Detect Ghost-In-The-Logs (disabling/bypassing ETW)

2024-11-07 17:58:52 +00:00 · 2020-04-08 17:57:47 +02:00 · 2020-04-08 17:57:47 +02:00 · e87f2705a7
commit e87f2705a7
parent f50767c400
3 changed files with 99 additions and 0 deletions
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@ -0,0 +1,38 @@
+title: Possible suspicous kernel driver loaded by user
+id: f63508a0-c809-4435-b3be-ed819394d612
+description: detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
+status: experimental
+references:
+    - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
+tags:
+    - attack.t1089
+    - attack.defensive_evasion
+date: 2019/04/08
+author: xknow @xknow_infosec, @xorxes
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_1:
+        EventID: 4673
+        PrivilegeList: 'SeLoadDriverPrivilege'
+        status: 'failure'
+        Service: '-'
+    selection_2:
+        ProcessName|contains:
+            - '*\Windows\System32\Dism.exe'
+            - '*\Windows\System32\rundll32.exe'
+            - '*\Windows\System32\fltMC.exe'
+            - '*\Windows\HelpPane.exe'
+            - '*\Windows\System32\mmc.exe'
+            - '*\Windows\System32\svchost.exe'
+            - '*\Windows\System32\wimserv.exe'
+            - '*\procexp64.exe'
+            - '*\procexp.exe'
+            - '*\procmon64.exe'
+            - '*\procmon.exe'
+    condition: selection_1 and not selection_2
+falsepositives:
+    - Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.
+level: Medium
--- a/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@ -0,0 +1,28 @@
+title: Suspicious PROCEXP152.sys file created in tmp folder
+id: 3da70954-0f2c-4103-adff-b7440368f50e
+description: detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
+status: experimental
+date: 2019/04/08
+author: xknow @xknow_infosec, @xorxes
+references:
+    - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+tags:
+    - attack.t1089
+    - attack.defensive_evasion
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_1:
+        EventID: 11
+        TargetFilename: '*\AppData\Local\Temp\*\PROCEXP152.sys'
+    selection_2:
+        Image|contains:
+            - '*\procexp64.exe'
+            - '*\procexp.exe'
+            - '*\procmon64.exe'
+            - '*\procmon.exe'
+    condition: selection_1 and not selection_2
+falsepositives:
+    - Other legimate tools using this driver and filename (like Sysinternals). Note: Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
+level: Medium
--- a/rules/windows/sysmon/sysmon_susp_service_installed.yml
+++ b/rules/windows/sysmon/sysmon_susp_service_installed.yml
@ -0,0 +1,33 @@
+title: Suspicious Service installed
+id: f2485272-a156-4773-82d7-1d178bc4905b
+description: detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
+status: experimental
+date: 2019/04/08
+author: xknow @xknow_infosec, @xorxes
+references:
+    - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+tags:
+    - attack.t1089
+    - attack.defensive_evasion
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_1:
+        EventID: 13
+        TargetObject:
+            - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
+            - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
+    selection_2:
+        Image|contains:
+            - '*\procexp64.exe'
+            - '*\procexp.exe'
+            - '*\procmon64.exe'
+            - '*\procmon.exe'
+    selection_3:
+        Details|contains:
+            - '*\WINDOWS\system32\Drivers\PROCEXP152.SYS'
+    condition: selection_1 and not selection_2 and not selection_3
+falsepositives:
+    - Other legimate tools using this service names and drivers. Note: Clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
+level: Medium