/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml index 4462da4e..68cbe07d 100644 --- a/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml +++ b/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml 
@@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection: - CommandLine|re: '(?i).*reg add.*hklm\\system\\currentcontrolset\\control.*(storage|storagedevicepolicies).*write protection.*0.*' + CommandLine|re: '(?i).*reg add.*hklm\\\\system\\\\currentcontrolset\\\\control.*(storage|storagedevicepolicies).*write protection.*0.*' condition: selection falsepositives: - none observed diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml index 48ba2bf0..470b8f10 100644 --- a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml @@ -38,5 +38,5 @@ logsource: category: process_creation detection: selection: - CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*' + CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\\\Application Experience\\\\Microsoft Compatibility Appraiser.*' condition: selection \ No newline at end of file
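Review bot: Both sides of the telemetry hunk end with `\ No newline at end of file`; since the rule is being edited anyway, add the trailing newline so the file is POSIX-clean and future diffs of the last line stay minimal. The regex change itself follows the backslash doubling raised on the pipe-name hunk above.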