renamed files: lowercase

2024-11-06 09:25:17 +00:00 · 2021-09-27 22:33:30 +02:00 · 2021-09-27 22:33:30 +02:00 · cee44e6688
commit cee44e6688
parent 97bb6a0257
6 changed files with 191 additions and 0 deletions
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
@ -0,0 +1,26 @@
+title: CVE-2021-1675 Print Spooler Exploitation IPC Access
+id: 8fe1c584-ee61-444b-be21-e9054b229694
+description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
+author: INIT_6
+status: experimental
+level: critical
+references:
+    - https://twitter.com/INIT_3/status/1410662463641731075
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
+date: 2021/07/02
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: '5145'
+        ShareName: '\\\*\IPC$'
+        RelativeTargetName: 'spoolss'
+        AccessMask: '0x3'
+        ObjectType: 'File'
+    condition: selection
+falsepositives:
+    - nothing observed so far
--- a/rules/windows/builtin/win_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/win_gpo_scheduledtasks.yml
@ -0,0 +1,29 @@
+title: Persistence and Execution at Scale via GPO Scheduled Task
+id: a8f29a7b-b137-4446-80a0-b804272f3da2
+description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
+author: Samir Bousseaden
+date: 2019/04/03
+references:
+    - https://twitter.com/menasec1/status/1106899890377052160
+    - https://www.secureworks.com/blog/ransomware-as-a-distraction
+tags:
+    - attack.persistence
+    - attack.lateral_movement
+    - attack.t1053          # an old one
+    - attack.t1053.005
+logsource:
+    product: windows
+    service: security
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+detection:
+    selection:
+        EventID: 5145
+        ShareName: \\*\SYSVOL
+        RelativeTargetName|endswith: 'ScheduledTasks.xml'
+        Accesses|contains: 
+            - 'WriteData'
+            - '%%4417'
+    condition: selection
+falsepositives:
+    - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
+level: high
--- a/rules/windows/other/win_exchange_transportagent_failed.yml
+++ b/rules/windows/other/win_exchange_transportagent_failed.yml
@ -0,0 +1,25 @@
+title: Failed MSExchange Transport Agent Installation
+id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
+status: experimental
+description: Detects a failed installation of a Exchange Transport Agent
+references:
+    - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+tags:
+    - attack.persistence  
+    - attack.t1505.002    
+author: Tobias Michalski  
+date: 2021/06/08  
+logsource:        
+    service: msexchange-management
+    product: windows
+detection:
+    selection:
+        EventID: 6 
+    keywords:
+        - 'Install-TransportAgent'
+    condition: selection and keywords
+fields:
+    - AssemblyPath
+falsepositives:
+    - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+level: high
--- a/rules/windows/process_creation/process_creation_sdelete.yml
+++ b/rules/windows/process_creation/process_creation_sdelete.yml
@ -0,0 +1,32 @@
+title: Sysinternals SDelete Delete File
+id: a4824fca-976f-4964-b334-0621379e84c4
+status: experimental
+author: frack113
+date: 2021/06/03
+description: Use of SDelete to erase a file not the free space
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
+tags:
+    - attack.impact
+    - attack.t1485
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        OriginalFileName: sdelete.exe
+    filter:
+        CommandLine|contains:
+            - ' -h'
+            - ' -c'
+            - ' -z'
+            - ' /?'
+    condition: selection and not filter
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - System administrator Usage
+level: medium
--- a/rules/windows/process_creation/win_susp_vboxdrvinst.yml
+++ b/rules/windows/process_creation/win_susp_vboxdrvinst.yml
@ -0,0 +1,31 @@
+title: Suspicious VBoxDrvInst.exe Parameters
+id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
+description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers.
+    For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+    - https://twitter.com/pabraeken/status/993497996179492864
+tags:
+    - attack.defense_evasion
+    - attack.t1112
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\VBoxDrvInst.exe'
+        CommandLine|contains|all:
+            - 'driver'
+            - 'executeinf'
+    condition: selection
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+level: medium
--- a/rules/windows/process_creation/win_susp_winrm_awl_bypass.yml
+++ b/rules/windows/process_creation/win_susp_winrm_awl_bypass.yml
@ -0,0 +1,48 @@
+action: global
+title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+status: experimental
+references:
+    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+author: Julia Fomina, oscd.community
+date: 2020/10/06
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+level: medium
+falsepositives:
+    - Unlikely
+---
+id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    contains_format_pretty_arg:       
+        CommandLine|contains:
+            - 'format:pretty'
+            - 'format:"pretty"'
+            - 'format:"text"'
+            - 'format:text'
+    image_from_system_folder:
+        Image|startswith: 
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+    contains_winrm:
+        CommandLine|contains: 'winrm'
+    condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
+---
+id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
+logsource:
+    product: windows
+    category: file_event
+detection:
+    system_files:
+        TargetFilename|endswith: 
+            - 'WsmPty.xsl'
+            - 'WsmTxt.xsl'
+    in_system_folder:
+        TargetFilename|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+    condition: system_files and not in_system_folder