From 961e4eef4c13c2c81fd19bef4a3575e52e9e063d Mon Sep 17 00:00:00 2001
From: grikos
Date: Sat, 5 Sep 2020 20:35:21 +0300
Subject: [PATCH] att&ck tags review: windows/process_creation part 6

---
 rules/windows/process_creation/win_spn_enum.yml | 2 +-
 rules/windows/process_creation/win_susp_bcdedit.yml | 2 +-
 rules/windows/process_creation/win_susp_bginfo.yml | 6 ++++--
 rules/windows/process_creation/win_susp_cdb.yml | 8 +++++---
 .../process_creation/win_susp_certutil_command.yml | 10 ++++++++--
 .../process_creation/win_susp_certutil_encode.yml | 4 ++++
 .../process_creation/win_susp_cmd_http_appdata.yml | 6 ++++--
 .../process_creation/win_susp_compression_params.yml | 10 ++++++----
 .../process_creation/win_susp_comsvcs_procdump.yml | 5 ++++-
 .../process_creation/win_susp_control_dll_load.yml | 8 +++-----
 .../win_susp_copy_lateral_movement.yml | 7 +++++--
 .../process_creation/win_susp_copy_system32.yml | 2 ++
 rules/windows/process_creation/win_susp_covenant.yml | 6 +++---
 .../win_susp_crackmapexec_execution.yml | 5 +++--
 .../win_susp_crackmapexec_powershell_obfuscation.yml | 7 ++++---
 rules/windows/process_creation/win_susp_csc.yml | 7 ++++++-
 rules/windows/process_creation/win_susp_csc_folder.yml | 3 +--
 .../process_creation/win_susp_curl_download.yml | 3 ++-
 .../process_creation/win_susp_curl_fileupload.yml | 5 +++--
 .../process_creation/win_susp_curl_start_combo.yml | 3 +++
 20 files changed, 72 insertions(+), 37 deletions(-)

diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml
index 7bc87568..16cf006f 100644
--- a/rules/windows/process_creation/win_spn_enum.yml
+++ b/rules/windows/process_creation/win_spn_enum.yml
@@ -8,8 +8,8 @@ author: Markus Neis, keepwatch
 date: 2018/11/14
 tags:
     - attack.credential_access
-    - attack.t1208
     - attack.t1558.003
+    - attack.t1208 # an old one
 logsource:
     category: process_creation
     product: windows
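Review bot: Keeping the retired ID `attack.t1208` in `tags` with only a YAML comment means any consumer of the tag list (sigmac tag output, an ATT&CK Navigator layer export, a SIEM field built from tags) will still report T1208 next to its replacement T1558.003, because the comment never reaches the parser. If the goal is to preserve history for rule authors, a `# superseded by t1558.003` comment on the new tag, or a line in `references`, does that without emitting a deprecated ID; otherwise drop the line. The same `# an old one` pattern recurs in most hunks of this patch, so whichever option is chosen should be applied uniformly.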
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index e87d9a38..a852aa98 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -10,8 +10,8 @@ tags:
     - attack.defense_evasion
     - attack.t1070
     - attack.persistence
-    - attack.t1067
     - attack.t1542.003
+    - attack.t1067 # an old one
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml
index 03af5d08..885676c0 100644
--- a/rules/windows/process_creation/win_susp_bginfo.yml
+++ b/rules/windows/process_creation/win_susp_bginfo.yml
@@ -7,11 +7,13 @@ references:
     - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
 author: Beyu Denis, oscd.community
 date: 2019/10/26
-modified: 2019/11/04
+modified: 2020/09/05
 tags:
-    - attack.defense_evasion
     - attack.execution
+    - attack.t1059.005
+    - attack.defense_evasion
     - attack.t1218
+    - attack.t1202
 level: medium
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml
index ff05f42f..f04df3bc 100644
--- a/rules/windows/process_creation/win_susp_cdb.yml
+++ b/rules/windows/process_creation/win_susp_cdb.yml
@@ -1,17 +1,19 @@
 title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
 id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
 status: experimental
-description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
+description: Launch 64-bit shellcode from a debugger script file using cdb.exe.
 references:
     - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
     - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
 author: Beyu Denis, oscd.community
 date: 2019/10/26
-modified: 2019/11/04
+modified: 2020/09/05
 tags:
-    - attack.defense_evasion
     - attack.execution
+    - attack.t1106
+    - attack.defense_evasion
     - attack.t1218
+    - attack.t1127
 level: medium
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml
index 789ca30b..03d13f66 100644
--- a/rules/windows/process_creation/win_susp_certutil_command.yml
+++ b/rules/windows/process_creation/win_susp_certutil_command.yml
@@ -4,8 +4,8 @@ status: experimental
 description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
 author: Florian Roth, juju4, keepwatch
-modified: 2019/01/22
 date: 2019/01/16
+modified: 2020/09/05
 references:
     - https://twitter.com/JohnLaTwC/status/835149808817991680
     - https://twitter.com/subTee/status/888102593838362624
@@ -41,9 +41,15 @@ fields:
 tags:
     - attack.defense_evasion
     - attack.t1140
+    - attack.command_and_control
     - attack.t1105
-    - attack.s0189
+    - attack.s0160
     - attack.g0007
+    - attack.g0010
+    - attack.g0045
+    - attack.g0049
+    - attack.g0075
+    - attack.g0096
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
 level: high
diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml
index 32c3c920..b0d187ed 100644
--- a/rules/windows/process_creation/win_susp_certutil_encode.yml
+++ b/rules/windows/process_creation/win_susp_certutil_encode.yml
@@ -7,6 +7,10 @@ references:
     - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 author: Florian Roth
 date: 2019/02/24
+modified: 2020/09/05
+tags:
+    - attack.defense_evasion
+    - attack.t1027
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index 64efc023..ddbf7dd1 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -7,11 +7,13 @@ references:
     - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
 author: Florian Roth
 date: 2019/01/16
+modified: 2020/09/05
 tags:
     - attack.execution
-    - attack.t1059
-    - attack.t1059.005
+    - attack.t1059.003
     - attack.t1059.001
+    - attack.command_and_control
+    - attack.t1105
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml
index cb5a3cc9..e4212245 100644
--- a/rules/windows/process_creation/win_susp_compression_params.yml
+++ b/rules/windows/process_creation/win_susp_compression_params.yml
@@ -5,12 +5,14 @@ description: Detects suspicious command line arguments of common data compressio
 references:
     - https://twitter.com/SBousseaden/status/1184067445612535811
 tags:
-    - attack.exfiltration
-    - attack.t1020
-    - attack.t1002
-    - attack.t1560
+    - attack.collection
+    - attack.t1560.001
+    - attack.exfiltration # an old one
+    - attack.t1020 # an old one
+    - attack.t1002 # an old one
 author: Florian Roth, Samir Bousseaden
 date: 2019/10/15
+modified: 2020/09/05
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index be58a43a..56832c75 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -7,6 +7,7 @@ references:
     - https://twitter.com/SBousseaden/status/1167417096374050817
 author: Modexp (idea)
 date: 2019/09/02
+modified: 2020/09/05
 logsource:
     category: process_creation
     product: windows
@@ -24,9 +25,11 @@ fields:
     - CommandLine
     - ParentCommandLine
 tags:
+    - attack.defense_evasion
+    - attack.t1218.011
     - attack.credential_access
-    - attack.t1003
     - attack.t1003.001
+    - attack.t1003 # an old one
 falsepositives:
     - unknown
 level: medium
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index cc049031..7d8927d8 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
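Review bot: `attack.exfiltration # an old one` in the win_susp_compression_params.yml hunk labels a tactic that is still current, not a retired technique ID like the T1020/T1002 lines beneath it, so the deprecation convention used elsewhere in this patch does not fit here. If the rule is meant to cover only staging via an archive utility, drop the tactic line; if exfiltration is still intended, keep it as a plain `- attack.exfiltration` without the comment. Either way a live tactic tag should not be annotated as deprecated, since a reader will otherwise assume it can be removed.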
@@ -4,15 +4,13 @@ status: experimental
 description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
 author: Florian Roth
 date: 2017/04/15
+modified: 2020/09/05
 references:
     - https://twitter.com/rikvduijn/status/853251879320662017
 tags:
     - attack.defense_evasion
-    - attack.t1073
-    - attack.t1085
-    - car.2013-10-002
-    - attack.t1218
-    - attack.t1574.002
+    - attack.t1085 # an old one
+    - attack.t1218.011
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 59b5ec8d..53841c57 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -6,11 +6,14 @@ references:
     - https://twitter.com/SBousseaden/status/1211636381086339073
 author: Florian Roth
 date: 2019/12/30
+modified: 2020/09/05
 tags:
     - attack.lateral_movement
-    - attack.t1077
-    - attack.t1105
     - attack.t1021.002
+    - attack.command_and_control
+    - attack.t1105
+    - attack.s0106
+    - attack.t1077 # an old one
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml
index 9c8f8b41..48de314d 100644
--- a/rules/windows/process_creation/win_susp_copy_system32.yml
+++ b/rules/windows/process_creation/win_susp_copy_system32.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
 author: Florian Roth, Markus Neis
 date: 2020/07/03
+modified: 2020/09/05
 references:
     - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
 logsource:
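Review bot: The win_susp_control_dll_load.yml hunk removes `car.2013-10-002` along with the ATT&CK retag, but that tag is a CAR analytic cross-reference rather than an ATT&CK ID, nothing in the new list replaces it, and the commit is described as an ATT&CK review, so the drop looks unintended and costs the rule its only link to the CAR catalogue. Unless the CAR mapping was wrong, keep `- car.2013-10-002` next to `- attack.t1218.011`. Removing `attack.t1574.002` is a judgement call on whether control.exe launching rundll32 counts as side-loading; if that was deliberate, a short `# removed: not DLL side-loading` comment or a line in the commit message would make the intent visible to the next reviewer.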
@@ -11,6 +12,7 @@ logsource:
     product: windows
 tags:
     - attack.defense_evasion
+    - attack.t1036.003
 detection:
     selection:
         CommandLine|contains:
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
index b73909f7..40fa8950 100644
--- a/rules/windows/process_creation/win_susp_covenant.yml
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -7,9 +7,9 @@ references:
 author: Florian Roth
 date: 2020/06/04
 tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086 # an old one
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
index 98071a31..b72016d4 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -8,9 +8,10 @@ tags:
     - attack.execution
     - attack.t1047
     - attack.t1053
-    - attack.t1086
-    - attack.t1059.003
+    - attack.t1059.003
     - attack.t1059.001
+    - attack.s0106
+    - attack.t1086 # an old one
 author: Thomas Patzke
 date: 2020/05/22
 logsource:
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
index 20bb2c13..4620e0b8 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
@@ -7,10 +7,11 @@ references:
     - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
 tags:
     - attack.execution
-    - attack.t1086
-    - attack.defense_evasion
-    - attack.t1027
     - attack.t1059.001
+    - attack.defense_evasion
+    - attack.t1027.005
+    - attack.t1027 # an old one
+    - attack.t1086 # an old one
 author: Thomas Patzke
 date: 2020/05/22
 logsource:
diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml
index 808df118..60c5139b 100644
--- a/rules/windows/process_creation/win_susp_csc.yml
+++ b/rules/windows/process_creation/win_susp_csc.yml
@@ -6,9 +6,14 @@ references:
     - https://twitter.com/SBousseaden/status/1094924091256176641
 author: Florian Roth
 date: 2019/02/11
+modified: 2020/09/05
 tags:
+    - attack.execution
+    - attack.t1059.005
+    - attack.t1059.007
     - attack.defense_evasion
-    - attack.t1036
+    - attack.t1500
+    - attack.t1218.005
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index 9752e5ff..3e510c6c 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -9,11 +9,10 @@ references:
     - https://twitter.com/gN3mes1s/status/1206874118282448897
 author: Florian Roth
 date: 2019/08/24
-modified: 2019/12/17
+modified: 2020/09/05
 tags:
     - attack.defense_evasion
     - attack.t1500
-    - attack.t1027
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_curl_download.yml b/rules/windows/process_creation/win_susp_curl_download.yml
index 9580d77b..197fc6ae 100644
--- a/rules/windows/process_creation/win_susp_curl_download.yml
+++ b/rules/windows/process_creation/win_susp_curl_download.yml
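Review bot: `attack.t1500` is added as a live tag in the win_susp_csc.yml hunk (and left untouched in the win_susp_csc_folder.yml hunk below it), but Compile After Delivery was folded into sub-technique T1027.004 in the ATT&CK sub-technique release, so by this patch's own convention those lines should read `- attack.t1027.004` followed by `- attack.t1500 # an old one`. The new `attack.t1059.005`, `attack.t1059.007` and `attack.t1218.005` tags on win_susp_csc.yml describe script-host and mshta parents, which is only justified if the rule's `detection` block, outside this hunk, actually matches on those parent images; worth confirming before merge rather than inferring from the title.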
@@ -4,13 +4,14 @@ status: experimental
 description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
 author: Florian Roth
 date: 2020/07/03
+modified: 2020/09/05
 references:
     - https://twitter.com/reegun21/status/1222093798009790464
 logsource:
     category: process_creation
     product: windows
 tags:
-    - attack.defense_evasion
+    - attack.command_and_control
     - attack.t1105
 detection:
     selection1:
diff --git a/rules/windows/process_creation/win_susp_curl_fileupload.yml b/rules/windows/process_creation/win_susp_curl_fileupload.yml
index c1b8f104..8284d940 100644
--- a/rules/windows/process_creation/win_susp_curl_fileupload.yml
+++ b/rules/windows/process_creation/win_susp_curl_fileupload.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects a suspicious curl process start the adds a file to a web request
 author: Florian Roth
 date: 2020/07/03
+modified: 2020/09/05
 references:
     - https://twitter.com/d1r4c/status/1279042657508081664
     - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
@@ -11,8 +12,8 @@ logsource:
     category: process_creation
     product: windows
 tags:
-    - attack.defense_evasion
-    - attack.t1105
+    - attack.exfiltration
+    - attack.t1567
 detection:
     selection:
         Image|endswith: '\curl.exe'
diff --git a/rules/windows/process_creation/win_susp_curl_start_combo.yml b/rules/windows/process_creation/win_susp_curl_start_combo.yml
index c65cfc27..57092fbb 100644
--- a/rules/windows/process_creation/win_susp_curl_start_combo.yml
+++ b/rules/windows/process_creation/win_susp_curl_start_combo.yml
@@ -6,9 +6,12 @@ references:
     - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
 author: Sreeman
 date: 2020/01/13
+modified: 2020/09/05
 tags:
     - attack.execution
     - attack.t1218
+    - attack.command_and_control
+    - attack.t1105
 logsource:
     category: process_creation
     product: windows
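Review bot: `attack.t1567` in the win_susp_curl_fileupload.yml tags hunk presumes the upload goes to a legitimate third-party web service, whereas a `curl.exe` invocation that attaches a file matches just as well when the destination is attacker-controlled infrastructure, which ATT&CK places under T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol); the visible `Image|endswith: '\curl.exe'` selection does not distinguish the two. Consider tagging both, `- attack.t1567` and `- attack.t1048.003`, or pick the one the referenced tweet actually documents. Dropping `attack.t1105` is right, since an upload is not ingress tool transfer.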
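Review bot: In the win_susp_curl_start_combo.yml hunk `attack.t1218` stays listed under `attack.execution`, while the bginfo and cdb hunks in this same patch place T1218 after `attack.defense_evasion`, the tactic ATT&CK assigns to Signed Binary Proxy Execution. For consistency add `- attack.defense_evasion` immediately before `- attack.t1218`, so tooling that groups techniques by the preceding tactic tag gives the same answer across the rule set. The rule's detection logic is outside this hunk, so whether T1218 is the right technique for a curl-then-start chain at all is not checkable here.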