Merge pull request #1732 from SigmaHQ/rule-devel

Relay attack tools and impacket binaries
2024-11-07 09:48:58 +00:00 · 2021-07-24 12:33:48 +02:00 · 2021-07-24 12:33:48 +02:00 · a090feecf5
commit a090feecf5
parent c0bc51e849 3eb37c014c
3 changed files with 116 additions and 1 deletions
--- a/rules/windows/file_event/win_hivenightmare_file_exports.yml
+++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml
@ -3,7 +3,7 @@ id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
 status: experimental
 description: Detects files written by the different tools that exploit HiveNightmare
 author: Florian Roth
-date: 2020/07/23
+date: 2021/07/23
 references:
    - https://github.com/GossiTheDog/HiveNightmare
    - https://github.com/FireFart/hivenightmare/
--- a/rules/windows/process_creation/win_impacket_compiled_tools.yml
+++ b/rules/windows/process_creation/win_impacket_compiled_tools.yml
@ -0,0 +1,71 @@
+title: Impacket Tool Execution
+id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
+description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
+author: Florian Roth
+date: 2021/07/24
+references:
+    - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
+tags:
+    - attack.execution
+    - attack.t1557.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|contains: 
+            - '\goldenPac'
+            - '\karmaSMB'
+            - '\kintercept'
+            - '\ntlmrelayx'
+            - '\rpcdump'
+            - '\samrdump'
+            - '\secretsdump'
+            - '\smbexec'
+            - '\smbrelayx'
+            - '\wmiexec'
+            - '\wmipersist'
+        - Image|endswith: 
+            # - '\addcomputer_windows.exe'
+            - '\atexec_windows.exe'
+            - '\dcomexec_windows.exe'
+            - '\dpapi_windows.exe'
+            # - '\esentutl_windows.exe'
+            - '\findDelegation_windows.exe'
+            - '\GetADUsers_windows.exe'
+            # - '\getArch_windows.exe'
+            - '\GetNPUsers_windows.exe'
+            - '\getPac_windows.exe'
+            - '\getST_windows.exe'
+            - '\getTGT_windows.exe'
+            - '\GetUserSPNs_windows.exe'
+            - '\ifmap_windows.exe'
+            # - '\lookupsid_windows.exe'
+            - '\mimikatz_windows.exe'
+            # - '\mqtt_check_windows.exe'
+            # - '\mssqlclient_windows.exe'
+            # - '\mssqlinstance_windows.exe'
+            - '\netview_windows.exe'
+            - '\nmapAnswerMachine_windows.exe'
+            #- '\ntfs-read_windows.exe'
+            - '\opdump_windows.exe'
+            # - '\ping6_windows.exe'
+            # - '\ping_windows.exe'
+            - '\psexec_windows.exe'
+            # - '\raiseChild_windows.exe'
+            - '\rdp_check_windows.exe'
+            #- '\registry-read_windows.exe'
+            #- '\reg_windows.exe'
+            - '\sambaPipe_windows.exe'
+            # - '\services_windows.exe'
+            - '\smbclient_windows.exe'
+            - '\smbserver_windows.exe'
+            - '\sniffer_windows.exe'
+            - '\sniff_windows.exe'
+            - '\split_windows.exe'
+            - '\ticketer_windows.exe'
+            # - '\wmiquery_windows.exe'
+    condition: selection
+falsepositives:
+    - Legitimate use of the impacket tools
+level: high
--- a/rules/windows/process_creation/win_tools_relay_attacks.yml
+++ b/rules/windows/process_creation/win_tools_relay_attacks.yml
@ -0,0 +1,44 @@
+title: SMB Relay Attack Tools
+id: 5589ab4f-a767-433c-961d-c91f3f704db1
+description: Detects different hacktools used for relay attacks on Windows for privilege escalation
+author: Florian Roth
+date: 2021/07/24
+references:
+    - https://attack.mitre.org/techniques/T1557/001/
+    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
+    - https://pentestlab.blog/2017/04/13/hot-potato/
+    - https://github.com/ohpe/juicy-potato
+    - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
+    - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
+tags:
+    - attack.execution
+    - attack.t1557.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_pe:
+        Image|contains: 
+            - 'PetitPotam'
+            - 'RottenPotato'
+            - 'HotPotato'
+            - 'JuicyPotato'
+            - '\just_dce_'
+            - 'Juicy Potato'
+            - '\temp\rot.exe'
+            - '\Potato.exe'
+            - '\SpoolSample.exe'
+            - '\Responder.exe'
+            - '\smbrelayx'
+            - '\ntlmrelayx'
+    selection_script:
+        CommandLine|contains:
+            - 'Invoke-Tater'
+            - ' smbrelay'
+            - ' ntlmrelay'
+            - 'cme smb '
+            - ' /ntlm:NTLMhash '
+    condition: selection_pe or selection_script
+falsepositives:
+    - Legitimate files with these rare hacktool names
+level: critical