markdown + analytics regenerated

This commit is contained in:
sn0w0tter 2019-11-21 02:07:40 +01:00
parent 8254d1b486
commit 8ba60aab59
284 changed files with 12385 additions and 8510 deletions


@ -4,4 +4,4 @@
| Description | Some text description here. It will be merged into one line. |
| Data Needed |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| Detection Rule | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[Suspicious XOR Encoded PowerShell Command Line](../Detection_Rules/powershell_xor_commandline.md)</li><li>[Hiding files with attrib.exe](../Detection_Rules/win_attrib_hiding_files.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
| Detection Rule | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[Suspicious XOR Encoded PowerShell Command Line](../Detection_Rules/win_powershell_xor_commandline.md)</li><li>[Hiding files with attrib.exe](../Detection_Rules/win_attrib_hiding_files.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
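Review bot: the only change in this hunk is the link target for "Suspicious XOR Encoded PowerShell Command Line", from `../Detection_Rules/powershell_xor_commandline.md` to `../Detection_Rules/win_powershell_xor_commandline.md`; please confirm the renamed rule page is part of this commit, otherwise the regenerated table links to a file that does not exist. The Description row above it still carries the template placeholder "Some text description here. It will be merged into one line.", which should be filled in or dropped before this page is published.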


@ -59,6 +59,27 @@ level: critical
### es-qs
```
Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Antivirus-Exploitation-Framework-Detection <<EOF\n{\n "metadata": {\n "title": "Antivirus Exploitation Framework Detection",\n "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework",\n "tags": [\n "attack.execution",\n "attack.t1203",\n "attack.command_and_control",\n "attack.t1219"\n ],\n "query": "Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Antivirus Exploitation Framework Detection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Signature.keyword:(*MeteTool* *MPreter* *Meterpreter* *Metasploit* *PowerSploit* *CobaltSrike* *Swrort* *Rozena* *Backdoor.Cobalt*)
```
### splunk
```
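Review bot: the xpack-watcher block in this hunk is emitted with literal `\n` and `\'` escape sequences instead of real newlines and quotes, so the curl command cannot be pasted as shown: `-H \'Content-Type: application/json\'` passes a stray quote into the header value and the heredoc body arrives as one line of `\n` tokens. The generator appears to write the Python string representation of the watcher output; writing the raw multi-line string fixes every xpack-watcher section regenerated in this commit.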
@ -66,4 +87,18 @@ level: critical
```
### logpoint
```
Signature IN ["*MeteTool*", "*MPreter*", "*Meterpreter*", "*Metasploit*", "*PowerSploit*", "*CobaltSrike*", "*Swrort*", "*Rozena*", "*Backdoor.Cobalt*"]
```
### grep
```
grep -P '^(?:.*.*MeteTool.*|.*.*MPreter.*|.*.*Meterpreter.*|.*.*Metasploit.*|.*.*PowerSploit.*|.*.*CobaltSrike.*|.*.*Swrort.*|.*.*Rozena.*|.*.*Backdoor\\.Cobalt.*)'
```
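Review bot: style point on the grep line: every alternative starts with `.*.*` (for example `.*.*MeteTool.*`), a doubled wildcard left over from wrapping an already-wildcarded term in `.*…`; collapsing it to a single `.*` yields the same matches and a readable regex. The pattern also drops the `Signature` field qualifier, so any log line mentioning `Metasploit` matches, which is acceptable for a grep fallback but worth stating in the page.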


@ -56,6 +56,27 @@ level: critical
### es-qs
```
Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Antivirus-Password-Dumper-Detection <<EOF\n{\n "metadata": {\n "title": "Antivirus Password Dumper Detection",\n "description": "Detects a highly relevant Antivirus alert that reports a password dumper",\n "tags": [\n "attack.credential_access",\n "attack.t1003"\n ],\n "query": "Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Antivirus Password Dumper Detection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Signature.keyword:(*DumpCreds* *Mimikatz* *PWCrack* HTool\\/WCE *PSWtool* *PWDump* *SecurityTool* *PShlSpy*)
```
### splunk
```
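Review bot: the watcher in this hunk filters on `"timestamp": {"gte": "now-30m/m"}` but its email template reads `{{_source.@timestamp}}`, so the range filter and the notification disagree on the name of the timestamp field. If the indexed documents carry `@timestamp`, as the template assumes, the filter never matches and the watch stays silent; both places should use the same field.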
@ -63,4 +84,18 @@ level: critical
```
### logpoint
```
Signature IN ["*DumpCreds*", "*Mimikatz*", "*PWCrack*", "HTool/WCE", "*PSWtool*", "*PWDump*", "*SecurityTool*", "*PShlSpy*"]
```
### grep
```
grep -P '^(?:.*.*DumpCreds.*|.*.*Mimikatz.*|.*.*PWCrack.*|.*HTool/WCE|.*.*PSWtool.*|.*.*PWDump.*|.*.*SecurityTool.*|.*.*PShlSpy.*)'
```


@ -68,6 +68,27 @@ level: high
### es-qs
```
FileName.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\Temp\\\\* OR *\\\\Client\\\\* OR C\\:\\\\PerfLogs\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.wsf OR *.wsh)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Antivirus-Relevant-File-Paths-Alerts <<EOF\n{\n "metadata": {\n "title": "Antivirus Relevant File Paths Alerts",\n "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name",\n "tags": "",\n "query": "FileName.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR C\\\\:\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\Client\\\\\\\\* OR C\\\\:\\\\\\\\PerfLogs\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.wsf OR *.wsh)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "FileName.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR C\\\\:\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\Client\\\\\\\\* OR C\\\\:\\\\\\\\PerfLogs\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.wsf OR *.wsh)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Antivirus Relevant File Paths Alerts\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nSignature = {{_source.Signature}}\\n User = 
{{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
FileName.keyword:(C\\:\\\\Windows\\\\Temp\\\\* C\\:\\\\Temp\\\\* *\\\\Client\\\\* C\\:\\\\PerfLogs\\\\* C\\:\\\\Users\\\\Public\\\\* C\\:\\\\Users\\\\Default\\\\* *.ps1 *.vbs *.bat *.chm *.xml *.txt *.jsp *.jspx *.asp *.aspx *.php *.war *.hta *.lnk *.scf *.wsf *.wsh)
```
### splunk
```
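Review bot: `"tags": ""` in the watcher metadata of this hunk is an empty string, while every other regenerated watch emits `tags` as a JSON array (e.g. `["attack.execution", "attack.t1203"]`). Anything that iterates over `metadata.tags` will break on this one watch; the generator should emit `[]` when a rule has no tags.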
@ -75,4 +96,18 @@ level: high
```
### logpoint
```
FileName IN ["C:\\\\Windows\\\\Temp\\\\*", "C:\\\\Temp\\\\*", "*\\\\Client\\\\*", "C:\\\\PerfLogs\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*", "*.ps1", "*.vbs", "*.bat", "*.chm", "*.xml", "*.txt", "*.jsp", "*.jspx", "*.asp", "*.aspx", "*.php", "*.war", "*.hta", "*.lnk", "*.scf", "*.wsf", "*.wsh"]
```
### grep
```
grep -P '^(?:.*C:\\Windows\\Temp\\\\.*|.*C:\\Temp\\\\.*|.*.*\\\\Client\\\\.*|.*C:\\PerfLogs\\\\.*|.*C:\\Users\\Public\\\\.*|.*C:\\Users\\Default\\\\.*|.*.*\\.ps1|.*.*\\.vbs|.*.*\\.bat|.*.*\\.chm|.*.*\\.xml|.*.*\\.txt|.*.*\\.jsp|.*.*\\.jspx|.*.*\\.asp|.*.*\\.aspx|.*.*\\.php|.*.*\\.war|.*.*\\.hta|.*.*\\.lnk|.*.*\\.scf|.*.*\\.wsf|.*.*\\.wsh)'
```
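Review bot: the path escaping in the grep regex is inconsistent: separators inside a path are written `\\` (as in `C:\\Windows\\Temp`) but the separator in front of each wildcard is `\\\\` (as in `Temp\\\\.*` and `\\\\Client\\\\.*`), so whichever way the markdown renders backslashes, one of the two forms is wrong and the pattern will not match a plain `C:\Windows\Temp\<file>` path. The es-qs and logpoint variants in the same file use one separator form throughout; the grep backend's wildcard-to-`.*` conversion appears to escape the preceding backslash a second time.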


@ -55,6 +55,27 @@ level: critical
### es-qs
```
Signature.keyword:(PHP\\/Backdoor* OR JSP\\/Backdoor* OR ASP\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Antivirus-Web-Shell-Detection <<EOF\n{\n "metadata": {\n "title": "Antivirus Web Shell Detection",\n "description": "Detects a highly relevant Antivirus alert that reports a web shell",\n "tags": [\n "attack.persistence",\n "attack.t1100"\n ],\n "query": "Signature.keyword:(PHP\\\\/Backdoor* OR JSP\\\\/Backdoor* OR ASP\\\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Signature.keyword:(PHP\\\\/Backdoor* OR JSP\\\\/Backdoor* OR ASP\\\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Antivirus Web Shell Detection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Signature.keyword:(PHP\\/Backdoor* JSP\\/Backdoor* ASP\\/Backdoor* Backdoor.PHP* Backdoor.JSP* Backdoor.ASP* *Webshell*)
```
### splunk
```
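Review bot: in the email body of this watcher, `User = {{_source.User}}` runs straight into the `====` separator with no `\\n` between them, so each hit's user name is printed glued to the rule line; the watches that dump `{{_source}}` emit `\\n` before the separator. Adding the newline after `{{_source.User}}` applies to all four Antivirus watches in this commit, which share the same template.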
@ -62,4 +83,18 @@ level: critical
```
### logpoint
```
Signature IN ["PHP/Backdoor*", "JSP/Backdoor*", "ASP/Backdoor*", "Backdoor.PHP*", "Backdoor.JSP*", "Backdoor.ASP*", "*Webshell*"]
```
### grep
```
grep -P '^(?:.*PHP/Backdoor.*|.*JSP/Backdoor.*|.*ASP/Backdoor.*|.*Backdoor\\.PHP.*|.*Backdoor\\.JSP.*|.*Backdoor\\.ASP.*|.*.*Webshell.*)'
```


@ -53,6 +53,27 @@ tags:
### es-qs
```
(EventID:"4104" AND keywords.keyword:*\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\-Archive*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Data-Compressed <<EOF\n{\n "metadata": {\n "title": "Data Compressed",\n "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network",\n "tags": [\n "attack.exfiltration",\n "attack.t1002"\n ],\n "query": "(EventID:\\"4104\\" AND keywords.keyword:*\\\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\\\-Archive*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4104\\" AND keywords.keyword:*\\\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\\\-Archive*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Data Compressed\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4104" AND keywords.keyword:*\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\-Archive*)
```
### splunk
```
@ -60,4 +81,18 @@ tags:
```
### logpoint
```
(event_id="4104" keywords="*-Recurse*" keywords="*|*" keywords="*Compress-Archive*")
```
### grep
```
grep -P '^(?:.*(?=.*4104)(?=.*.*-Recurse.*)(?=.*.*\\|.*)(?=.*.*Compress-Archive.*))'
```


@ -50,6 +50,27 @@ level: medium
### es-qs
```
((EventID:"400" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Downgrade-Attack <<EOF\n{\n "metadata": {\n "title": "PowerShell Downgrade Attack",\n "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0",\n "tags": [\n "attack.defense_evasion",\n "attack.execution",\n "attack.t1086"\n ],\n "query": "((EventID:\\"400\\" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"400\\" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell Downgrade Attack\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"400" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))
```
### splunk
```
@ -57,4 +78,18 @@ level: medium
```
### logpoint
```
((event_id="400" EngineVersion="2.*") -(HostVersion="2.*"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*400)(?=.*2\\..*)))(?=.*(?!.*(?:.*(?=.*2\\..*)))))'
```
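Review bot: the grep regex in this hunk can never match: `(?=.*2\\..*)` requires `2.` somewhere on the line (the EngineVersion condition) and `(?!.*(?:.*(?=.*2\\..*)))` forbids `2.` anywhere on the same line (the negated HostVersion condition). Once the field names are dropped the two conditions collapse onto the same text and contradict each other, so the grep variant of this rule should be omitted or marked as not expressible without fields.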


@ -52,6 +52,27 @@ level: high
### es-qs
```
(EventID:"400" AND EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND HostVersion.keyword:3.*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-called-from-an-Executable-Version-Mismatch <<EOF\n{\n "metadata": {\n "title": "PowerShell called from an Executable Version Mismatch",\n "description": "Detects PowerShell called from an executable by the version mismatch method",\n "tags": [\n "attack.defense_evasion",\n "attack.execution",\n "attack.t1086"\n ],\n "query": "(EventID:\\"400\\" AND EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND HostVersion.keyword:3.*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"400\\" AND EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND HostVersion.keyword:3.*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell called from an Executable Version Mismatch\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"400" AND EngineVersion.keyword:(2.* 4.* 5.*) AND HostVersion.keyword:3.*)
```
### splunk
```
@ -59,4 +80,18 @@ level: high
```
### logpoint
```
(event_id="400" EngineVersion IN ["2.*", "4.*", "5.*"] HostVersion="3.*")
```
### grep
```
grep -P '^(?:.*(?=.*400)(?=.*(?:.*2\\..*|.*4\\..*|.*5\\..*))(?=.*3\\..*))'
```
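Review bot: the grep line in this hunk keeps only the values once the fields are gone, so `(?=.*400)`, `(?=.*(?:.*2\\..*|.*4\\..*|.*5\\..*))` and `(?=.*3\\..*)` match any `400`, `2.`/`4.`/`5.` and `3.` anywhere on the line, timestamps and IP addresses included; the EngineVersion versus HostVersion comparison the rule is about is not preserved. A caveat beside the grep section, or a field-aware pattern where the log format is known, would prevent readers from treating this output as equivalent to the other backends.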



@ -67,6 +67,27 @@ level: high
### es-qs
```
Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Malicious-PowerShell-Keywords <<EOF\n{\n "metadata": {\n "title": "Malicious PowerShell Keywords",\n "description": "Detects keywords from well-known PowerShell exploitation frameworks",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Malicious PowerShell Keywords\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Message.keyword:(*AdjustTokenPrivileges* *IMAGE_NT_OPTIONAL_HDR64_MAGIC* *Microsoft.Win32.UnsafeNativeMethods* *ReadProcessMemory.Invoke* *SE_PRIVILEGE_ENABLED* *LSA_UNICODE_STRING* *MiniDumpWriteDump* *PAGE_EXECUTE_READ* *SECURITY_DELEGATION* *TOKEN_ADJUST_PRIVILEGES* *TOKEN_ALL_ACCESS* *TOKEN_ASSIGN_PRIMARY* *TOKEN_DUPLICATE* *TOKEN_ELEVATION* *TOKEN_IMPERSONATE* *TOKEN_INFORMATION_CLASS* *TOKEN_PRIVILEGES* *TOKEN_QUERY* *Metasploit* *Mimikatz*)
```
### splunk
```
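Review bot: `"indices": []` in the watcher's search input leaves the watch unscoped; `title`, `tags` and `query` are filled in from the rule, but the index is a deployment-specific value the user must edit by hand before the curl call does what the page implies. Emitting a clearly marked placeholder, or a configurable default in the generator, would make that step visible rather than silent.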
@ -74,4 +95,18 @@ level: high
```
### logpoint
```
Message IN ["*AdjustTokenPrivileges*", "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*", "*Microsoft.Win32.UnsafeNativeMethods*", "*ReadProcessMemory.Invoke*", "*SE_PRIVILEGE_ENABLED*", "*LSA_UNICODE_STRING*", "*MiniDumpWriteDump*", "*PAGE_EXECUTE_READ*", "*SECURITY_DELEGATION*", "*TOKEN_ADJUST_PRIVILEGES*", "*TOKEN_ALL_ACCESS*", "*TOKEN_ASSIGN_PRIMARY*", "*TOKEN_DUPLICATE*", "*TOKEN_ELEVATION*", "*TOKEN_IMPERSONATE*", "*TOKEN_INFORMATION_CLASS*", "*TOKEN_PRIVILEGES*", "*TOKEN_QUERY*", "*Metasploit*", "*Mimikatz*"]
```
### grep
```
grep -P '^(?:.*.*AdjustTokenPrivileges.*|.*.*IMAGE_NT_OPTIONAL_HDR64_MAGIC.*|.*.*Microsoft\\.Win32\\.UnsafeNativeMethods.*|.*.*ReadProcessMemory\\.Invoke.*|.*.*SE_PRIVILEGE_ENABLED.*|.*.*LSA_UNICODE_STRING.*|.*.*MiniDumpWriteDump.*|.*.*PAGE_EXECUTE_READ.*|.*.*SECURITY_DELEGATION.*|.*.*TOKEN_ADJUST_PRIVILEGES.*|.*.*TOKEN_ALL_ACCESS.*|.*.*TOKEN_ASSIGN_PRIMARY.*|.*.*TOKEN_DUPLICATE.*|.*.*TOKEN_ELEVATION.*|.*.*TOKEN_IMPERSONATE.*|.*.*TOKEN_INFORMATION_CLASS.*|.*.*TOKEN_PRIVILEGES.*|.*.*TOKEN_QUERY.*|.*.*Metasploit.*|.*.*Mimikatz.*)'
```


@ -48,6 +48,27 @@ level: high
### es-qs
```
\\*.keyword:(*set\\-content* AND *\\-stream*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/NTFS-Alternate-Data-Stream <<EOF\n{\n "metadata": {\n "title": "NTFS Alternate Data Stream",\n "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.",\n "tags": [\n "attack.defense_evasion",\n "attack.t1096"\n ],\n "query": "\\\\*.keyword:(*set\\\\-content* AND *\\\\-stream*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "\\\\*.keyword:(*set\\\\-content* AND *\\\\-stream*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'NTFS Alternate Data Stream\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
\\*.keyword:(*set\\-content* AND *\\-stream*)
```
### splunk
```
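Review bot: the description in this watcher says the rule "Needs Script Block Logging", yet neither the es-qs query `\\*.keyword:(*set\\-content* AND *\\-stream*)` nor the watcher query constrains `EventID`, unlike the credential-prompt and shellcode rules in this commit, which carry `EventID:"4104"`. As emitted, `set-content` plus `-stream` is matched across every field of every document in the index; if the source rule's logsource implies event 4104, the generated query should say so.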
@ -55,4 +76,18 @@ level: high
```
### logpoint
```
("set-content" "-stream")
```
### grep
```
grep -P '^(?:.*(?=.*set-content)(?=.*-stream))'
```


@ -51,6 +51,27 @@ level: high
### es-qs
```
(EventID:"4104" AND Message.keyword:(*PromptForCredential*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Credential-Prompt <<EOF\n{\n "metadata": {\n "title": "PowerShell Credential Prompt",\n "description": "Detects PowerShell calling a credential prompt",\n "tags": [\n "attack.execution",\n "attack.credential_access",\n "attack.t1086"\n ],\n "query": "(EventID:\\"4104\\" AND Message.keyword:(*PromptForCredential*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4104\\" AND Message.keyword:(*PromptForCredential*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell Credential Prompt\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4104" AND Message.keyword:(*PromptForCredential*))
```
### splunk
```
@ -58,4 +79,18 @@ level: high
```
### logpoint
```
(event_id="4104" Message IN ["*PromptForCredential*"])
```
### grep
```
grep -P '^(?:.*(?=.*4104)(?=.*(?:.*.*PromptForCredential.*)))'
```


@ -48,6 +48,27 @@ level: high
### es-qs
```
(EventID:"4103" AND "PS\\ ATTACK\\!\\!\\!")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-PSAttack <<EOF\n{\n "metadata": {\n "title": "PowerShell PSAttack",\n "description": "Detects the use of PSAttack PowerShell hack tool",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "(EventID:\\"4103\\" AND \\"PS\\\\ ATTACK\\\\!\\\\!\\\\!\\")"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4103\\" AND \\"PS\\\\ ATTACK\\\\!\\\\!\\\\!\\")",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell PSAttack\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4103" AND "PS ATTACK\\!\\!\\!")
```
### splunk
```
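Review bot: the es-qs line quotes the phrase as `"PS\\ ATTACK\\!\\!\\!"` while the graylog line emits `"PS ATTACK\\!\\!\\!"`; inside a quoted phrase neither the space nor `!` needs escaping, and the two backends disagreeing suggests escaping is applied before the quotes are added. Unescaped text inside the quotes would be consistent across backends and easy to check against the plain `PS ATTACK!!!` that the logpoint and grep sections emit.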
@ -55,4 +76,18 @@ level: high
```
### logpoint
```
(event_id="4103" "PS ATTACK!!!")
```
### grep
```
grep -P '^(?:.*(?=.*4103)(?=.*PS ATTACK!!!))'
```


@ -54,6 +54,27 @@ level: critical
### es-qs
```
((EventID:"4104" AND "*AAAAYInlM*") AND \\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-ShellCode <<EOF\n{\n "metadata": {\n "title": "PowerShell ShellCode",\n "description": "Detects Base64 encoded Shellcode",\n "tags": [\n "attack.privilege_escalation",\n "attack.execution",\n "attack.t1055",\n "attack.t1086"\n ],\n "query": "((EventID:\\"4104\\" AND \\"*AAAAYInlM*\\") AND \\\\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"4104\\" AND \\"*AAAAYInlM*\\") AND \\\\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell ShellCode\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"4104" AND "*AAAAYInlM*") AND \\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
```
### splunk
```
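Review bot: in the es-qs and watcher queries of this hunk, `"*AAAAYInlM*"` is a quoted phrase, and Lucene query_string treats the asterisks inside quotes as part of the phrase rather than as wildcards, so this term is looked up literally instead of as a substring; the second keyword set on the same line, `\\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*)`, is unquoted and wildcarded as intended. The first term should be emitted the same way, otherwise the `AND` makes the whole rule depend on a match that will not occur.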
@ -61,4 +82,18 @@ level: critical
```
### logpoint
```
((event_id="4104" "*AAAAYInlM*") ("*OiCAAAAYInlM*" OR "*OiJAAAAYInlM*"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*4104)(?=.*.*AAAAYInlM.*)))(?=.*(?:.*(?:.*.*OiCAAAAYInlM.*|.*.*OiJAAAAYInlM.*))))'
```


@ -45,6 +45,27 @@ level: medium
### es-qs
```
Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* OR *system.net.webclient\\).downloadfile\\(*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Download <<EOF\n{\n "metadata": {\n "title": "Suspicious PowerShell Download",\n "description": "Detects suspicious PowerShell download command",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "Message.keyword:(*System.Net.WebClient\\\\).DownloadString\\\\(* OR *system.net.webclient\\\\).downloadfile\\\\(*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Message.keyword:(*System.Net.WebClient\\\\).DownloadString\\\\(* OR *system.net.webclient\\\\).downloadfile\\\\(*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious PowerShell Download\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* *system.net.webclient\\).downloadfile\\(*)
```
### splunk
```
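Review bot: the `Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* OR *system.net.webclient\\).downloadfile\\(*)` query in the es-qs and graylog blocks of this hunk runs against a keyword field, which is case-sensitive, so only the two exact casings listed are caught: the canonical `System.Net.WebClient).DownloadFile(` and any mixed-case `downloadstring` fall through. Either add the missing casing variants to the source rule or point the conversion at an analysed (case-insensitive) text field instead of `.keyword`. Separately, the xpack-watcher body still carries the generator defaults `"indices": []` and `"to": "root@localhost"`; an empty index list puts no restriction on which indices the watch searches, so both should be documented as placeholders to fill in before the watch is installed.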
@ -52,4 +73,18 @@ level: medium
```
### logpoint
```
Message IN ["*System.Net.WebClient).DownloadString(*", "*system.net.webclient).downloadfile(*"]
```
### grep
```
grep -P '^(?:.*.*System\\.Net\\.WebClient\\)\\.DownloadString\\(.*|.*.*system\\.net\\.webclient\\)\\.downloadfile\\(.*)'
```

View File

@ -53,6 +53,27 @@ level: high
### es-qs
```
(\\*.keyword:(*\\ \\-enc\\ * OR *\\ \\-EncodedCommand\\ *) AND \\*.keyword:(*\\ \\-w\\ hidden\\ * OR *\\ \\-window\\ hidden\\ * OR *\\ \\-\\ windowstyle\\ hidden\\ *) AND \\*.keyword:(*\\ \\-noni\\ * OR *\\ \\-noninteractive\\ *))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Invocations---Generic <<EOF\n{\n "metadata": {\n "title": "Suspicious PowerShell Invocations - Generic",\n "description": "Detects suspicious PowerShell invocation command parameters",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "(\\\\*.keyword:(*\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-EncodedCommand\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-w\\\\ hidden\\\\ * OR *\\\\ \\\\-window\\\\ hidden\\\\ * OR *\\\\ \\\\-\\\\ windowstyle\\\\ hidden\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-noni\\\\ * OR *\\\\ \\\\-noninteractive\\\\ *))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(\\\\*.keyword:(*\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-EncodedCommand\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-w\\\\ hidden\\\\ * OR *\\\\ \\\\-window\\\\ hidden\\\\ * OR *\\\\ \\\\-\\\\ windowstyle\\\\ hidden\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-noni\\\\ * OR *\\\\ \\\\-noninteractive\\\\ *))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious PowerShell Invocations - Generic\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(\\*.keyword:(* \\-enc * OR * \\-EncodedCommand *) AND \\*.keyword:(* \\-w hidden * OR * \\-window hidden * OR * \\- windowstyle hidden *) AND \\*.keyword:(* \\-noni * OR * \\-noninteractive *))
```
### splunk
```
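Review bot: the third alternative of the window-style group in this hunk's es-qs line, `*\\ \\-\\ windowstyle\\ hidden\\ *` (rendered as ` \- windowstyle hidden ` in the graylog line), has a space between the dash and `windowstyle`, unlike its siblings ` -w hidden ` and ` -window hidden `; PowerShell's parameter is written `-windowstyle hidden` without that space, so this alternative can never match and looks like a typo in the source rule that every backend here reproduces faithfully. Fix it in the YAML and regenerate rather than patching the backend output.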
@ -60,4 +81,18 @@ level: high
```
### logpoint
```
((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " - windowstyle hidden ") (" -noni " OR " -noninteractive "))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?:.* -enc |.* -EncodedCommand )))(?=.*(?:.*(?:.* -w hidden |.* -window hidden |.* - windowstyle hidden )))(?=.*(?:.*(?:.* -noni |.* -noninteractive ))))'
```

View File

@ -49,6 +49,27 @@ level: high
### es-qs
```
Message.keyword:(*\\ \\-nop\\ \\-w\\ hidden\\ \\-c\\ *\\ \\[Convert\\]\\:\\:FromBase64String* OR *\\ \\-w\\ hidden\\ \\-noni\\ \\-nop\\ \\-c\\ \\"iex\\(New\\-Object* OR *\\ \\-w\\ hidden\\ \\-ep\\ bypass\\ \\-Enc* OR *powershell.exe\\ reg\\ add\\ HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run* OR *bypass\\ \\-noprofile\\ \\-windowstyle\\ hidden\\ \\(new\\-object\\ system.net.webclient\\).download* OR *iex\\(New\\-Object\\ Net.WebClient\\).Download*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Invocations---Specific <<EOF\n{\n "metadata": {\n "title": "Suspicious PowerShell Invocations - Specific",\n "description": "Detects suspicious PowerShell invocation command parameters",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "Message.keyword:(*\\\\ \\\\-nop\\\\ \\\\-w\\\\ hidden\\\\ \\\\-c\\\\ *\\\\ \\\\[Convert\\\\]\\\\:\\\\:FromBase64String* OR *\\\\ \\\\-w\\\\ hidden\\\\ \\\\-noni\\\\ \\\\-nop\\\\ \\\\-c\\\\ \\\\\\"iex\\\\(New\\\\-Object* OR *\\\\ \\\\-w\\\\ hidden\\\\ \\\\-ep\\\\ bypass\\\\ \\\\-Enc* OR *powershell.exe\\\\ reg\\\\ add\\\\ HKCU\\\\\\\\software\\\\\\\\microsoft\\\\\\\\windows\\\\\\\\currentversion\\\\\\\\run* OR *bypass\\\\ \\\\-noprofile\\\\ \\\\-windowstyle\\\\ hidden\\\\ \\\\(new\\\\-object\\\\ system.net.webclient\\\\).download* OR *iex\\\\(New\\\\-Object\\\\ Net.WebClient\\\\).Download*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Message.keyword:(*\\\\ \\\\-nop\\\\ \\\\-w\\\\ hidden\\\\ \\\\-c\\\\ *\\\\ \\\\[Convert\\\\]\\\\:\\\\:FromBase64String* OR *\\\\ \\\\-w\\\\ hidden\\\\ \\\\-noni\\\\ \\\\-nop\\\\ \\\\-c\\\\ \\\\\\"iex\\\\(New\\\\-Object* OR *\\\\ \\\\-w\\\\ hidden\\\\ \\\\-ep\\\\ bypass\\\\ \\\\-Enc* OR *powershell.exe\\\\ reg\\\\ add\\\\ HKCU\\\\\\\\software\\\\\\\\microsoft\\\\\\\\windows\\\\\\\\currentversion\\\\\\\\run* OR *bypass\\\\ \\\\-noprofile\\\\ \\\\-windowstyle\\\\ hidden\\\\ \\\\(new\\\\-object\\\\ system.net.webclient\\\\).download* OR *iex\\\\(New\\\\-Object\\\\ Net.WebClient\\\\).Download*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": 
{\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious PowerShell Invocations - Specific\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Message.keyword:(* \\-nop \\-w hidden \\-c * \\[Convert\\]\\:\\:FromBase64String* * \\-w hidden \\-noni \\-nop \\-c \\"iex\\(New\\-Object* * \\-w hidden \\-ep bypass \\-Enc* *powershell.exe reg add HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run* *bypass \\-noprofile \\-windowstyle hidden \\(new\\-object system.net.webclient\\).download* *iex\\(New\\-Object Net.WebClient\\).Download*)
```
### splunk
```
@ -56,4 +77,18 @@ level: high
```
### logpoint
```
Message IN ["* -nop -w hidden -c * [Convert]::FromBase64String*", "* -w hidden -noni -nop -c \\"iex(New-Object*", "* -w hidden -ep bypass -Enc*", "*powershell.exe reg add HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run*", "*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*", "*iex(New-Object Net.WebClient).Download*"]
```
### grep
```
grep -P \'^(?:.*.* -nop -w hidden -c .* \\[Convert\\]::FromBase64String.*|.*.* -w hidden -noni -nop -c "iex\\(New-Object.*|.*.* -w hidden -ep bypass -Enc.*|.*.*powershell\\.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run.*|.*.*bypass -noprofile -windowstyle hidden \\(new-object system\\.net\\.webclient\\)\\.download.*|.*.*iex\\(New-Object Net\\.WebClient\\)\\.Download.*)\'
```
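Review bot: in the grep pattern closing this hunk the registry path is emitted as `HKCU\\software\\microsoft\\windows\\currentversion\\run`, at the same backslash depth as the metacharacter escapes `\\[Convert\\]` and `\\(new-object` on the same line, so inside the PCRE each backslash escapes the letter that follows it (`\s`, `\m`, `\w`, `\c`, `\r`) instead of matching a literal path separator; compare the es-qs line earlier on this page, which doubles them to `HKCU\\\\software\\\\microsoft...`. The grep backend should escape a backslash from the source rule the same way it already escapes `[`, `(` and `.`.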

View File

@ -48,6 +48,27 @@ level: high
### es-qs
```
Message.keyword:(*\\[System.Reflection.Assembly\\]\\:\\:Load*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Keywords <<EOF\n{\n "metadata": {\n "title": "Suspicious PowerShell Keywords",\n "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "Message.keyword:(*\\\\[System.Reflection.Assembly\\\\]\\\\:\\\\:Load*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Message.keyword:(*\\\\[System.Reflection.Assembly\\\\]\\\\:\\\\:Load*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious PowerShell Keywords\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Message.keyword:(*\\[System.Reflection.Assembly\\]\\:\\:Load*)
```
### splunk
```
@ -55,4 +76,18 @@ level: high
```
### logpoint
```
Message IN ["*[System.Reflection.Assembly]::Load*"]
```
### grep
```
grep -P '^(?:.*.*\\[System\\.Reflection\\.Assembly\\]::Load.*)'
```

View File

@ -56,6 +56,27 @@ tags:
### es-qs
```
(EventID:"4104" AND \\*.keyword:(*Set\\-ItemProperty* OR *New\\-Item*) AND "*CurrentVersion\\\\Winlogon*")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Winlogon-Helper-DLL <<EOF\n{\n "metadata": {\n "title": "Winlogon Helper DLL",\n "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\\\Software[Wow6432Node]Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\ and HKCU\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.",\n "tags": [\n "attack.persistence",\n "attack.t1004"\n ],\n "query": "(EventID:\\"4104\\" AND \\\\*.keyword:(*Set\\\\-ItemProperty* OR *New\\\\-Item*) AND \\"*CurrentVersion\\\\\\\\Winlogon*\\")"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4104\\" AND \\\\*.keyword:(*Set\\\\-ItemProperty* OR *New\\\\-Item*) AND \\"*CurrentVersion\\\\\\\\Winlogon*\\")",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Winlogon Helper DLL\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4104" AND \\*.keyword:(*Set\\-ItemProperty* OR *New\\-Item*) AND "*CurrentVersion\\\\Winlogon*")
```
### splunk
```
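Review bot: the last term of the es-qs query in this hunk, `"*CurrentVersion\\\\Winlogon*"`, is a quoted phrase, and query_string does not expand `*` inside phrase queries, so this clause looks for the literal tokens rather than doing the substring match the rule intends; the graylog line repeats the same quoting. The `\\*.keyword:(*Set\\-ItemProperty* OR *New\\-Item*)` clause on the same line shows the unquoted form that does get wildcard treatment, so the keyword-list conversion should emit the path term the same way (unquoted, with the space and backslash escaped).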
@ -63,4 +84,18 @@ tags:
```
### logpoint
```
(event_id="4104" ("*Set-ItemProperty*" OR "*New-Item*") "*CurrentVersion\\\\Winlogon*")
```
### grep
```
grep -P '^(?:.*(?=.*4104)(?=.*(?:.*(?:.*.*Set-ItemProperty.*|.*.*New-Item.*)))(?=.*.*CurrentVersion\\Winlogon.*))'
```

View File

@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/0xrawsec/status/1002478725605273600?s=21](https://twitter.com/0xrawsec/status/1002478725605273600?s=21)</li></ul> |
| Author | Florian Roth, @0xrawsec |
| Other Tags | <ul><li>attack.s0139</li><li>attack.s0139</li></ul> |
| Other Tags | <ul><li>attack.s0139</li></ul> |
## Detection Rules
@ -19,6 +19,7 @@
```
title: Executable in ADS
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: experimental
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
references:
@ -70,7 +71,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"15" AND NOT (Imphash:"00000000000000000000000000000000"))
(EventID:"15" AND (NOT (Imphash:"00000000000000000000000000000000")))
```
@ -84,7 +85,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="15" -(Imphash="00000000000000000000000000000000"))
(event_id="15" -(Imphash="00000000000000000000000000000000"))
```

View File

@ -19,12 +19,13 @@
```
title: CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
- https://twitter.com/SBousseaden/status/1090588499517079552
- https://github.com/mdsecactivebreach/CACTUSTORCH
status: experimental
author: "@SBousseaden (detection), Thomas Patzke (rule)"
author: '@SBousseaden (detection), Thomas Patzke (rule)'
logsource:
product: windows
service: sysmon
@ -71,7 +72,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"8" AND SourceImage:("*\\\\System32\\\\cscript.exe" "*\\\\System32\\\\wscript.exe" "*\\\\System32\\\\mshta.exe" "*\\\\winword.exe" "*\\\\excel.exe") AND TargetImage:"*\\\\SysWOW64\\\\*" AND NOT _exists_:StartModule)
(EventID:"8" AND SourceImage.keyword:(*\\\\System32\\\\cscript.exe *\\\\System32\\\\wscript.exe *\\\\System32\\\\mshta.exe *\\\\winword.exe *\\\\excel.exe) AND TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:StartModule)
```
@ -85,7 +86,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="8" SourceImage IN ["*\\\\System32\\\\cscript.exe", "*\\\\System32\\\\wscript.exe", "*\\\\System32\\\\mshta.exe", "*\\\\winword.exe", "*\\\\excel.exe"] TargetImage="*\\\\SysWOW64\\\\*" -StartModule=*)
(event_id="8" SourceImage IN ["*\\\\System32\\\\cscript.exe", "*\\\\System32\\\\wscript.exe", "*\\\\System32\\\\mshta.exe", "*\\\\winword.exe", "*\\\\excel.exe"] TargetImage="*\\\\SysWOW64\\\\*" -StartModule=*)
```
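Review bot: across this commit the Logpoint backend now renames only `EventID` to `event_id` (`(event_id="8" SourceImage IN [...] TargetImage="*\\\\SysWOW64\\\\*" -StartModule=*)` in this hunk), while the Sysmon-specific fields `SourceImage`, `TargetImage` and `StartModule` keep their Windows names. If Logpoint's normalisation renames those too, every query in this batch silently matches nothing, so the commit message should say which field mapping was applied and why it is deliberately partial.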

View File

@ -3,7 +3,7 @@
| Description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li></ul> |
| Data Needed | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Data Needed | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1191: CMSTP](../Triggers/T1191.md)</li></ul> |
| Severity Level | high |
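Review bot: the Data Needed row in this hunk changes only the order of the same five DN entries (DN_0003 and DN_0014 swap places), so this is diff noise from an unordered collection in the generator rather than a content change; the same reshuffle appears on the Malicious Named Pipe page below (DN_0020/DN_0021). Sorting the list before rendering keeps regenerations stable and reviewable.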
@ -11,16 +11,16 @@
| Development Status | stable |
| References | <ul><li>[http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/](http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/)</li></ul> |
| Author | Nik Seetharaman |
| Other Tags | <ul><li>attack.g0069</li><li>attack.g0069</li><li>car.2019-04-001</li><li>car.2019-04-001</li></ul> |
| Other Tags | <ul><li>attack.g0069</li><li>car.2019-04-001</li></ul> |
## Detection Rules
### Sigma rule
```
---
action: global
title: CMSTP Execution
id: 9d26fede-b526-4413-b069-6e24b6d07167
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
tags:
@ -89,7 +89,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
((EventID:"12" AND TargetObject:"*\\\\cmmgr32.exe*") OR (EventID:"13" AND TargetObject:"*\\\\cmmgr32.exe*") OR (EventID:"10" AND CallTrace:"*cmlua.dll*"))\nParentImage:"*\\\\cmstp.exe"
((EventID:"12" AND TargetObject.keyword:*\\\\cmmgr32.exe*) OR (EventID:"13" AND TargetObject.keyword:*\\\\cmmgr32.exe*) OR (EventID:"10" AND CallTrace.keyword:*cmlua.dll*))\nParentImage.keyword:*\\\\cmstp.exe
```
@ -103,7 +103,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
((EventID="12" TargetObject="*\\\\cmmgr32.exe*") OR (EventID="13" TargetObject="*\\\\cmmgr32.exe*") OR (EventID="10" CallTrace="*cmlua.dll*"))\nParentImage="*\\\\cmstp.exe"
((event_id="12" TargetObject="*\\\\cmmgr32.exe*") OR (event_id="13" TargetObject="*\\\\cmmgr32.exe*") OR (event_id="10" CallTrace="*cmlua.dll*"))\n(event_id="1" ParentImage="*\\\\cmstp.exe")
```
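Review bot: the second document of this global rule now renders for Logpoint as `(event_id="1" ParentImage="*\\\\cmstp.exe")`, but the graylog hunk just above still emits it as a bare `ParentImage.keyword:*\\\\cmstp.exe` with no EventID restriction, which matches any Sysmon event type that carries a ParentImage field. The process_creation logsource mapping appears to be configured for the Logpoint backend but not for the Graylog one; align the backend configs so both queries scope the second document to the process creation event.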

View File

@ -9,8 +9,8 @@
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f](https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f)</li></ul> |
| Author | Olaf Hartong, Florian Roth |
| References | <ul><li>[https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f](https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f)</li><li>[https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/](https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/)</li></ul> |
| Author | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
## Detection Rules
@ -18,22 +18,29 @@
### Sigma rule
```
title: CobaltStrike Process Injection
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
title: CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
- attack.defense_evasion
- attack.t1055
status: experimental
author: Olaf Hartong, Florian Roth
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2019/11/08
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
TargetProcessAddress: '*0B80'
TargetProcessAddress|endswith:
- '0B80'
- '0C7C'
- '0C88'
condition: selection
falsepositives:
- unknown
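Review bot: the description carried through this hunk, `Detects a possible remote threat creation with certain characteristics...`, should read `remote thread creation`; Sysmon EventID 8 is CreateRemoteThread, and the typo is copied into the `description` field of the xpack-watcher metadata further down. Worth fixing in the YAML alongside the new `TargetProcessAddress|endswith` list, since the rendered page is what analysts read.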
@ -49,42 +56,42 @@ level: high
### es-qs
```
(EventID:"8" AND TargetProcessAddress.keyword:*0B80)
(EventID:"8" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/CobaltStrike-Process-Injection <<EOF\n{\n "metadata": {\n "title": "CobaltStrike Process Injection",\n "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",\n "tags": [\n "attack.defense_evasion",\n "attack.t1055"\n ],\n "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:*0B80)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:*0B80)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'CobaltStrike Process Injection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/CobaltStrike-Process-Injection <<EOF\n{\n "metadata": {\n "title": "CobaltStrike Process Injection",\n "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",\n "tags": [\n "attack.defense_evasion",\n "attack.t1055"\n ],\n "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'CobaltStrike Process Injection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"8" AND TargetProcessAddress:"*0B80")
(EventID:"8" AND TargetProcessAddress.keyword:(*0B80 *0C7C *0C88))
```
### splunk
```
(EventID="8" TargetProcessAddress="*0B80")
(EventID="8" (TargetProcessAddress="*0B80" OR TargetProcessAddress="*0C7C" OR TargetProcessAddress="*0C88"))
```
### logpoint
```
(EventID="8" TargetProcessAddress="*0B80")
(event_id="8" TargetProcessAddress IN ["*0B80", "*0C7C", "*0C88"])
```
### grep
```
grep -P '^(?:.*(?=.*8)(?=.*.*0B80))'
grep -P '^(?:.*(?=.*8)(?=.*(?:.*.*0B80|.*.*0C7C|.*.*0C88)))'
```
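Review bot: the grep conversion `grep -P '^(?:.*(?=.*8)(?=.*(?:.*.*0B80|.*.*0C7C|.*.*0C88)))'` at the end of this hunk reduces the EventID 8 condition to `(?=.*8)`, which any line containing the digit 8 satisfies, so this backend effectively fires on every line that contains one of the three hex suffixes regardless of event type; the suffix match is also unanchored, whereas the other backends' `*0B80` matches the whole keyword value. If grep output is meant to be usable, emit the event id with its field name and anchor the address suffix with `\b` or `$`.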

View File

@ -19,8 +19,10 @@
```
title: DHCP Callout DLL installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: experimental
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the
DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
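Review bot: the `description:` in this hunk has been hard-wrapped into a two-line plain scalar (`...in context of the` / `DHCP server (restart required)`); YAML folds that back into one line with a single space, so the parsed rule is unchanged, but the wrap is a formatting change introduced by the regeneration, not by an edit to the rule, and it shows up identically on the DNS ServerLevelPluginDll page below. If the dumper's line width is the cause, configure it to keep single-line scalars, or use a `>` folded block so the intent is explicit.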
@ -68,7 +70,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"13" AND TargetObject:("*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls" "*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"))
(EventID:"13" AND TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))
```
@ -82,7 +84,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="13" TargetObject IN ["*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls", "*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"])
(event_id="13" TargetObject IN ["*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls", "*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"])
```

View File

@ -18,11 +18,12 @@
### Sigma rule
```
---
action: global
title: DNS ServerLevelPluginDll Install
id: e61e8a88-59a9-451c-874e-70fcc9740d67
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
(restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
@ -80,7 +81,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"13" AND TargetObject:"*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll")\nCommandLine:"dnscmd.exe \\/config \\/serverlevelplugindll *"
(EventID:"13" AND TargetObject.keyword:*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll)\nCommandLine.keyword:dnscmd.exe \\/config \\/serverlevelplugindll *
```
@ -94,7 +95,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="13" TargetObject="*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll")\nCommandLine="dnscmd.exe /config /serverlevelplugindll *"
(event_id="13" TargetObject="*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll")\n(event_id="1" CommandLine="dnscmd.exe /config /serverlevelplugindll *")
```

View File

@ -19,6 +19,7 @@
```
title: Detection of SafetyKatz
id: e074832a-eada-4fd7-94a1-10642b130e16
status: experimental
description: Detects possible SafetyKatz Behaviour
references:
@ -63,7 +64,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"11" AND TargetFilename:"*\\\\Temp\\\\debug.bin")
(EventID:"11" AND TargetFilename.keyword:*\\\\Temp\\\\debug.bin)
```
@ -77,7 +78,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="11" TargetFilename="*\\\\Temp\\\\debug.bin")
(event_id="11" TargetFilename="*\\\\Temp\\\\debug.bin")
```

File diff suppressed because one or more lines are too long

View File

@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html](https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html)</li></ul> |
| Author | Samir Bousseaden |
| Other Tags | <ul><li>attack.s0002</li><li>attack.s0002</li></ul> |
| Other Tags | <ul><li>attack.s0002</li></ul> |
## Detection Rules
@ -19,6 +19,7 @@
```
title: LSASS Memory Dump
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
author: Samir Bousseaden
@ -67,7 +68,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"10" AND TargetImage:"C\\:\\\\windows\\\\system32\\\\lsass.exe" AND GrantedAccess:"0x1fffff" AND CallTrace:("*dbghelp.dll*" "*dbgcore.dll*"))
(EventID:"10" AND TargetImage:"C\\:\\\\windows\\\\system32\\\\lsass.exe" AND GrantedAccess:"0x1fffff" AND CallTrace.keyword:(*dbghelp.dll* *dbgcore.dll*))
```
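Review bot: `TargetImage:"C\\:\\\\windows\\\\system32\\\\lsass.exe"` in this hunk is an exact, case-sensitive match when TargetImage is a keyword field, and the path is written fully lowercase; Sysmon records the image path with the casing it finds on disk (`Windows` is normally capitalised), so check a real EventID 10 record before relying on this exact value, or match with `*\\\\lsass.exe` the way the CallTrace clause on the same line already uses wildcards.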
@ -81,7 +82,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess="0x1fffff" CallTrace IN ["*dbghelp.dll*", "*dbgcore.dll*"])
(event_id="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess="0x1fffff" CallTrace IN ["*dbghelp.dll*", "*dbgcore.dll*"])
```

View File

@ -3,7 +3,7 @@
| Description | Detects the creation of a named pipe used by known APT malware |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li></ul> |
| Data Needed | <ul><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | critical |
@ -19,6 +19,7 @@
```
title: Malicious Named Pipe
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: experimental
description: Detects the creation of a named pipe used by known APT malware
references:
@ -82,7 +83,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:("17" "18") AND PipeName:("\\\\isapi_http" "\\\\isapi_dg" "\\\\isapi_dg2" "\\\\sdlrpc" "\\\\ahexec" "\\\\winsession" "\\\\lsassw" "\\\\46a676ab7f179e511e30dd2dc41bd388" "\\\\9f81f59bc58452127884ce513865ed20" "\\\\e710f28d59aa529d6792ca6ff0ca1b34" "\\\\rpchlp_3" "\\\\NamePipe_MoreWindows" "\\\\pcheap_reuse" "\\\\msagent_*"))
(EventID:("17" "18") AND PipeName.keyword:(\\\\isapi_http \\\\isapi_dg \\\\isapi_dg2 \\\\sdlrpc \\\\ahexec \\\\winsession \\\\lsassw \\\\46a676ab7f179e511e30dd2dc41bd388 \\\\9f81f59bc58452127884ce513865ed20 \\\\e710f28d59aa529d6792ca6ff0ca1b34 \\\\rpchlp_3 \\\\NamePipe_MoreWindows \\\\pcheap_reuse \\\\msagent_*))
```
@ -96,7 +97,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID IN ["17", "18"] PipeName IN ["\\\\isapi_http", "\\\\isapi_dg", "\\\\isapi_dg2", "\\\\sdlrpc", "\\\\ahexec", "\\\\winsession", "\\\\lsassw", "\\\\46a676ab7f179e511e30dd2dc41bd388", "\\\\9f81f59bc58452127884ce513865ed20", "\\\\e710f28d59aa529d6792ca6ff0ca1b34", "\\\\rpchlp_3", "\\\\NamePipe_MoreWindows", "\\\\pcheap_reuse", "\\\\msagent_*"])
(event_id IN ["17", "18"] PipeName IN ["\\\\isapi_http", "\\\\isapi_dg", "\\\\isapi_dg2", "\\\\sdlrpc", "\\\\ahexec", "\\\\winsession", "\\\\lsassw", "\\\\46a676ab7f179e511e30dd2dc41bd388", "\\\\9f81f59bc58452127884ce513865ed20", "\\\\e710f28d59aa529d6792ca6ff0ca1b34", "\\\\rpchlp_3", "\\\\NamePipe_MoreWindows", "\\\\pcheap_reuse", "\\\\msagent_*"])
```

View File

@ -19,6 +19,7 @@
```
title: Suspicious Typical Malware Back Connect Ports
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
status: experimental
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
@ -35,6 +36,7 @@ logsource:
detection:
selection:
EventID: 3
Initiated: 'true'
DestinationPort:
- '4443'
- '2448'
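Review bot: adding `Initiated: 'true'` to the selection scopes the rule to connections the monitored host initiated, which is the right scope for a back-connect rule and removes hits from inbound connections that happen to land on these ports; the description still says "programs that connect to" without stating the outbound-only scope, so it should say so. Keeping the value as the quoted string `'true'` is correct, matching how `DestinationIsIpv6: 'false'` is already expressed, because Sysmon reports these fields as the strings `true`/`false`.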
@ -124,42 +126,42 @@ level: medium
### es-qs
```
((EventID:"3" AND DestinationPort:("4443" OR "2448" OR "8143" OR "1777" OR "1443" OR "243" OR "65535" OR "13506" OR "3360" OR "200" OR "198" OR "49180" OR "13507" OR "6625" OR "4444" OR "4438" OR "1904" OR "13505" OR "13504" OR "12102" OR "9631" OR "5445" OR "2443" OR "777" OR "13394" OR "13145" OR "12103" OR "5552" OR "3939" OR "3675" OR "666" OR "473" OR "5649" OR "4455" OR "4433" OR "1817" OR "100" OR "65520" OR "1960" OR "1515" OR "743" OR "700" OR "14154" OR "14103" OR "14102" OR "12322" OR "10101" OR "7210" OR "4040" OR "9943")) AND (NOT ((Image.keyword:*\\\\Program\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:"false")))))
((EventID:"3" AND Initiated:"true" AND DestinationPort:("4443" OR "2448" OR "8143" OR "1777" OR "1443" OR "243" OR "65535" OR "13506" OR "3360" OR "200" OR "198" OR "49180" OR "13507" OR "6625" OR "4444" OR "4438" OR "1904" OR "13505" OR "13504" OR "12102" OR "9631" OR "5445" OR "2443" OR "777" OR "13394" OR "13145" OR "12103" OR "5552" OR "3939" OR "3675" OR "666" OR "473" OR "5649" OR "4455" OR "4433" OR "1817" OR "100" OR "65520" OR "1960" OR "1515" OR "743" OR "700" OR "14154" OR "14103" OR "14102" OR "12322" OR "10101" OR "7210" OR "4040" OR "9943")) AND (NOT ((Image.keyword:*\\\\Program\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:"false")))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Typical-Malware-Back-Connect-Ports <<EOF\n{\n "metadata": {\n "title": "Suspicious Typical Malware Back Connect Ports",\n "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases",\n "tags": [\n "attack.command_and_control",\n "attack.t1043"\n ],\n "query": "((EventID:\\"3\\" AND DestinationPort:(\\"4443\\" OR \\"2448\\" OR \\"8143\\" OR \\"1777\\" OR \\"1443\\" OR \\"243\\" OR \\"65535\\" OR \\"13506\\" OR \\"3360\\" OR \\"200\\" OR \\"198\\" OR \\"49180\\" OR \\"13507\\" OR \\"6625\\" OR \\"4444\\" OR \\"4438\\" OR \\"1904\\" OR \\"13505\\" OR \\"13504\\" OR \\"12102\\" OR \\"9631\\" OR \\"5445\\" OR \\"2443\\" OR \\"777\\" OR \\"13394\\" OR \\"13145\\" OR \\"12103\\" OR \\"5552\\" OR \\"3939\\" OR \\"3675\\" OR \\"666\\" OR \\"473\\" OR \\"5649\\" OR \\"4455\\" OR \\"4433\\" OR \\"1817\\" OR \\"100\\" OR \\"65520\\" OR \\"1960\\" OR \\"1515\\" OR \\"743\\" OR \\"700\\" OR \\"14154\\" OR \\"14103\\" OR \\"14102\\" OR \\"12322\\" OR \\"10101\\" OR \\"7210\\" OR \\"4040\\" OR \\"9943\\")) AND (NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:\\"false\\")))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"3\\" AND DestinationPort:(\\"4443\\" OR \\"2448\\" OR \\"8143\\" OR \\"1777\\" OR \\"1443\\" OR \\"243\\" OR \\"65535\\" OR \\"13506\\" OR \\"3360\\" OR \\"200\\" OR \\"198\\" OR \\"49180\\" OR \\"13507\\" OR \\"6625\\" OR 
\\"4444\\" OR \\"4438\\" OR \\"1904\\" OR \\"13505\\" OR \\"13504\\" OR \\"12102\\" OR \\"9631\\" OR \\"5445\\" OR \\"2443\\" OR \\"777\\" OR \\"13394\\" OR \\"13145\\" OR \\"12103\\" OR \\"5552\\" OR \\"3939\\" OR \\"3675\\" OR \\"666\\" OR \\"473\\" OR \\"5649\\" OR \\"4455\\" OR \\"4433\\" OR \\"1817\\" OR \\"100\\" OR \\"65520\\" OR \\"1960\\" OR \\"1515\\" OR \\"743\\" OR \\"700\\" OR \\"14154\\" OR \\"14103\\" OR \\"14102\\" OR \\"12322\\" OR \\"10101\\" OR \\"7210\\" OR \\"4040\\" OR \\"9943\\")) AND (NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:\\"false\\")))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious Typical Malware Back Connect Ports\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Typical-Malware-Back-Connect-Ports <<EOF\n{\n "metadata": {\n "title": "Suspicious Typical Malware Back Connect Ports",\n "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases",\n "tags": [\n "attack.command_and_control",\n "attack.t1043"\n ],\n "query": "((EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationPort:(\\"4443\\" OR \\"2448\\" OR \\"8143\\" OR \\"1777\\" OR \\"1443\\" OR \\"243\\" OR \\"65535\\" OR \\"13506\\" OR \\"3360\\" OR \\"200\\" OR \\"198\\" OR \\"49180\\" OR \\"13507\\" OR \\"6625\\" OR \\"4444\\" OR \\"4438\\" OR \\"1904\\" OR \\"13505\\" OR \\"13504\\" OR \\"12102\\" OR \\"9631\\" OR \\"5445\\" OR \\"2443\\" OR \\"777\\" OR \\"13394\\" OR \\"13145\\" OR \\"12103\\" OR \\"5552\\" OR \\"3939\\" OR \\"3675\\" OR \\"666\\" OR \\"473\\" OR \\"5649\\" OR \\"4455\\" OR \\"4433\\" OR \\"1817\\" OR \\"100\\" OR \\"65520\\" OR \\"1960\\" OR \\"1515\\" OR \\"743\\" OR \\"700\\" OR \\"14154\\" OR \\"14103\\" OR \\"14102\\" OR \\"12322\\" OR \\"10101\\" OR \\"7210\\" OR \\"4040\\" OR \\"9943\\")) AND (NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:\\"false\\")))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationPort:(\\"4443\\" OR \\"2448\\" OR \\"8143\\" OR \\"1777\\" OR \\"1443\\" OR \\"243\\" OR \\"65535\\" OR \\"13506\\" OR \\"3360\\" OR \\"200\\" OR \\"198\\" 
OR \\"49180\\" OR \\"13507\\" OR \\"6625\\" OR \\"4444\\" OR \\"4438\\" OR \\"1904\\" OR \\"13505\\" OR \\"13504\\" OR \\"12102\\" OR \\"9631\\" OR \\"5445\\" OR \\"2443\\" OR \\"777\\" OR \\"13394\\" OR \\"13145\\" OR \\"12103\\" OR \\"5552\\" OR \\"3939\\" OR \\"3675\\" OR \\"666\\" OR \\"473\\" OR \\"5649\\" OR \\"4455\\" OR \\"4433\\" OR \\"1817\\" OR \\"100\\" OR \\"65520\\" OR \\"1960\\" OR \\"1515\\" OR \\"743\\" OR \\"700\\" OR \\"14154\\" OR \\"14103\\" OR \\"14102\\" OR \\"12322\\" OR \\"10101\\" OR \\"7210\\" OR \\"4040\\" OR \\"9943\\")) AND (NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:\\"false\\")))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious Typical Malware Back Connect Ports\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"3" AND DestinationPort:("4443" "2448" "8143" "1777" "1443" "243" "65535" "13506" "3360" "200" "198" "49180" "13507" "6625" "4444" "4438" "1904" "13505" "13504" "12102" "9631" "5445" "2443" "777" "13394" "13145" "12103" "5552" "3939" "3675" "666" "473" "5649" "4455" "4433" "1817" "100" "65520" "1960" "1515" "743" "700" "14154" "14103" "14102" "12322" "10101" "7210" "4040" "9943")) AND NOT ((Image:"*\\\\Program Files*" OR (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.*") AND DestinationIsIpv6:"false"))))
((EventID:"3" AND Initiated:"true" AND DestinationPort:("4443" "2448" "8143" "1777" "1443" "243" "65535" "13506" "3360" "200" "198" "49180" "13507" "6625" "4444" "4438" "1904" "13505" "13504" "12102" "9631" "5445" "2443" "777" "13394" "13145" "12103" "5552" "3939" "3675" "666" "473" "5649" "4455" "4433" "1817" "100" "65520" "1960" "1515" "743" "700" "14154" "14103" "14102" "12322" "10101" "7210" "4040" "9943")) AND (NOT ((Image.keyword:*\\\\Program Files* OR (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.*) AND DestinationIsIpv6:"false")))))
```
### splunk
```
((EventID="3" (DestinationPort="4443" OR DestinationPort="2448" OR DestinationPort="8143" OR DestinationPort="1777" OR DestinationPort="1443" OR DestinationPort="243" OR DestinationPort="65535" OR DestinationPort="13506" OR DestinationPort="3360" OR DestinationPort="200" OR DestinationPort="198" OR DestinationPort="49180" OR DestinationPort="13507" OR DestinationPort="6625" OR DestinationPort="4444" OR DestinationPort="4438" OR DestinationPort="1904" OR DestinationPort="13505" OR DestinationPort="13504" OR DestinationPort="12102" OR DestinationPort="9631" OR DestinationPort="5445" OR DestinationPort="2443" OR DestinationPort="777" OR DestinationPort="13394" OR DestinationPort="13145" OR DestinationPort="12103" OR DestinationPort="5552" OR DestinationPort="3939" OR DestinationPort="3675" OR DestinationPort="666" OR DestinationPort="473" OR DestinationPort="5649" OR DestinationPort="4455" OR DestinationPort="4433" OR DestinationPort="1817" OR DestinationPort="100" OR DestinationPort="65520" OR DestinationPort="1960" OR DestinationPort="1515" OR DestinationPort="743" OR DestinationPort="700" OR DestinationPort="14154" OR DestinationPort="14103" OR DestinationPort="14102" OR DestinationPort="12322" OR DestinationPort="10101" OR DestinationPort="7210" OR DestinationPort="4040" OR DestinationPort="9943")) NOT ((Image="*\\\\Program Files*" OR ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*") DestinationIsIpv6="false"))))
((EventID="3" Initiated="true" (DestinationPort="4443" OR DestinationPort="2448" OR DestinationPort="8143" OR DestinationPort="1777" OR DestinationPort="1443" OR DestinationPort="243" OR DestinationPort="65535" OR DestinationPort="13506" OR DestinationPort="3360" OR DestinationPort="200" OR DestinationPort="198" OR DestinationPort="49180" OR DestinationPort="13507" OR DestinationPort="6625" OR DestinationPort="4444" OR DestinationPort="4438" OR DestinationPort="1904" OR DestinationPort="13505" OR DestinationPort="13504" OR DestinationPort="12102" OR DestinationPort="9631" OR DestinationPort="5445" OR DestinationPort="2443" OR DestinationPort="777" OR DestinationPort="13394" OR DestinationPort="13145" OR DestinationPort="12103" OR DestinationPort="5552" OR DestinationPort="3939" OR DestinationPort="3675" OR DestinationPort="666" OR DestinationPort="473" OR DestinationPort="5649" OR DestinationPort="4455" OR DestinationPort="4433" OR DestinationPort="1817" OR DestinationPort="100" OR DestinationPort="65520" OR DestinationPort="1960" OR DestinationPort="1515" OR DestinationPort="743" OR DestinationPort="700" OR DestinationPort="14154" OR DestinationPort="14103" OR DestinationPort="14102" OR DestinationPort="12322" OR DestinationPort="10101" OR DestinationPort="7210" OR DestinationPort="4040" OR DestinationPort="9943")) NOT ((Image="*\\\\Program Files*" OR ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*") DestinationIsIpv6="false"))))
```
### logpoint
```
((EventID="3" DestinationPort IN ["4443", "2448", "8143", "1777", "1443", "243", "65535", "13506", "3360", "200", "198", "49180", "13507", "6625", "4444", "4438", "1904", "13505", "13504", "12102", "9631", "5445", "2443", "777", "13394", "13145", "12103", "5552", "3939", "3675", "666", "473", "5649", "4455", "4433", "1817", "100", "65520", "1960", "1515", "743", "700", "14154", "14103", "14102", "12322", "10101", "7210", "4040", "9943"]) -((Image="*\\\\Program Files*" OR (DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"] DestinationIsIpv6="false"))))
((event_id="3" Initiated="true" DestinationPort IN ["4443", "2448", "8143", "1777", "1443", "243", "65535", "13506", "3360", "200", "198", "49180", "13507", "6625", "4444", "4438", "1904", "13505", "13504", "12102", "9631", "5445", "2443", "777", "13394", "13145", "12103", "5552", "3939", "3675", "666", "473", "5649", "4455", "4433", "1817", "100", "65520", "1960", "1515", "743", "700", "14154", "14103", "14102", "12322", "10101", "7210", "4040", "9943"]) -((Image="*\\\\Program Files*" OR (DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"] DestinationIsIpv6="false"))))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*(?:.*4443|.*2448|.*8143|.*1777|.*1443|.*243|.*65535|.*13506|.*3360|.*200|.*198|.*49180|.*13507|.*6625|.*4444|.*4438|.*1904|.*13505|.*13504|.*12102|.*9631|.*5445|.*2443|.*777|.*13394|.*13145|.*12103|.*5552|.*3939|.*3675|.*666|.*473|.*5649|.*4455|.*4433|.*1817|.*100|.*65520|.*1960|.*1515|.*743|.*700|.*14154|.*14103|.*14102|.*12322|.*10101|.*7210|.*4040|.*9943))))(?=.*(?!.*(?:.*(?:.*(?:.*.*\\Program Files.*|.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))(?=.*false))))))))'
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*true)(?=.*(?:.*4443|.*2448|.*8143|.*1777|.*1443|.*243|.*65535|.*13506|.*3360|.*200|.*198|.*49180|.*13507|.*6625|.*4444|.*4438|.*1904|.*13505|.*13504|.*12102|.*9631|.*5445|.*2443|.*777|.*13394|.*13145|.*12103|.*5552|.*3939|.*3675|.*666|.*473|.*5649|.*4455|.*4433|.*1817|.*100|.*65520|.*1960|.*1515|.*743|.*700|.*14154|.*14103|.*14102|.*12322|.*10101|.*7210|.*4040|.*9943))))(?=.*(?!.*(?:.*(?:.*(?:.*.*\\Program Files.*|.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))(?=.*false))))))))'
```
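Review bot: in the grep translation the new `(?=.*true)` lookahead matches the substring `true` anywhere in the line, so on Sysmon network events, which also carry `SourceIsIpv6` and `DestinationIsIpv6`, it does not actually enforce `Initiated=true`; the pre-existing `(?=.*3)` for the event id has the same weakness. The grep backend should be documented as best-effort rather than equivalent to the other queries. In the Graylog variant the move to `Image.keyword` and `DestinationIp.keyword` depends on `.keyword` multi-fields existing in the index mapping, which Graylog's default mapping does not provide. The es-qs, xpack-watcher, Splunk and LogPoint variants carry the new `Initiated` condition correctly.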

View File

@ -19,6 +19,7 @@
```
title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
@ -73,7 +74,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
((EventID:"10" AND TargetImage:"*\\\\verclsid.exe" AND GrantedAccess:"0x1FFFFF") AND (CallTrace:"*|UNKNOWN\\(*VBE7.DLL*" OR (SourceImage:"*\\\\Microsoft Office\\\\*" AND CallTrace:"*|UNKNOWN*")))
((EventID:"10" AND TargetImage.keyword:*\\\\verclsid.exe AND GrantedAccess:"0x1FFFFF") AND (CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (SourceImage.keyword:*\\\\Microsoft Office\\\\* AND CallTrace.keyword:*|UNKNOWN*)))
```
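Review bot: `CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL*` and the other `.keyword` fields are now evaluated as Lucene wildcard terms rather than quoted phrases, which is what these `*` patterns need, but a leading-wildcard term on a high-cardinality field like `CallTrace` is expensive in Elasticsearch, and the `.keyword` subfield must exist in the mapping for any of this to match. The `(` in `UNKNOWN(` is correctly escaped as `\\(` for the query parser.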
@ -87,7 +88,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
((EventID="10" TargetImage="*\\\\verclsid.exe" GrantedAccess="0x1FFFFF") (CallTrace="*|UNKNOWN(*VBE7.DLL*" OR (SourceImage="*\\\\Microsoft Office\\\\*" CallTrace="*|UNKNOWN*")))
((event_id="10" TargetImage="*\\\\verclsid.exe" GrantedAccess="0x1FFFFF") (CallTrace="*|UNKNOWN(*VBE7.DLL*" OR (SourceImage="*\\\\Microsoft Office\\\\*" CallTrace="*|UNKNOWN*")))
```
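Review bot: `event_id` is the only field renamed for LogPoint here; `TargetImage`, `GrantedAccess`, `CallTrace` and `SourceImage` keep their Sysmon names, so the same field-mapping check applies to them. `GrantedAccess="0x1FFFFF"` is an exact string compare on the full `PROCESS_ALL_ACCESS` mask, which matches the way Sysmon formats the value; note that it only catches opens requesting all access rights.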

View File

@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow](https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow)</li><li>[https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html](https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html)</li></ul> |
| Author | Author of this Detection Rule haven't introduced himself |
| Other Tags | <ul><li>attack.s0002</li><li>attack.s0002</li><li>car.2019-04-004</li><li>car.2019-04-004</li></ul> |
| Other Tags | <ul><li>attack.s0002</li><li>car.2019-04-004</li></ul> |
## Detection Rules
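Review bot: removing the duplicated `attack.s0002` and `car.2019-04-004` entries from the Other Tags row is correct, but since this Markdown is generated the deduplication has to live in the generator (the commit message suggests it does) or the duplicates return on the next regeneration. The unchanged Author row reads "haven't introduced himself"; the template should say "hasn't introduced themselves".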
@ -19,8 +19,10 @@
```
title: Mimikatz Detection LSASS Access
id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
status: experimental
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
versions", 0x0010 PROCESS_VM_READ)
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
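Review bot: the `description` plain scalar is now wrapped onto two lines by the YAML dumper (`"only old` / `versions", ...`); YAML folds the continuation into the same string, but only while the continuation line stays indented under the key, so the generator must preserve that indentation when it renders the rule into this Markdown block, and the rendered text now breaks mid-sentence. Raising the dumper's line width (or disabling wrapping) keeps the description on one line. Separately, `PROCESS_QUERY_ LIMITED_INFORMATION` and `PROCESS_QUERY_ INFORMATION` contain stray spaces in both the old and new text; the constants are `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_QUERY_INFORMATION`.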
@ -81,7 +83,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess IN ["0x1410", "0x1010"])
(event_id="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess IN ["0x1410", "0x1010"])
```
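Review bot: besides the `event_id` rename, `TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe"` spells `windows` in lowercase while Sysmon typically reports the path as `C:\Windows\system32\lsass.exe`; whether this matches depends on LogPoint comparing strings case-insensitively, so confirm that or normalize the case in the rule. The `GrantedAccess IN ["0x1410", "0x1010"]` list is unchanged and still matches the two masks the description explains.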

View File

@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/](https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/)</li></ul> |
| Author | Author of this Detection Rule haven't introduced himself |
| Other Tags | <ul><li>attack.s0002</li><li>attack.s0002</li><li>car.2019-04-004</li><li>car.2019-04-004</li></ul> |
| Other Tags | <ul><li>attack.s0002</li><li>car.2019-04-004</li></ul> |
## Detection Rules
@ -19,6 +19,7 @@
```
title: Mimikatz In-Memory
id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e
status: experimental
description: Detects certain DLL loads when Mimikatz gets executed
references:

View File

@ -11,14 +11,15 @@
| Development Status | stable |
| References | <ul><li>[https://pentestlab.blog/2018/05/15/lateral-movement-winrm/](https://pentestlab.blog/2018/05/15/lateral-movement-winrm/)</li></ul> |
| Author | Patryk Prauze - ING Tech |
| Other Tags | <ul><li>attack.s0005</li><li>attack.s0005</li></ul> |
| Other Tags | <ul><li>attack.s0005</li></ul> |
## Detection Rules
### Sigma rule
```
title: Mimikatz through Windows Remote Management
title: Mimikatz through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
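Review bot: the `title` line appears as both removed and added with no visible difference, which points to a whitespace-only change (trailing space or line ending) introduced by the re-dump; worth fixing in the generator so later diffs stay minimal. The inserted `id: aa35a627-33fb-4d04-a165-d33b4afca3e8` is the substantive change and sits in the right place, directly after `title`, while the tag deduplication in the table above is correct.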
@ -80,7 +81,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" SourceImage="C:\\\\Windows\\\\system32\\\\wsmprovhost.exe")
(event_id="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" SourceImage="C:\\\\Windows\\\\system32\\\\wsmprovhost.exe")
```

View File

@ -11,15 +11,17 @@
| Development Status | stable |
| References | <ul><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm](https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm)</li></ul> |
| Author | Thomas Patzke |
| Other Tags | <ul><li>attack.s0005</li><li>attack.s0005</li></ul> |
| Other Tags | <ul><li>attack.s0005</li></ul> |
## Detection Rules
### Sigma rule
```
title: Password Dumper Remote Thread in LSASS
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
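Review bot: the wrapped `description` (`The process` / `in field Process is the malicious program.`) is a folded plain scalar whose continuation line must stay indented inside the YAML block to remain part of the same string, and in the rendered Markdown the sentence now breaks mid-way; a larger dumper line width avoids both problems. This rule keeps `status: stable` after `references`, whereas the regenerated experimental rules put `status` directly after `id`; parsers do not care about the order, but a consistent order keeps these generated diffs readable. The duplicated `title` line with no visible change again suggests whitespace-only churn from the dumper.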
@ -78,7 +80,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="8" TargetImage="C:\\\\Windows\\\\System32\\\\lsass.exe" -StartModule=*)
(event_id="8" TargetImage="C:\\\\Windows\\\\System32\\\\lsass.exe" -StartModule=*)
```

View File

@ -19,6 +19,7 @@
```
title: Malicious PowerShell Commandlet Names
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
status: experimental
description: Detects the creation of known powershell scripts for exploitation
references:
@ -159,7 +160,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"11" AND TargetFilename:("*\\\\Invoke\\-DllInjection.ps1" "*\\\\Invoke\\-WmiCommand.ps1" "*\\\\Get\\-GPPPassword.ps1" "*\\\\Get\\-Keystrokes.ps1" "*\\\\Get\\-VaultCredential.ps1" "*\\\\Invoke\\-CredentialInjection.ps1" "*\\\\Invoke\\-Mimikatz.ps1" "*\\\\Invoke\\-NinjaCopy.ps1" "*\\\\Invoke\\-TokenManipulation.ps1" "*\\\\Out\\-Minidump.ps1" "*\\\\VolumeShadowCopyTools.ps1" "*\\\\Invoke\\-ReflectivePEInjection.ps1" "*\\\\Get\\-TimedScreenshot.ps1" "*\\\\Invoke\\-UserHunter.ps1" "*\\\\Find\\-GPOLocation.ps1" "*\\\\Invoke\\-ACLScanner.ps1" "*\\\\Invoke\\-DowngradeAccount.ps1" "*\\\\Get\\-ServiceUnquoted.ps1" "*\\\\Get\\-ServiceFilePermission.ps1" "*\\\\Get\\-ServicePermission.ps1" "*\\\\Invoke\\-ServiceAbuse.ps1" "*\\\\Install\\-ServiceBinary.ps1" "*\\\\Get\\-RegAutoLogon.ps1" "*\\\\Get\\-VulnAutoRun.ps1" "*\\\\Get\\-VulnSchTask.ps1" "*\\\\Get\\-UnattendedInstallFile.ps1" "*\\\\Get\\-WebConfig.ps1" "*\\\\Get\\-ApplicationHost.ps1" "*\\\\Get\\-RegAlwaysInstallElevated.ps1" "*\\\\Get\\-Unconstrained.ps1" "*\\\\Add\\-RegBackdoor.ps1" "*\\\\Add\\-ScrnSaveBackdoor.ps1" "*\\\\Gupt\\-Backdoor.ps1" "*\\\\Invoke\\-ADSBackdoor.ps1" "*\\\\Enabled\\-DuplicateToken.ps1" "*\\\\Invoke\\-PsUaCme.ps1" "*\\\\Remove\\-Update.ps1" "*\\\\Check\\-VM.ps1" "*\\\\Get\\-LSASecret.ps1" "*\\\\Get\\-PassHashes.ps1" "*\\\\Show\\-TargetScreen.ps1" "*\\\\Port\\-Scan.ps1" "*\\\\Invoke\\-PoshRatHttp.ps1" "*\\\\Invoke\\-PowerShellTCP.ps1" "*\\\\Invoke\\-PowerShellWMI.ps1" "*\\\\Add\\-Exfiltration.ps1" "*\\\\Add\\-Persistence.ps1" "*\\\\Do\\-Exfiltration.ps1" "*\\\\Start\\-CaptureServer.ps1" "*\\\\Invoke\\-ShellCode.ps1" "*\\\\Get\\-ChromeDump.ps1" "*\\\\Get\\-ClipboardContents.ps1" "*\\\\Get\\-FoxDump.ps1" "*\\\\Get\\-IndexedItem.ps1" "*\\\\Get\\-Screenshot.ps1" "*\\\\Invoke\\-Inveigh.ps1" "*\\\\Invoke\\-NetRipper.ps1" "*\\\\Invoke\\-EgressCheck.ps1" "*\\\\Invoke\\-PostExfil.ps1" "*\\\\Invoke\\-PSInject.ps1" "*\\\\Invoke\\-RunAs.ps1" "*\\\\MailRaider.ps1" "*\\\\New\\-HoneyHash.ps1" 
"*\\\\Set\\-MacAttribute.ps1" "*\\\\Invoke\\-DCSync.ps1" "*\\\\Invoke\\-PowerDump.ps1" "*\\\\Exploit\\-Jboss.ps1" "*\\\\Invoke\\-ThunderStruck.ps1" "*\\\\Invoke\\-VoiceTroll.ps1" "*\\\\Set\\-Wallpaper.ps1" "*\\\\Invoke\\-InveighRelay.ps1" "*\\\\Invoke\\-PsExec.ps1" "*\\\\Invoke\\-SSHCommand.ps1" "*\\\\Get\\-SecurityPackages.ps1" "*\\\\Install\\-SSP.ps1" "*\\\\Invoke\\-BackdoorLNK.ps1" "*\\\\PowerBreach.ps1" "*\\\\Get\\-SiteListPassword.ps1" "*\\\\Get\\-System.ps1" "*\\\\Invoke\\-BypassUAC.ps1" "*\\\\Invoke\\-Tater.ps1" "*\\\\Invoke\\-WScriptBypassUAC.ps1" "*\\\\PowerUp.ps1" "*\\\\PowerView.ps1" "*\\\\Get\\-RickAstley.ps1" "*\\\\Find\\-Fruit.ps1" "*\\\\HTTP\\-Login.ps1" "*\\\\Find\\-TrustedDocuments.ps1" "*\\\\Invoke\\-Paranoia.ps1" "*\\\\Invoke\\-WinEnum.ps1" "*\\\\Invoke\\-ARPScan.ps1" "*\\\\Invoke\\-PortScan.ps1" "*\\\\Invoke\\-ReverseDNSLookup.ps1" "*\\\\Invoke\\-SMBScanner.ps1" "*\\\\Invoke\\-Mimikittenz.ps1"))
(EventID:"11" AND TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 *\\\\Invoke\\-WmiCommand.ps1 *\\\\Get\\-GPPPassword.ps1 *\\\\Get\\-Keystrokes.ps1 *\\\\Get\\-VaultCredential.ps1 *\\\\Invoke\\-CredentialInjection.ps1 *\\\\Invoke\\-Mimikatz.ps1 *\\\\Invoke\\-NinjaCopy.ps1 *\\\\Invoke\\-TokenManipulation.ps1 *\\\\Out\\-Minidump.ps1 *\\\\VolumeShadowCopyTools.ps1 *\\\\Invoke\\-ReflectivePEInjection.ps1 *\\\\Get\\-TimedScreenshot.ps1 *\\\\Invoke\\-UserHunter.ps1 *\\\\Find\\-GPOLocation.ps1 *\\\\Invoke\\-ACLScanner.ps1 *\\\\Invoke\\-DowngradeAccount.ps1 *\\\\Get\\-ServiceUnquoted.ps1 *\\\\Get\\-ServiceFilePermission.ps1 *\\\\Get\\-ServicePermission.ps1 *\\\\Invoke\\-ServiceAbuse.ps1 *\\\\Install\\-ServiceBinary.ps1 *\\\\Get\\-RegAutoLogon.ps1 *\\\\Get\\-VulnAutoRun.ps1 *\\\\Get\\-VulnSchTask.ps1 *\\\\Get\\-UnattendedInstallFile.ps1 *\\\\Get\\-WebConfig.ps1 *\\\\Get\\-ApplicationHost.ps1 *\\\\Get\\-RegAlwaysInstallElevated.ps1 *\\\\Get\\-Unconstrained.ps1 *\\\\Add\\-RegBackdoor.ps1 *\\\\Add\\-ScrnSaveBackdoor.ps1 *\\\\Gupt\\-Backdoor.ps1 *\\\\Invoke\\-ADSBackdoor.ps1 *\\\\Enabled\\-DuplicateToken.ps1 *\\\\Invoke\\-PsUaCme.ps1 *\\\\Remove\\-Update.ps1 *\\\\Check\\-VM.ps1 *\\\\Get\\-LSASecret.ps1 *\\\\Get\\-PassHashes.ps1 *\\\\Show\\-TargetScreen.ps1 *\\\\Port\\-Scan.ps1 *\\\\Invoke\\-PoshRatHttp.ps1 *\\\\Invoke\\-PowerShellTCP.ps1 *\\\\Invoke\\-PowerShellWMI.ps1 *\\\\Add\\-Exfiltration.ps1 *\\\\Add\\-Persistence.ps1 *\\\\Do\\-Exfiltration.ps1 *\\\\Start\\-CaptureServer.ps1 *\\\\Invoke\\-ShellCode.ps1 *\\\\Get\\-ChromeDump.ps1 *\\\\Get\\-ClipboardContents.ps1 *\\\\Get\\-FoxDump.ps1 *\\\\Get\\-IndexedItem.ps1 *\\\\Get\\-Screenshot.ps1 *\\\\Invoke\\-Inveigh.ps1 *\\\\Invoke\\-NetRipper.ps1 *\\\\Invoke\\-EgressCheck.ps1 *\\\\Invoke\\-PostExfil.ps1 *\\\\Invoke\\-PSInject.ps1 *\\\\Invoke\\-RunAs.ps1 *\\\\MailRaider.ps1 *\\\\New\\-HoneyHash.ps1 *\\\\Set\\-MacAttribute.ps1 *\\\\Invoke\\-DCSync.ps1 *\\\\Invoke\\-PowerDump.ps1 *\\\\Exploit\\-Jboss.ps1 
*\\\\Invoke\\-ThunderStruck.ps1 *\\\\Invoke\\-VoiceTroll.ps1 *\\\\Set\\-Wallpaper.ps1 *\\\\Invoke\\-InveighRelay.ps1 *\\\\Invoke\\-PsExec.ps1 *\\\\Invoke\\-SSHCommand.ps1 *\\\\Get\\-SecurityPackages.ps1 *\\\\Install\\-SSP.ps1 *\\\\Invoke\\-BackdoorLNK.ps1 *\\\\PowerBreach.ps1 *\\\\Get\\-SiteListPassword.ps1 *\\\\Get\\-System.ps1 *\\\\Invoke\\-BypassUAC.ps1 *\\\\Invoke\\-Tater.ps1 *\\\\Invoke\\-WScriptBypassUAC.ps1 *\\\\PowerUp.ps1 *\\\\PowerView.ps1 *\\\\Get\\-RickAstley.ps1 *\\\\Find\\-Fruit.ps1 *\\\\HTTP\\-Login.ps1 *\\\\Find\\-TrustedDocuments.ps1 *\\\\Invoke\\-Paranoia.ps1 *\\\\Invoke\\-WinEnum.ps1 *\\\\Invoke\\-ARPScan.ps1 *\\\\Invoke\\-PortScan.ps1 *\\\\Invoke\\-ReverseDNSLookup.ps1 *\\\\Invoke\\-SMBScanner.ps1 *\\\\Invoke\\-Mimikittenz.ps1))
```
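Review bot: the Graylog query now ORs roughly ninety leading-wildcard terms (`*\\\\Invoke\\-DllInjection.ps1`, ...) on `TargetFilename.keyword`; a leading wildcard cannot use the term index, so each term walks the field's term dictionary, and a list this long evaluated on every file-create event is a heavy query that should be scheduled accordingly. The hyphens are correctly escaped as `\\-` (a bare `-` is a NOT operator to the query parser), but as with the other Graylog variants the `.keyword` subfield must exist in the index mapping or nothing matches.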
@ -173,7 +174,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="11" TargetFilename IN ["*\\\\Invoke-DllInjection.ps1", "*\\\\Invoke-WmiCommand.ps1", "*\\\\Get-GPPPassword.ps1", "*\\\\Get-Keystrokes.ps1", "*\\\\Get-VaultCredential.ps1", "*\\\\Invoke-CredentialInjection.ps1", "*\\\\Invoke-Mimikatz.ps1", "*\\\\Invoke-NinjaCopy.ps1", "*\\\\Invoke-TokenManipulation.ps1", "*\\\\Out-Minidump.ps1", "*\\\\VolumeShadowCopyTools.ps1", "*\\\\Invoke-ReflectivePEInjection.ps1", "*\\\\Get-TimedScreenshot.ps1", "*\\\\Invoke-UserHunter.ps1", "*\\\\Find-GPOLocation.ps1", "*\\\\Invoke-ACLScanner.ps1", "*\\\\Invoke-DowngradeAccount.ps1", "*\\\\Get-ServiceUnquoted.ps1", "*\\\\Get-ServiceFilePermission.ps1", "*\\\\Get-ServicePermission.ps1", "*\\\\Invoke-ServiceAbuse.ps1", "*\\\\Install-ServiceBinary.ps1", "*\\\\Get-RegAutoLogon.ps1", "*\\\\Get-VulnAutoRun.ps1", "*\\\\Get-VulnSchTask.ps1", "*\\\\Get-UnattendedInstallFile.ps1", "*\\\\Get-WebConfig.ps1", "*\\\\Get-ApplicationHost.ps1", "*\\\\Get-RegAlwaysInstallElevated.ps1", "*\\\\Get-Unconstrained.ps1", "*\\\\Add-RegBackdoor.ps1", "*\\\\Add-ScrnSaveBackdoor.ps1", "*\\\\Gupt-Backdoor.ps1", "*\\\\Invoke-ADSBackdoor.ps1", "*\\\\Enabled-DuplicateToken.ps1", "*\\\\Invoke-PsUaCme.ps1", "*\\\\Remove-Update.ps1", "*\\\\Check-VM.ps1", "*\\\\Get-LSASecret.ps1", "*\\\\Get-PassHashes.ps1", "*\\\\Show-TargetScreen.ps1", "*\\\\Port-Scan.ps1", "*\\\\Invoke-PoshRatHttp.ps1", "*\\\\Invoke-PowerShellTCP.ps1", "*\\\\Invoke-PowerShellWMI.ps1", "*\\\\Add-Exfiltration.ps1", "*\\\\Add-Persistence.ps1", "*\\\\Do-Exfiltration.ps1", "*\\\\Start-CaptureServer.ps1", "*\\\\Invoke-ShellCode.ps1", "*\\\\Get-ChromeDump.ps1", "*\\\\Get-ClipboardContents.ps1", "*\\\\Get-FoxDump.ps1", "*\\\\Get-IndexedItem.ps1", "*\\\\Get-Screenshot.ps1", "*\\\\Invoke-Inveigh.ps1", "*\\\\Invoke-NetRipper.ps1", "*\\\\Invoke-EgressCheck.ps1", "*\\\\Invoke-PostExfil.ps1", "*\\\\Invoke-PSInject.ps1", "*\\\\Invoke-RunAs.ps1", "*\\\\MailRaider.ps1", "*\\\\New-HoneyHash.ps1", "*\\\\Set-MacAttribute.ps1", "*\\\\Invoke-DCSync.ps1", 
"*\\\\Invoke-PowerDump.ps1", "*\\\\Exploit-Jboss.ps1", "*\\\\Invoke-ThunderStruck.ps1", "*\\\\Invoke-VoiceTroll.ps1", "*\\\\Set-Wallpaper.ps1", "*\\\\Invoke-InveighRelay.ps1", "*\\\\Invoke-PsExec.ps1", "*\\\\Invoke-SSHCommand.ps1", "*\\\\Get-SecurityPackages.ps1", "*\\\\Install-SSP.ps1", "*\\\\Invoke-BackdoorLNK.ps1", "*\\\\PowerBreach.ps1", "*\\\\Get-SiteListPassword.ps1", "*\\\\Get-System.ps1", "*\\\\Invoke-BypassUAC.ps1", "*\\\\Invoke-Tater.ps1", "*\\\\Invoke-WScriptBypassUAC.ps1", "*\\\\PowerUp.ps1", "*\\\\PowerView.ps1", "*\\\\Get-RickAstley.ps1", "*\\\\Find-Fruit.ps1", "*\\\\HTTP-Login.ps1", "*\\\\Find-TrustedDocuments.ps1", "*\\\\Invoke-Paranoia.ps1", "*\\\\Invoke-WinEnum.ps1", "*\\\\Invoke-ARPScan.ps1", "*\\\\Invoke-PortScan.ps1", "*\\\\Invoke-ReverseDNSLookup.ps1", "*\\\\Invoke-SMBScanner.ps1", "*\\\\Invoke-Mimikittenz.ps1"])
(event_id="11" TargetFilename IN ["*\\\\Invoke-DllInjection.ps1", "*\\\\Invoke-WmiCommand.ps1", "*\\\\Get-GPPPassword.ps1", "*\\\\Get-Keystrokes.ps1", "*\\\\Get-VaultCredential.ps1", "*\\\\Invoke-CredentialInjection.ps1", "*\\\\Invoke-Mimikatz.ps1", "*\\\\Invoke-NinjaCopy.ps1", "*\\\\Invoke-TokenManipulation.ps1", "*\\\\Out-Minidump.ps1", "*\\\\VolumeShadowCopyTools.ps1", "*\\\\Invoke-ReflectivePEInjection.ps1", "*\\\\Get-TimedScreenshot.ps1", "*\\\\Invoke-UserHunter.ps1", "*\\\\Find-GPOLocation.ps1", "*\\\\Invoke-ACLScanner.ps1", "*\\\\Invoke-DowngradeAccount.ps1", "*\\\\Get-ServiceUnquoted.ps1", "*\\\\Get-ServiceFilePermission.ps1", "*\\\\Get-ServicePermission.ps1", "*\\\\Invoke-ServiceAbuse.ps1", "*\\\\Install-ServiceBinary.ps1", "*\\\\Get-RegAutoLogon.ps1", "*\\\\Get-VulnAutoRun.ps1", "*\\\\Get-VulnSchTask.ps1", "*\\\\Get-UnattendedInstallFile.ps1", "*\\\\Get-WebConfig.ps1", "*\\\\Get-ApplicationHost.ps1", "*\\\\Get-RegAlwaysInstallElevated.ps1", "*\\\\Get-Unconstrained.ps1", "*\\\\Add-RegBackdoor.ps1", "*\\\\Add-ScrnSaveBackdoor.ps1", "*\\\\Gupt-Backdoor.ps1", "*\\\\Invoke-ADSBackdoor.ps1", "*\\\\Enabled-DuplicateToken.ps1", "*\\\\Invoke-PsUaCme.ps1", "*\\\\Remove-Update.ps1", "*\\\\Check-VM.ps1", "*\\\\Get-LSASecret.ps1", "*\\\\Get-PassHashes.ps1", "*\\\\Show-TargetScreen.ps1", "*\\\\Port-Scan.ps1", "*\\\\Invoke-PoshRatHttp.ps1", "*\\\\Invoke-PowerShellTCP.ps1", "*\\\\Invoke-PowerShellWMI.ps1", "*\\\\Add-Exfiltration.ps1", "*\\\\Add-Persistence.ps1", "*\\\\Do-Exfiltration.ps1", "*\\\\Start-CaptureServer.ps1", "*\\\\Invoke-ShellCode.ps1", "*\\\\Get-ChromeDump.ps1", "*\\\\Get-ClipboardContents.ps1", "*\\\\Get-FoxDump.ps1", "*\\\\Get-IndexedItem.ps1", "*\\\\Get-Screenshot.ps1", "*\\\\Invoke-Inveigh.ps1", "*\\\\Invoke-NetRipper.ps1", "*\\\\Invoke-EgressCheck.ps1", "*\\\\Invoke-PostExfil.ps1", "*\\\\Invoke-PSInject.ps1", "*\\\\Invoke-RunAs.ps1", "*\\\\MailRaider.ps1", "*\\\\New-HoneyHash.ps1", "*\\\\Set-MacAttribute.ps1", "*\\\\Invoke-DCSync.ps1", 
"*\\\\Invoke-PowerDump.ps1", "*\\\\Exploit-Jboss.ps1", "*\\\\Invoke-ThunderStruck.ps1", "*\\\\Invoke-VoiceTroll.ps1", "*\\\\Set-Wallpaper.ps1", "*\\\\Invoke-InveighRelay.ps1", "*\\\\Invoke-PsExec.ps1", "*\\\\Invoke-SSHCommand.ps1", "*\\\\Get-SecurityPackages.ps1", "*\\\\Install-SSP.ps1", "*\\\\Invoke-BackdoorLNK.ps1", "*\\\\PowerBreach.ps1", "*\\\\Get-SiteListPassword.ps1", "*\\\\Get-System.ps1", "*\\\\Invoke-BypassUAC.ps1", "*\\\\Invoke-Tater.ps1", "*\\\\Invoke-WScriptBypassUAC.ps1", "*\\\\PowerUp.ps1", "*\\\\PowerView.ps1", "*\\\\Get-RickAstley.ps1", "*\\\\Find-Fruit.ps1", "*\\\\HTTP-Login.ps1", "*\\\\Find-TrustedDocuments.ps1", "*\\\\Invoke-Paranoia.ps1", "*\\\\Invoke-WinEnum.ps1", "*\\\\Invoke-ARPScan.ps1", "*\\\\Invoke-PortScan.ps1", "*\\\\Invoke-ReverseDNSLookup.ps1", "*\\\\Invoke-SMBScanner.ps1", "*\\\\Invoke-Mimikittenz.ps1"])
```
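Review bot: the only change in this logpoint output is the first token of the query, `EventID="11"` becoming `event_id="11"`, while `TargetFilename` keeps its Sysmon name; confirm that this matches the logpoint field mapping in the converter config, because a query that references a field the SIEM does not know returns nothing rather than an error. Independently of the rename, the rule keys on nearly a hundred well-known PowerShell script file names written to disk (Sysmon EventID 11), which a renamed copy of any of them evades, so it should be paired with a content-based rule rather than read as coverage for the listed tools.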


@ -19,8 +19,10 @@
```
title: PowerShell Network Connections
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: experimental
description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"
description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g.
extend filters with company's ip range')
author: Florian Roth
references:
- https://www.youtube.com/watch?v=DLtJTxMWZ2o
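Review bot: the regenerated `description` is now wrapped onto two lines, the second of which starts at column 0 with `extend filters with company's ip range')`, and the double quotes of the old single-line form are gone. If this is what the generator writes into the rendered YAML it is no longer a valid scalar (an unindented line ends the value), and the dangling `')` is a typo carried over from the source rule. Suggest keeping the description on one line, `description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range)`, and fixing the stray quote upstream in the Sigma rule so the xpack-watcher metadata below stops carrying it as well.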
@ -34,6 +36,7 @@ detection:
selection:
EventID: 3
Image: '*\powershell.exe'
Initiated: 'true'
filter:
DestinationIp:
- '10.*'
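Review bot: adding `Initiated: 'true'` to the selection is the right fix; without it the rule also fired on inbound connections accepted by a PowerShell process, since Sysmon logs EventID 3 for both directions and marks the listening side with Initiated false. Keep the value as the quoted string `'true'` rather than a YAML boolean: Sysmon writes the field as text and every backend below compares it as a string.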
@ -71,42 +74,42 @@ level: low
### es-qs
```
((EventID:"3" AND Image.keyword:*\\\\powershell.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:"false" AND User:"NT\\ AUTHORITY\\\\SYSTEM")))
((EventID:"3" AND Image.keyword:*\\\\powershell.exe AND Initiated:"true") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:"false" AND User:"NT\\ AUTHORITY\\\\SYSTEM")))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Network-Connections <<EOF\n{\n "metadata": {\n "title": "PowerShell Network Connections",\n "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell Network Connections\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Network-Connections <<EOF\n{\n "metadata": {\n "title": "PowerShell Network Connections",\n "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe AND Initiated:\\"true\\") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe AND Initiated:\\"true\\") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell Network Connections\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"3" AND Image:"*\\\\powershell.exe") AND NOT (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.0.0.1") AND DestinationIsIpv6:"false" AND User:"NT AUTHORITY\\\\SYSTEM"))
((EventID:"3" AND Image.keyword:*\\\\powershell.exe AND Initiated:"true") AND (NOT (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.0.0.1) AND DestinationIsIpv6:"false" AND User:"NT AUTHORITY\\\\SYSTEM")))
```
### splunk
```
((EventID="3" Image="*\\\\powershell.exe") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.0.0.1") DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
((EventID="3" Image="*\\\\powershell.exe" Initiated="true") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.0.0.1") DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
```
### logpoint
```
((EventID="3" Image="*\\\\powershell.exe") -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.0.0.1"] DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
((event_id="3" Image="*\\\\powershell.exe" Initiated="true") -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.0.0.1"] DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\powershell\\.exe)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\.0\\.0\\.1))(?=.*false)(?=.*NT AUTHORITY\\SYSTEM)))))'
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\powershell\\.exe)(?=.*true)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\.0\\.0\\.1))(?=.*false)(?=.*NT AUTHORITY\\SYSTEM)))))'
```
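Review bot: in every regenerated query the exclusion reads `NOT (DestinationIp private AND DestinationIsIpv6 false AND User NT AUTHORITY\SYSTEM)`, because `filter` is a single map whose keys are ANDed; a PowerShell connection to 10.x under any account other than SYSTEM therefore still alerts, and the description's advice to extend the filter with the company IP range only affects SYSTEM-owned processes. If the intent is to exclude internal destinations for all users, split the filter into separate conditions and use `not (filter_ip or filter_user)`; if it is intentional (only SYSTEM-run PowerShell talking internally is benign), state that in the description. Two smaller points: the graylog output moved from quoted strings to `.keyword` fields with unquoted wildcards, bringing it in line with es-qs, and the grep output renders `Initiated: 'true'` as a bare `(?=.*true)`, which any line containing `true` in some other field satisfies, so the grep variant is a coarse triage filter rather than an equivalent of the rule.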


@ -19,6 +19,7 @@
```
title: QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: experimental
description: Detects a dump file written by QuarksPwDump password dumper
references:
@ -65,7 +66,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"11" AND TargetFilename:"*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*")
(EventID:"11" AND TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)
```
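Review bot: the graylog conversion now queries `TargetFilename.keyword` with an unquoted wildcard instead of the quoted `TargetFilename:"..."` form. That is the correct way to wildcard-match the raw value, but it presupposes a `keyword` sub-field on `TargetFilename` in the index mapping (present in the default winlogbeat template, not guaranteed in custom mappings); on an index without it the query silently returns nothing, so verify the mapping before relying on the regenerated output. The escaped hyphen in `SAM\\-*` is the Lucene escape for `-` and is harmless.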
@ -79,7 +80,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="11" TargetFilename="*\\\\AppData\\\\Local\\\\Temp\\\\SAM-*.dmp*")
(event_id="11" TargetFilename="*\\\\AppData\\\\Local\\\\Temp\\\\SAM-*.dmp*")
```


@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/SBousseaden/status/1096148422984384514](https://twitter.com/SBousseaden/status/1096148422984384514)</li></ul> |
| Author | Samir Bousseaden |
| Other Tags | <ul><li>car.2013-07-002</li><li>car.2013-07-002</li></ul> |
| Other Tags | <ul><li>car.2013-07-002</li></ul> |
## Detection Rules
@ -19,6 +19,7 @@
```
title: RDP over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
@ -37,6 +38,7 @@ detection:
selection:
EventID: 3
Image: '*\svchost.exe'
Initiated: 'true'
SourcePort: 3389
DestinationIp:
- '127.*'
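Review bot: `Initiated: 'true'` together with `SourcePort: 3389` asks for the svchost process hosting the RDP listener to be the initiating side of a connection whose local port is 3389. In a reverse SSH tunnel the peer that connects to 127.0.0.1:3389 is the tunnel endpoint and svchost accepts, so whether Sysmon reports that accepted loopback connection with Initiated true or false decides if the narrowed rule still fires. Before merging, replay the setup from the referenced blog post and check the field on the captured EventID 3; if it reads false, the added line turns a working detection into a dead one and the selection without `Initiated` should be restored.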
@ -45,6 +47,7 @@ detection:
falsepositives:
- unknown
level: high
```
@ -54,42 +57,42 @@ level: high
### es-qs
```
(EventID:"3" AND Image.keyword:*\\\\svchost.exe AND SourcePort:"3389" AND DestinationIp.keyword:(127.* OR \\:\\:1))
(EventID:"3" AND Image.keyword:*\\\\svchost.exe AND Initiated:"true" AND SourcePort:"3389" AND DestinationIp.keyword:(127.* OR \\:\\:1))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/RDP-over-Reverse-SSH-Tunnel <<EOF\n{\n "metadata": {\n "title": "RDP over Reverse SSH Tunnel",\n "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389",\n "tags": [\n "attack.defense_evasion",\n "attack.command_and_control",\n "attack.t1076",\n "car.2013-07-002"\n ],\n "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* OR \\\\:\\\\:1))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* OR \\\\:\\\\:1))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'RDP over Reverse SSH Tunnel\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/RDP-over-Reverse-SSH-Tunnel <<EOF\n{\n "metadata": {\n "title": "RDP over Reverse SSH Tunnel",\n "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389",\n "tags": [\n "attack.defense_evasion",\n "attack.command_and_control",\n "attack.t1076",\n "car.2013-07-002"\n ],\n "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND Initiated:\\"true\\" AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* OR \\\\:\\\\:1))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND Initiated:\\"true\\" AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* OR \\\\:\\\\:1))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'RDP over Reverse SSH Tunnel\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"3" AND Image:"*\\\\svchost.exe" AND SourcePort:"3389" AND DestinationIp:("127.*" "\\:\\:1"))
(EventID:"3" AND Image.keyword:*\\\\svchost.exe AND Initiated:"true" AND SourcePort:"3389" AND DestinationIp.keyword:(127.* \\:\\:1))
```
### splunk
```
(EventID="3" Image="*\\\\svchost.exe" SourcePort="3389" (DestinationIp="127.*" OR DestinationIp="::1"))
(EventID="3" Image="*\\\\svchost.exe" Initiated="true" SourcePort="3389" (DestinationIp="127.*" OR DestinationIp="::1"))
```
### logpoint
```
(EventID="3" Image="*\\\\svchost.exe" SourcePort="3389" DestinationIp IN ["127.*", "::1"])
(event_id="3" Image="*\\\\svchost.exe" Initiated="true" SourcePort="3389" DestinationIp IN ["127.*", "::1"])
```
### grep
```
grep -P '^(?:.*(?=.*3)(?=.*.*\\svchost\\.exe)(?=.*3389)(?=.*(?:.*127\\..*|.*::1)))'
grep -P '^(?:.*(?=.*3)(?=.*.*\\svchost\\.exe)(?=.*true)(?=.*3389)(?=.*(?:.*127\\..*|.*::1)))'
```
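Review bot: the grep translation `(?=.*3389)(?=.*true)(?=.*(?:.*127\..*|.*::1))` asserts only that these substrings appear somewhere on the line, unbound to SourcePort, Initiated or DestinationIp, so an svchost connection with DestinationPort 3389, or to an address containing `127.` in a later octet, matches as well. Keep the grep output for ad hoc triage of exported logs and use the field-aware es-qs, splunk or logpoint variants for alerting. The `\\:\\:1` form in es-qs and graylog is the Lucene escaping of the colons in `::1` and is correct.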


@ -19,18 +19,19 @@
```
title: RDP Sensitive Settings Changed
id: 171b67e1-74b4-460e-8d55-b331f3e32d67
description: Detects changes to RDP terminal service sensitive settings
references:
- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
date: 2019/04/03
author: Samir Bousseaden
logsource:
product: windows
service: sysmon
product: windows
service: sysmon
detection:
selection_reg:
EventID: 13
TargetObject:
EventID: 13
TargetObject:
- '*\services\TermService\Parameters\ServiceDll*'
- '*\Control\Terminal Server\fSingleSessionPerUser*'
- '*\Control\Terminal Server\fDenyTSConnections*'
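Review bot: this hunk changes only the indentation of `logsource` and `selection_reg`; as rendered here the before and after lines are identical, so the content is unchanged. Unlike the other rules touched in this commit, the rule still has no `status:` line; add `status: experimental` so the `Development Status` column in the table is populated and the rule set stays consistent. `compability`-style wording aside, the three `TargetObject` patterns are fine for EventID 13 (value set); note for the description that a re-creation of the same keys would surface as EventID 12 and is not covered.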
@ -64,7 +65,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"13" AND TargetObject:("*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll*" "*\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser*" "*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*"))
(EventID:"13" AND TargetObject.keyword:(*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll* *\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser* *\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*))
```
@ -78,7 +79,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="13" TargetObject IN ["*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll*", "*\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser*", "*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*"])
(event_id="13" TargetObject IN ["*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll*", "*\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser*", "*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*"])
```


@ -0,0 +1,95 @@
| Title | Windows Registry Persistence - COM key linking |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects COM object hijacking via TreatAs subkey |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1122: Component Object Model Hijacking](https://attack.mitre.org/techniques/T1122)</li></ul> |
| Data Needed | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1122: Component Object Model Hijacking](../Triggers/T1122.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Maybe some system utilities in rare cases use linking keys for backward compability</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)</li></ul> |
| Author | Kutepov Anton, oscd.community |
## Detection Rules
### Sigma rule
```
title: Windows Registry Persistence - COM key linking
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: experimental
description: Detects COM object hijacking via TreatAs subkey
references:
- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019/10/23
modified: 2019/11/07
tags:
- attack.persistence
- attack.t1122
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 12
TargetObject|startswith: 'HKU\'
TargetObject|contains: '_Classes\CLSID\'
TargetObject|endswith: '\TreatAs'
condition: selection
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compability
level: medium
```
### es-qs
```
(EventID:"12" AND TargetObject:"HKU\\*" AND TargetObject.keyword:*_Classes\\\\CLSID\\* AND TargetObject.keyword:*\\\\TreatAs)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Windows-Registry-Persistence---COM-key-linking <<EOF\n{\n "metadata": {\n "title": "Windows Registry Persistence - COM key linking",\n "description": "Detects COM object hijacking via TreatAs subkey",\n "tags": [\n "attack.persistence",\n "attack.t1122"\n ],\n "query": "(EventID:\\"12\\" AND TargetObject:\\"HKU\\\\*\\" AND TargetObject.keyword:*_Classes\\\\\\\\CLSID\\\\* AND TargetObject.keyword:*\\\\\\\\TreatAs)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"12\\" AND TargetObject:\\"HKU\\\\*\\" AND TargetObject.keyword:*_Classes\\\\\\\\CLSID\\\\* AND TargetObject.keyword:*\\\\\\\\TreatAs)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Windows Registry Persistence - COM key linking\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"12" AND TargetObject:"HKU\\*" AND TargetObject.keyword:*_Classes\\\\CLSID\\* AND TargetObject.keyword:*\\\\TreatAs)
```
### splunk
```
(EventID="12" TargetObject="HKU\\*" TargetObject="*_Classes\\\\CLSID\\*" TargetObject="*\\\\TreatAs")
```
### logpoint
```
(event_id="12" TargetObject="HKU\\*" TargetObject="*_Classes\\\\CLSID\\*" TargetObject="*\\\\TreatAs")
```
### grep
```
grep -P '^(?:.*(?=.*12)(?=.*HKU\\.*)(?=.*.*_Classes\\CLSID\\.*)(?=.*.*\\TreatAs))'
```
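Review bot: the `startswith` clause is emitted differently from its siblings in the es-qs and graylog outputs: `TargetObject:"HKU\\*"` is a quoted phrase on the analysed field, while `contains` and `endswith` become unquoted wildcards on `TargetObject.keyword`. Whether a `*` inside a quoted phrase behaves as a wildcard depends on the backend and analyser, so test this query against an indexed EventID 12 record for a real `HKU\<SID>_Classes\CLSID\{...}\TreatAs` path before trusting it, and consider reporting the inconsistency to the converter. Two rule-level remarks: EventID 12 covers key create and delete, so the rule fires when the `TreatAs` subkey is created under a user's CLSID hive but not when the default value of an already existing `TreatAs` key is repointed (a value set, EventID 13); and `compability` in `falsepositives` and in the table should read `compatibility`.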


@ -3,7 +3,7 @@
| Description | Detects the execution of a renamed PowerShell often used by attackers or malware |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | critical |
@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/christophetd/status/1164506034720952320](https://twitter.com/christophetd/status/1164506034720952320)</li></ul> |
| Author | Florian Roth |
| Other Tags | <ul><li>car.2013-05-009</li><li>car.2013-05-009</li></ul> |
| Other Tags | <ul><li>car.2013-05-009</li></ul> |
## Detection Rules
@ -19,8 +19,9 @@
```
title: Renamed PowerShell
id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20
status: experimental
description: Detects the execution of a renamed PowerShell often used by attackers or malware
description: Detects the execution of a renamed PowerShell often used by attackers or malware
references:
- https://twitter.com/christophetd/status/1164506034720952320
author: Florian Roth
@ -66,7 +67,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
((Description:"Windows PowerShell" AND Company:"Microsoft Corporation") AND NOT (Image:("*\\\\powershell.exe" "*\\\\powershell_ise.exe")))
((Description:"Windows PowerShell" AND Company:"Microsoft Corporation") AND (NOT (Image.keyword:(*\\\\powershell.exe *\\\\powershell_ise.exe))))
```


@ -0,0 +1,96 @@
| Title | Renamed ProcDump |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the execution of a renamed ProcDump executable often used by attackers or malware |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Procdump illegaly bundled with legitimate software</li><li>Weird admins who renamed binaries</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Renamed ProcDump
id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
status: experimental
description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth
date: 2019/11/18
tags:
- attack.defense_evasion
- attack.t1036
logsource:
product: windows
service: sysmon
detection:
selection:
OriginalFileName: 'procdump'
filter:
Image:
- '*\procdump.exe'
- '*\procdump64.exe'
condition: selection and not filter
falsepositives:
- Procdump illegaly bundled with legitimate software
- Weird admins who renamed binaries
level: critical
```
### es-qs
```
(OriginalFileName:"procdump" AND (NOT (Image.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Renamed-ProcDump <<EOF\n{\n "metadata": {\n "title": "Renamed ProcDump",\n "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware",\n "tags": [\n "attack.defense_evasion",\n "attack.t1036"\n ],\n "query": "(OriginalFileName:\\"procdump\\" AND (NOT (Image.keyword:(*\\\\\\\\procdump.exe OR *\\\\\\\\procdump64.exe))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(OriginalFileName:\\"procdump\\" AND (NOT (Image.keyword:(*\\\\\\\\procdump.exe OR *\\\\\\\\procdump64.exe))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Renamed ProcDump\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(OriginalFileName:"procdump" AND (NOT (Image.keyword:(*\\\\procdump.exe *\\\\procdump64.exe))))
```
### splunk
```
(OriginalFileName="procdump" NOT ((Image="*\\\\procdump.exe" OR Image="*\\\\procdump64.exe")))
```
### logpoint
```
(OriginalFileName="procdump" -(Image IN ["*\\\\procdump.exe", "*\\\\procdump64.exe"]))
```
### grep
```
grep -P '^(?:.*(?=.*procdump)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\procdump\\.exe|.*.*\\procdump64\\.exe))))))'
```
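Review bot: the rule has no `EventID`, so it runs over every Sysmon event carrying `OriginalFileName` and `Image`, i.e. process creation (1) and image load (7), which matches the two Data Needed entries in the table; if only executions are wanted, add `EventID: 1` to the selection. `OriginalFileName` is only populated by Sysmon 10 and later, which is worth stating in the description since older sensors will never produce a hit. The grep output `(?=.*procdump)` followed by a negative lookahead on `\procdump.exe` / `\procdump64.exe` matches any line that mentions procdump outside those two paths, including command lines and descriptions of unrelated events, so it is far noisier than the field-bound variants. `illegaly` in `falsepositives` should read `illegally` (the same typo appears in the Renamed PsExec rule below).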


@ -3,7 +3,7 @@
| Description | Detects the execution of a renamed PsExec often used by attackers or malware |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks](https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks)</li></ul> |
| Author | Florian Roth |
| Other Tags | <ul><li>car.2013-05-009</li><li>car.2013-05-009</li></ul> |
| Other Tags | <ul><li>car.2013-05-009</li></ul> |
## Detection Rules
@ -19,8 +19,9 @@
```
title: Renamed PsExec
id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2
status: experimental
description: Detects the execution of a renamed PsExec often used by attackers or malware
description: Detects the execution of a renamed PsExec often used by attackers or malware
references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
author: Florian Roth
@ -35,7 +36,9 @@ detection:
Description: 'Execute processes remotely'
Product: 'Sysinternals PsExec'
filter:
Image: '*\PsExec.exe'
Image:
- '*\PsExec.exe'
- '*\PsExec64.exe'
condition: selection and not filter
falsepositives:
- Software that illegaly integrates PsExec in a renamed form
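Review bot: the `falsepositives` context line `- Software that illegaly integrates PsExec in a renamed form` has a typo (`illegally`); since this hunk already edits the block, fix it here. Extending `filter` with `*\PsExec64.exe` is correct: without it every 64-bit PsExec run matched the rule.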
@ -51,42 +54,42 @@ level: high
### es-qs
```
((Description:"Execute\\ processes\\ remotely" AND Product:"Sysinternals\\ PsExec") AND (NOT (Image.keyword:*\\\\PsExec.exe)))
((Description:"Execute\\ processes\\ remotely" AND Product:"Sysinternals\\ PsExec") AND (NOT (Image.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Renamed-PsExec <<EOF\n{\n "metadata": {\n "title": "Renamed PsExec",\n "description": "Detects the execution of a renamed PsExec often used by attackers or malware",\n "tags": [\n "car.2013-05-009"\n ],\n "query": "((Description:\\"Execute\\\\ processes\\\\ remotely\\" AND Product:\\"Sysinternals\\\\ PsExec\\") AND (NOT (Image.keyword:*\\\\\\\\PsExec.exe)))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((Description:\\"Execute\\\\ processes\\\\ remotely\\" AND Product:\\"Sysinternals\\\\ PsExec\\") AND (NOT (Image.keyword:*\\\\\\\\PsExec.exe)))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Renamed PsExec\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Renamed-PsExec <<EOF\n{\n "metadata": {\n "title": "Renamed PsExec",\n "description": "Detects the execution of a renamed PsExec often used by attackers or malware",\n "tags": [\n "car.2013-05-009"\n ],\n "query": "((Description:\\"Execute\\\\ processes\\\\ remotely\\" AND Product:\\"Sysinternals\\\\ PsExec\\") AND (NOT (Image.keyword:(*\\\\\\\\PsExec.exe OR *\\\\\\\\PsExec64.exe))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((Description:\\"Execute\\\\ processes\\\\ remotely\\" AND Product:\\"Sysinternals\\\\ PsExec\\") AND (NOT (Image.keyword:(*\\\\\\\\PsExec.exe OR *\\\\\\\\PsExec64.exe))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Renamed PsExec\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((Description:"Execute processes remotely" AND Product:"Sysinternals PsExec") AND NOT (Image:"*\\\\PsExec.exe"))
((Description:"Execute processes remotely" AND Product:"Sysinternals PsExec") AND (NOT (Image.keyword:(*\\\\PsExec.exe *\\\\PsExec64.exe))))
```
### splunk
```
((Description="Execute processes remotely" Product="Sysinternals PsExec") NOT (Image="*\\\\PsExec.exe"))
((Description="Execute processes remotely" Product="Sysinternals PsExec") NOT ((Image="*\\\\PsExec.exe" OR Image="*\\\\PsExec64.exe")))
```
### logpoint
```
((Description="Execute processes remotely" Product="Sysinternals PsExec") -(Image="*\\\\PsExec.exe"))
((Description="Execute processes remotely" Product="Sysinternals PsExec") -(Image IN ["*\\\\PsExec.exe", "*\\\\PsExec64.exe"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*Execute processes remotely)(?=.*Sysinternals PsExec)))(?=.*(?!.*(?:.*(?=.*.*\\PsExec\\.exe)))))'
grep -P '^(?:.*(?=.*(?:.*(?=.*Execute processes remotely)(?=.*Sysinternals PsExec)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\PsExec\\.exe|.*.*\\PsExec64\\.exe))))))'
```
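Review bot: the graylog output changes from `Image:"*\\\\PsExec.exe"` to `Image.keyword:(*\\\\PsExec.exe *\\\\PsExec64.exe)` and is now identical to the es-qs output. Graylog's default index template maps string fields directly as keyword type and does not add an Elasticsearch-style `.keyword` sub-field, so this query is likely to match nothing on a stock Graylog installation; verify against an instance or keep the plain field name for that backend. The same change appears in the other graylog outputs of this commit.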


@ -19,6 +19,7 @@
```
title: Rundll32 Internet Connection
id: cdc8da7d-c303-42f8-b08c-b4ab47230263
status: experimental
description: Detects a rundll32 that communicates with public IP addresses
references:
@ -36,6 +37,7 @@ detection:
selection:
EventID: 3
Image: '*\rundll32.exe'
Initiated: 'true'
filter:
DestinationIp:
- '10.*'
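Review bot: the `filter` exclusions (`10.*`, `172.16.*` through `172.31.*`, `192.168.*`, `127.*`) are IPv4 only; with `Initiated: 'true'` now restricting the rule to outbound connections, the remaining noise will come from IPv6 loopback (`::1`) and link-local (`169.254.*`, `fe80:*`) destinations, none of which are excluded. Consider adding them. The quoted `'true'` is right, since Sysmon writes `Initiated` as a text field.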
@ -71,42 +73,42 @@ level: medium
### es-qs
```
((EventID:"3" AND Image.keyword:*\\\\rundll32.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
((EventID:"3" AND Image.keyword:*\\\\rundll32.exe AND Initiated:"true") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Rundll32-Internet-Connection <<EOF\n{\n "metadata": {\n "title": "Rundll32 Internet Connection",\n "description": "Detects a rundll32 that communicates with public IP addresses",\n "tags": [\n "attack.t1085",\n "attack.defense_evasion",\n "attack.execution"\n ],\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Rundll32 Internet Connection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Rundll32-Internet-Connection <<EOF\n{\n "metadata": {\n "title": "Rundll32 Internet Connection",\n "description": "Detects a rundll32 that communicates with public IP addresses",\n "tags": [\n "attack.t1085",\n "attack.defense_evasion",\n "attack.execution"\n ],\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe AND Initiated:\\"true\\") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe AND Initiated:\\"true\\") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Rundll32 Internet Connection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"3" AND Image:"*\\\\rundll32.exe") AND NOT (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.*")))
((EventID:"3" AND Image.keyword:*\\\\rundll32.exe AND Initiated:"true") AND (NOT (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.*))))
```
### splunk
```
((EventID="3" Image="*\\\\rundll32.exe") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*")))
((EventID="3" Image="*\\\\rundll32.exe" Initiated="true") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*")))
```
### logpoint
```
((EventID="3" Image="*\\\\rundll32.exe") -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"]))
((event_id="3" Image="*\\\\rundll32.exe" Initiated="true") -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\rundll32\\.exe)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))))))'
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\rundll32\\.exe)(?=.*true)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))))))'
```
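Review bot: the grep output encodes the new `Initiated: 'true'` selection as the bare lookahead `(?=.*true)`, which matches `true` anywhere in the line, so for that backend the added condition brings almost no precision (the `EventID: 3` condition is similarly `(?=.*3)`). Acceptable for a fallback backend, but worth noting in the rule. The logpoint output also switches from `EventID` to `event_id` while es-qs and splunk keep `EventID`; confirm this is the intended per-backend field mapping rather than an accidental change.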


@ -19,8 +19,9 @@
```
title: Security Support Provider (SSP) added to LSA configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: experimental
description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
- https://attack.mitre.org/techniques/T1101/
- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
@ -70,7 +71,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
((EventID:"13" AND TargetObject:("HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages" "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages")) AND NOT (Image:"C\\:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image:"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
((EventID:"13" AND TargetObject:("HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages" "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages")) AND (NOT (Image:"C\\:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image:"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe")))
```
@ -84,7 +85,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
((EventID="13" TargetObject IN ["HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages", "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages"]) -(Image="C:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image="C:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
((event_id="13" TargetObject IN ["HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages", "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages"]) -(Image="C:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image="C:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
```


@ -11,17 +11,18 @@
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/](https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)</li></ul> |
| Author | Florian Roth, @twjackomo |
| Other Tags | <ul><li>car.2014-11-003</li><li>car.2014-11-003</li><li>car.2014-11-008</li><li>car.2014-11-008</li></ul> |
| Other Tags | <ul><li>car.2014-11-003</li><li>car.2014-11-008</li></ul> |
## Detection Rules
### Sigma rule
```
---
action: global
title: Sticky Key Like Backdoor Usage
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
id: baca5663-583c-45f9-b5dc-ea96a22ce542
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
screen
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
tags:
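Review bot: the `description:` value is now wrapped onto a second line (`... accessible in the login` / `screen`). As a plain YAML scalar this only parses as one folded string if the continuation line is indented under the key; the rendered diff does not show indentation, so verify it, because an unindented `screen` at column 0 is read as a new mapping entry and fails to parse. Keeping the sentence on one line, as in the removed version, or using a `>` folded block scalar avoids the ambiguity. The de-duplication of the `car.*` Other Tags is fine.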
@ -91,7 +92,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"13" AND TargetObject:("*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger") AND EventType:"SetValue")\n(ParentImage:("*\\\\winlogon.exe") AND CommandLine:("*cmd.exe sethc.exe *" "*cmd.exe utilman.exe *" "*cmd.exe osk.exe *" "*cmd.exe Magnify.exe *" "*cmd.exe Narrator.exe *" "*cmd.exe DisplaySwitch.exe *"))
(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger) AND EventType:"SetValue")\n(ParentImage.keyword:(*\\\\winlogon.exe) AND CommandLine.keyword:(*cmd.exe sethc.exe * *cmd.exe utilman.exe * *cmd.exe osk.exe * *cmd.exe Magnify.exe * *cmd.exe Narrator.exe * *cmd.exe DisplaySwitch.exe *))
```
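Review bot: the second query of this global rule, `(ParentImage.keyword:(*\\\\winlogon.exe) AND CommandLine.keyword:(*cmd.exe sethc.exe * ...))`, has no `EventID:"1"` restriction, whereas the logpoint output for the same rule in the next hunk gains `event_id="1"`; the process-creation EventID belongs in both backends or in neither. Separately, in Lucene syntax the unquoted, space-containing patterns inside `CommandLine.keyword:(*cmd.exe sethc.exe * ...)` are tokenized into separate terms (`*cmd.exe`, `sethc.exe`, `*`), so the pattern does not survive as one value; the es-qs backend escapes spaces as `\\ ` for exactly this reason, and the graylog output should do the same or quote each pattern.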
@ -105,7 +106,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger"] EventType="SetValue")\n(ParentImage IN ["*\\\\winlogon.exe"] CommandLine IN ["*cmd.exe sethc.exe *", "*cmd.exe utilman.exe *", "*cmd.exe osk.exe *", "*cmd.exe Magnify.exe *", "*cmd.exe Narrator.exe *", "*cmd.exe DisplaySwitch.exe *"])
(event_id="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger"] EventType="SetValue")\n(event_id="1" ParentImage IN ["*\\\\winlogon.exe"] CommandLine IN ["*cmd.exe sethc.exe *", "*cmd.exe utilman.exe *", "*cmd.exe osk.exe *", "*cmd.exe Magnify.exe *", "*cmd.exe Narrator.exe *", "*cmd.exe DisplaySwitch.exe *"])
```


@ -0,0 +1,95 @@
| Title | Suspicious RUN Key from Download |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1060: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1060)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1060: Registry Run Keys / Startup Folder](../Triggers/T1060.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Software installers downloaded and used by users</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/](https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Suspicious RUN Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: experimental
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
references:
- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
author: Florian Roth
date: 2019/10/01
tags:
- attack.persistence
- attack.t1060
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
Image:
- '*\Downloads\\*'
- '*\Temporary Internet Files\Content.Outlook\\*'
- '*\Local Settings\Temporary Internet Files\\*'
TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
condition: selection
falsepositives:
- Software installers downloaded and used by users
level: high
```
### es-qs
```
(EventID:"13" AND Image.keyword:(*\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*) AND TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-RUN-Key-from-Download <<EOF\n{\n "metadata": {\n "title": "Suspicious RUN Key from Download",\n "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories",\n "tags": [\n "attack.persistence",\n "attack.t1060"\n ],\n "query": "(EventID:\\"13\\" AND Image.keyword:(*\\\\\\\\Downloads\\\\\\\\* OR *\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\Content.Outlook\\\\\\\\* OR *\\\\\\\\Local\\\\ Settings\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\*) AND TargetObject.keyword:*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"13\\" AND Image.keyword:(*\\\\\\\\Downloads\\\\\\\\* OR *\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\Content.Outlook\\\\\\\\* OR *\\\\\\\\Local\\\\ Settings\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\*) AND TargetObject.keyword:*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious RUN Key from Download\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND Image.keyword:(*\\\\Downloads\\\\* *\\\\Temporary Internet Files\\\\Content.Outlook\\\\* *\\\\Local Settings\\\\Temporary Internet Files\\\\*) AND TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)
```
### splunk
```
(EventID="13" (Image="*\\\\Downloads\\\\*" OR Image="*\\\\Temporary Internet Files\\\\Content.Outlook\\\\*" OR Image="*\\\\Local Settings\\\\Temporary Internet Files\\\\*") TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*")
```
### logpoint
```
(event_id="13" Image IN ["*\\\\Downloads\\\\*", "*\\\\Temporary Internet Files\\\\Content.Outlook\\\\*", "*\\\\Local Settings\\\\Temporary Internet Files\\\\*"] TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*")
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\Downloads\\\\.*|.*.*\\Temporary Internet Files\\Content\\.Outlook\\\\.*|.*.*\\Local Settings\\Temporary Internet Files\\\\.*))(?=.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\.*))'
```
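Review bot: the `Image` patterns `*\Temporary Internet Files\Content.Outlook\\*` and `*\Local Settings\Temporary Internet Files\\*` cover only the legacy cache locations; on current Windows releases the Outlook attachment cache lives under `%LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.Outlook\`, which neither pattern matches, so the description "temporary Outlook/Internet Explorer directories" overstates the coverage. Add an `*\INetCache\\*` pattern or narrow the description. Also, `TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'` requires the trailing backslash, so `RunOnce` is deliberately out of scope; say so in the rule or add it.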


@ -19,11 +19,12 @@
```
title: Suspicious Driver Load from Temp
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
description: Detects a driver load from a temporary directory
author: Florian Roth
tags:
- attack.persistence
- attack.t1050
tags:
- attack.persistence
- attack.t1050
logsource:
product: windows
service: sysmon
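Review bot: the hunk shows two `tags:` blocks (`attack.persistence`, `attack.t1050`) in the Sigma rule. Without +/- markers it is not clear which one is removed; if both survive, the duplicate mapping key is either rejected by the YAML parser or silently collapsed to the last occurrence, so confirm that exactly one `tags:` block remains. The visible header (`title`, `id`, `description`, `author`) also lacks the `status:` and `date:` fields the other rules touched in this commit carry.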
@ -59,7 +60,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"6" AND ImageLoaded:"*\\\\Temp\\\\*")
(EventID:"6" AND ImageLoaded.keyword:*\\\\Temp\\\\*)
```
@ -73,7 +74,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="6" ImageLoaded="*\\\\Temp\\\\*")
(event_id="6" ImageLoaded="*\\\\Temp\\\\*")
```


@ -3,10 +3,10 @@
| Description | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | high |
| Severity Level | medium |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://securelist.com/muddywater/88059/](https://securelist.com/muddywater/88059/)</li><li>[https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection](https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection)</li></ul> |
@ -19,6 +19,7 @@
```
title: Suspicious File Characteristics due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
description: Detects Executables without FileVersion,Description,Product,Company likely created with py2exe
status: experimental
references:
@ -26,6 +27,7 @@ references:
- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis
date: 2018/11/22
modified: 2019/11/09
tags:
- attack.defense_evasion
- attack.execution
@ -49,7 +51,7 @@ fields:
- ParentCommandLine
falsepositives:
- Unknown
level: high
level: medium
```


@ -18,7 +18,8 @@
### Sigma rule
```
title: Possible Process Hollowing Image Loading
title: Possible Process Hollowing Image Loading
id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
status: experimental
description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
references:
@ -67,7 +68,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"7" AND Image:("*\\\\notepad.exe") AND ImageLoaded:("*\\\\samlib.dll" "*\\\\WinSCard.dll"))
(EventID:"7" AND Image.keyword:(*\\\\notepad.exe) AND ImageLoaded.keyword:(*\\\\samlib.dll *\\\\WinSCard.dll))
```
@ -81,7 +82,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="7" Image IN ["*\\\\notepad.exe"] ImageLoaded IN ["*\\\\samlib.dll", "*\\\\WinSCard.dll"])
(event_id="7" Image IN ["*\\\\notepad.exe"] ImageLoaded IN ["*\\\\samlib.dll", "*\\\\WinSCard.dll"])
```


@ -0,0 +1,98 @@
| Title | DLL Load via LSASS |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a method to load DLL via LSASS process using an undocumented Registry key |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1177: LSASS Driver](https://attack.mitre.org/techniques/T1177)</li></ul> |
| Data Needed | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1177: LSASS Driver](../Triggers/T1177.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://blog.xpnsec.com/exploring-mimikatz-part-1/](https://blog.xpnsec.com/exploring-mimikatz-part-1/)</li><li>[https://twitter.com/SBousseaden/status/1183745981189427200](https://twitter.com/SBousseaden/status/1183745981189427200)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: experimental
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
author: Florian Roth
date: 2019/10/16
references:
- https://blog.xpnsec.com/exploring-mimikatz-part-1/
- https://twitter.com/SBousseaden/status/1183745981189427200
logsource:
product: windows
service: sysmon
detection:
selection:
EventID:
- 12
- 13
TargetObject:
- '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
- '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
condition: selection
tags:
- attack.execution
- attack.t1177
falsepositives:
- Unknown
level: high
```
### es-qs
```
(EventID:("12" OR "13") AND TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* OR *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/DLL-Load-via-LSASS <<EOF\n{\n "metadata": {\n "title": "DLL Load via LSASS",\n "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key",\n "tags": [\n "attack.execution",\n "attack.t1177"\n ],\n "query": "(EventID:(\\"12\\" OR \\"13\\") AND TargetObject.keyword:(*\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\NTDS\\\\\\\\DirectoryServiceExtPt* OR *\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\NTDS\\\\\\\\LsaDbExtPt*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:(\\"12\\" OR \\"13\\") AND TargetObject.keyword:(*\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\NTDS\\\\\\\\DirectoryServiceExtPt* OR *\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\NTDS\\\\\\\\LsaDbExtPt*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'DLL Load via LSASS\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:("12" "13") AND TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))
```
### splunk
```
((EventID="12" OR EventID="13") (TargetObject="*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt*" OR TargetObject="*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*"))
```
### logpoint
```
(event_id IN ["12", "13"] TargetObject IN ["*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt*", "*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*"])
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*12|.*13))(?=.*(?:.*.*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt.*|.*.*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt.*)))'
```
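Review bot: the grep translation on the last line of this hunk reduces the EventID selection to bare lookaheads, `(?=.*(?:.*12|.*13))`, which any line containing the digits 12 or 13 anywhere (timestamps, PIDs, other fields) satisfies, so on that backend the only effective constraint is the pair of NTDS registry paths; either have the generator anchor the value to its field name or mark the grep output as best-effort for this rule. The rest of the new file is internally consistent: Data Needed lists DN_0016 for event 12 and DN_0017 for event 13, and the es-qs, splunk and logpoint lines carry both event ids and both `DirectoryServiceExtPt` / `LsaDbExtPt` paths.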

View File

@ -19,8 +19,9 @@
```
title: PowerShell Rundll32 Remote Thread Creation
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
status: experimental
description: Detects PowerShell remote thread creation in Rundll32.exe
description: Detects PowerShell remote thread creation in Rundll32.exe
author: Florian Roth
references:
- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
@ -66,7 +67,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"8" AND SourceImage:"*\\\\powershell.exe" AND TargetImage:"*\\\\rundll32.exe")
(EventID:"8" AND SourceImage.keyword:*\\\\powershell.exe AND TargetImage.keyword:*\\\\rundll32.exe)
```
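Review bot: switching `SourceImage` and `TargetImage` to the `.keyword` sub-field on the graylog line changes which index field the wildcard runs against, so the query now only returns hits where the Elasticsearch mapping behind Graylog defines a keyword sub-field for both; confirm the mapping in use provides it, otherwise this rule silently matches nothing after the regeneration. The same switch appears in every graylog hunk of this commit and needs the same check.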
@ -80,7 +81,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="8" SourceImage="*\\\\powershell.exe" TargetImage="*\\\\rundll32.exe")
(event_id="8" SourceImage="*\\\\powershell.exe" TargetImage="*\\\\rundll32.exe")
```
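Review bot: only `EventID` is renamed to `event_id` on the logpoint line; `SourceImage` and `TargetImage` keep their Sysmon names. If the Logpoint field mapping in the generator normalises only the event id, this is correct, but if the backend also expects the other Sysmon fields under Logpoint names the query will silently match nothing, so confirm against the backend mapping (the pattern repeats in every logpoint hunk of this commit).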

View File

@ -19,6 +19,7 @@
```
title: Suspicious Program Location with Network Connections
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: experimental
description: Detects programs with network connections running in suspicious files system locations
references:
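Review bot: typo in the description context line, "suspicious files system locations" should read "suspicious file system locations"; the text is copied into the markdown table and the watcher metadata, so it needs fixing in the source rule rather than in this generated file. The added `status: experimental` line matches the table's Development Status row.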
@ -73,7 +74,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"3" AND Image:("*\\\\$Recycle.bin" "*\\\\Users\\\\All Users\\\\*" "*\\\\Users\\\\Default\\\\*" "*\\\\Users\\\\Public\\\\*" "*\\\\Users\\\\Contacts\\\\*" "*\\\\Users\\\\Searches\\\\*" "C\\:\\\\Perflogs\\\\*" "*\\\\config\\\\systemprofile\\\\*" "*\\\\Windows\\\\Fonts\\\\*" "*\\\\Windows\\\\IME\\\\*" "*\\\\Windows\\\\addins\\\\*"))
(EventID:"3" AND Image.keyword:(*\\\\$Recycle.bin *\\\\Users\\\\All Users\\\\* *\\\\Users\\\\Default\\\\* *\\\\Users\\\\Public\\\\* *\\\\Users\\\\Contacts\\\\* *\\\\Users\\\\Searches\\\\* C\\:\\\\Perflogs\\\\* *\\\\config\\\\systemprofile\\\\* *\\\\Windows\\\\Fonts\\\\* *\\\\Windows\\\\IME\\\\* *\\\\Windows\\\\addins\\\\*))
```
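Review bot: `*\\$Recycle.bin` in the Image list (present in both the old and new graylog lines) has no trailing `\\*`, unlike every other entry, so it only matches an Image whose path ends in `$Recycle.bin` itself rather than an executable stored inside that folder; `*\\$Recycle.bin\\*` looks intended. Beyond that, the `.keyword` change here mirrors the other graylog updates in this commit and needs the same mapping check.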
@ -87,7 +88,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="3" Image IN ["*\\\\$Recycle.bin", "*\\\\Users\\\\All Users\\\\*", "*\\\\Users\\\\Default\\\\*", "*\\\\Users\\\\Public\\\\*", "*\\\\Users\\\\Contacts\\\\*", "*\\\\Users\\\\Searches\\\\*", "C:\\\\Perflogs\\\\*", "*\\\\config\\\\systemprofile\\\\*", "*\\\\Windows\\\\Fonts\\\\*", "*\\\\Windows\\\\IME\\\\*", "*\\\\Windows\\\\addins\\\\*"])
(event_id="3" Image IN ["*\\\\$Recycle.bin", "*\\\\Users\\\\All Users\\\\*", "*\\\\Users\\\\Default\\\\*", "*\\\\Users\\\\Public\\\\*", "*\\\\Users\\\\Contacts\\\\*", "*\\\\Users\\\\Searches\\\\*", "C:\\\\Perflogs\\\\*", "*\\\\config\\\\systemprofile\\\\*", "*\\\\Windows\\\\Fonts\\\\*", "*\\\\Windows\\\\IME\\\\*", "*\\\\Windows\\\\addins\\\\*"])
```

View File

@ -11,19 +11,20 @@
| Development Status | experimental |
| References | <ul><li>[https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708)</li></ul> |
| Author | Markus Neis - Swisscom |
| Other Tags | <ul><li>car.2013-07-002</li><li>car.2013-07-002</li></ul> |
| Other Tags | <ul><li>car.2013-07-002</li></ul> |
## Detection Rules
### Sigma rule
```
title: Suspicious Outbound RDP Connections
title: Suspicious Outbound RDP Connections
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: experimental
description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis - Swisscom
author: Markus Neis - Swisscom
date: 2019/05/15
tags:
- attack.lateral_movement
@ -35,7 +36,8 @@ logsource:
detection:
selection:
EventID: 3
DestinationPort: 3389
DestinationPort: 3389
Initiated: 'true'
filter:
Image:
- '*\mstsc.exe'
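Review bot: the new `Initiated: 'true'` line correctly limits the rule to outbound connections, which is what the title promises, but the selection still has no `Protocol` constraint while the description above says "Connecting to TCP port 3389"; either add `Protocol: tcp` to the selection or drop "TCP" from the description so the rule and its text agree. Quoting the value as the string `'true'` is right for Sysmon event 3, where Initiated is logged as text.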
@ -71,42 +73,42 @@ level: high
### es-qs
```
((EventID:"3" AND DestinationPort:"3389") AND (NOT (Image.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))
((EventID:"3" AND DestinationPort:"3389" AND Initiated:"true") AND (NOT (Image.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Outbound-RDP-Connections <<EOF\n{\n "metadata": {\n "title": "Suspicious Outbound RDP Connections",\n "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement",\n "tags": [\n "attack.lateral_movement",\n "attack.t1210",\n "car.2013-07-002"\n ],\n "query": "((EventID:\\"3\\" AND DestinationPort:\\"3389\\") AND (NOT (Image.keyword:(*\\\\\\\\mstsc.exe OR *\\\\\\\\RTSApp.exe OR *\\\\\\\\RTS2App.exe OR *\\\\\\\\RDCMan.exe OR *\\\\\\\\ws_TunnelService.exe OR *\\\\\\\\RSSensor.exe OR *\\\\\\\\RemoteDesktopManagerFree.exe OR *\\\\\\\\RemoteDesktopManager.exe OR *\\\\\\\\RemoteDesktopManager64.exe OR *\\\\\\\\mRemoteNG.exe OR *\\\\\\\\mRemote.exe OR *\\\\\\\\Terminals.exe OR *\\\\\\\\spiceworks\\\\-finder.exe OR *\\\\\\\\FSDiscovery.exe OR *\\\\\\\\FSAssessment.exe OR *\\\\\\\\MobaRTE.exe OR *\\\\\\\\chrome.exe OR *\\\\\\\\thor.exe OR *\\\\\\\\thor64.exe))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"3\\" AND DestinationPort:\\"3389\\") AND (NOT (Image.keyword:(*\\\\\\\\mstsc.exe OR *\\\\\\\\RTSApp.exe OR *\\\\\\\\RTS2App.exe OR *\\\\\\\\RDCMan.exe OR *\\\\\\\\ws_TunnelService.exe OR *\\\\\\\\RSSensor.exe OR *\\\\\\\\RemoteDesktopManagerFree.exe OR *\\\\\\\\RemoteDesktopManager.exe OR *\\\\\\\\RemoteDesktopManager64.exe OR *\\\\\\\\mRemoteNG.exe OR *\\\\\\\\mRemote.exe OR *\\\\\\\\Terminals.exe OR *\\\\\\\\spiceworks\\\\-finder.exe OR *\\\\\\\\FSDiscovery.exe OR *\\\\\\\\FSAssessment.exe OR *\\\\\\\\MobaRTE.exe OR *\\\\\\\\chrome.exe OR *\\\\\\\\thor.exe OR *\\\\\\\\thor64.exe))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n 
"condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious Outbound RDP Connections\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Outbound-RDP-Connections <<EOF\n{\n "metadata": {\n "title": "Suspicious Outbound RDP Connections",\n "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement",\n "tags": [\n "attack.lateral_movement",\n "attack.t1210",\n "car.2013-07-002"\n ],\n "query": "((EventID:\\"3\\" AND DestinationPort:\\"3389\\" AND Initiated:\\"true\\") AND (NOT (Image.keyword:(*\\\\\\\\mstsc.exe OR *\\\\\\\\RTSApp.exe OR *\\\\\\\\RTS2App.exe OR *\\\\\\\\RDCMan.exe OR *\\\\\\\\ws_TunnelService.exe OR *\\\\\\\\RSSensor.exe OR *\\\\\\\\RemoteDesktopManagerFree.exe OR *\\\\\\\\RemoteDesktopManager.exe OR *\\\\\\\\RemoteDesktopManager64.exe OR *\\\\\\\\mRemoteNG.exe OR *\\\\\\\\mRemote.exe OR *\\\\\\\\Terminals.exe OR *\\\\\\\\spiceworks\\\\-finder.exe OR *\\\\\\\\FSDiscovery.exe OR *\\\\\\\\FSAssessment.exe OR *\\\\\\\\MobaRTE.exe OR *\\\\\\\\chrome.exe OR *\\\\\\\\thor.exe OR *\\\\\\\\thor64.exe))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"3\\" AND DestinationPort:\\"3389\\" AND Initiated:\\"true\\") AND (NOT (Image.keyword:(*\\\\\\\\mstsc.exe OR *\\\\\\\\RTSApp.exe OR *\\\\\\\\RTS2App.exe OR *\\\\\\\\RDCMan.exe OR *\\\\\\\\ws_TunnelService.exe OR *\\\\\\\\RSSensor.exe OR *\\\\\\\\RemoteDesktopManagerFree.exe OR *\\\\\\\\RemoteDesktopManager.exe OR *\\\\\\\\RemoteDesktopManager64.exe OR *\\\\\\\\mRemoteNG.exe OR *\\\\\\\\mRemote.exe OR *\\\\\\\\Terminals.exe OR *\\\\\\\\spiceworks\\\\-finder.exe OR *\\\\\\\\FSDiscovery.exe OR *\\\\\\\\FSAssessment.exe OR *\\\\\\\\MobaRTE.exe OR *\\\\\\\\chrome.exe OR *\\\\\\\\thor.exe OR *\\\\\\\\thor64.exe))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n 
}\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious Outbound RDP Connections\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"3" AND DestinationPort:"3389") AND NOT (Image:("*\\\\mstsc.exe" "*\\\\RTSApp.exe" "*\\\\RTS2App.exe" "*\\\\RDCMan.exe" "*\\\\ws_TunnelService.exe" "*\\\\RSSensor.exe" "*\\\\RemoteDesktopManagerFree.exe" "*\\\\RemoteDesktopManager.exe" "*\\\\RemoteDesktopManager64.exe" "*\\\\mRemoteNG.exe" "*\\\\mRemote.exe" "*\\\\Terminals.exe" "*\\\\spiceworks\\-finder.exe" "*\\\\FSDiscovery.exe" "*\\\\FSAssessment.exe" "*\\\\MobaRTE.exe" "*\\\\chrome.exe" "*\\\\thor.exe" "*\\\\thor64.exe")))
((EventID:"3" AND DestinationPort:"3389" AND Initiated:"true") AND (NOT (Image.keyword:(*\\\\mstsc.exe *\\\\RTSApp.exe *\\\\RTS2App.exe *\\\\RDCMan.exe *\\\\ws_TunnelService.exe *\\\\RSSensor.exe *\\\\RemoteDesktopManagerFree.exe *\\\\RemoteDesktopManager.exe *\\\\RemoteDesktopManager64.exe *\\\\mRemoteNG.exe *\\\\mRemote.exe *\\\\Terminals.exe *\\\\spiceworks\\-finder.exe *\\\\FSDiscovery.exe *\\\\FSAssessment.exe *\\\\MobaRTE.exe *\\\\chrome.exe *\\\\thor.exe *\\\\thor64.exe))))
```
### splunk
```
((EventID="3" DestinationPort="3389") NOT ((Image="*\\\\mstsc.exe" OR Image="*\\\\RTSApp.exe" OR Image="*\\\\RTS2App.exe" OR Image="*\\\\RDCMan.exe" OR Image="*\\\\ws_TunnelService.exe" OR Image="*\\\\RSSensor.exe" OR Image="*\\\\RemoteDesktopManagerFree.exe" OR Image="*\\\\RemoteDesktopManager.exe" OR Image="*\\\\RemoteDesktopManager64.exe" OR Image="*\\\\mRemoteNG.exe" OR Image="*\\\\mRemote.exe" OR Image="*\\\\Terminals.exe" OR Image="*\\\\spiceworks-finder.exe" OR Image="*\\\\FSDiscovery.exe" OR Image="*\\\\FSAssessment.exe" OR Image="*\\\\MobaRTE.exe" OR Image="*\\\\chrome.exe" OR Image="*\\\\thor.exe" OR Image="*\\\\thor64.exe")))
((EventID="3" DestinationPort="3389" Initiated="true") NOT ((Image="*\\\\mstsc.exe" OR Image="*\\\\RTSApp.exe" OR Image="*\\\\RTS2App.exe" OR Image="*\\\\RDCMan.exe" OR Image="*\\\\ws_TunnelService.exe" OR Image="*\\\\RSSensor.exe" OR Image="*\\\\RemoteDesktopManagerFree.exe" OR Image="*\\\\RemoteDesktopManager.exe" OR Image="*\\\\RemoteDesktopManager64.exe" OR Image="*\\\\mRemoteNG.exe" OR Image="*\\\\mRemote.exe" OR Image="*\\\\Terminals.exe" OR Image="*\\\\spiceworks-finder.exe" OR Image="*\\\\FSDiscovery.exe" OR Image="*\\\\FSAssessment.exe" OR Image="*\\\\MobaRTE.exe" OR Image="*\\\\chrome.exe" OR Image="*\\\\thor.exe" OR Image="*\\\\thor64.exe")))
```
### logpoint
```
((EventID="3" DestinationPort="3389") -(Image IN ["*\\\\mstsc.exe", "*\\\\RTSApp.exe", "*\\\\RTS2App.exe", "*\\\\RDCMan.exe", "*\\\\ws_TunnelService.exe", "*\\\\RSSensor.exe", "*\\\\RemoteDesktopManagerFree.exe", "*\\\\RemoteDesktopManager.exe", "*\\\\RemoteDesktopManager64.exe", "*\\\\mRemoteNG.exe", "*\\\\mRemote.exe", "*\\\\Terminals.exe", "*\\\\spiceworks-finder.exe", "*\\\\FSDiscovery.exe", "*\\\\FSAssessment.exe", "*\\\\MobaRTE.exe", "*\\\\chrome.exe", "*\\\\thor.exe", "*\\\\thor64.exe"]))
((event_id="3" DestinationPort="3389" Initiated="true") -(Image IN ["*\\\\mstsc.exe", "*\\\\RTSApp.exe", "*\\\\RTS2App.exe", "*\\\\RDCMan.exe", "*\\\\ws_TunnelService.exe", "*\\\\RSSensor.exe", "*\\\\RemoteDesktopManagerFree.exe", "*\\\\RemoteDesktopManager.exe", "*\\\\RemoteDesktopManager64.exe", "*\\\\mRemoteNG.exe", "*\\\\mRemote.exe", "*\\\\Terminals.exe", "*\\\\spiceworks-finder.exe", "*\\\\FSDiscovery.exe", "*\\\\FSAssessment.exe", "*\\\\MobaRTE.exe", "*\\\\chrome.exe", "*\\\\thor.exe", "*\\\\thor64.exe"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*3389)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\mstsc\\.exe|.*.*\\RTSApp\\.exe|.*.*\\RTS2App\\.exe|.*.*\\RDCMan\\.exe|.*.*\\ws_TunnelService\\.exe|.*.*\\RSSensor\\.exe|.*.*\\RemoteDesktopManagerFree\\.exe|.*.*\\RemoteDesktopManager\\.exe|.*.*\\RemoteDesktopManager64\\.exe|.*.*\\mRemoteNG\\.exe|.*.*\\mRemote\\.exe|.*.*\\Terminals\\.exe|.*.*\\spiceworks-finder\\.exe|.*.*\\FSDiscovery\\.exe|.*.*\\FSAssessment\\.exe|.*.*\\MobaRTE\\.exe|.*.*\\chrome\\.exe|.*.*\\thor\\.exe|.*.*\\thor64\\.exe))))))'
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*3389)(?=.*true)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\mstsc\\.exe|.*.*\\RTSApp\\.exe|.*.*\\RTS2App\\.exe|.*.*\\RDCMan\\.exe|.*.*\\ws_TunnelService\\.exe|.*.*\\RSSensor\\.exe|.*.*\\RemoteDesktopManagerFree\\.exe|.*.*\\RemoteDesktopManager\\.exe|.*.*\\RemoteDesktopManager64\\.exe|.*.*\\mRemoteNG\\.exe|.*.*\\mRemote\\.exe|.*.*\\Terminals\\.exe|.*.*\\spiceworks-finder\\.exe|.*.*\\FSDiscovery\\.exe|.*.*\\FSAssessment\\.exe|.*.*\\MobaRTE\\.exe|.*.*\\chrome\\.exe|.*.*\\thor\\.exe|.*.*\\thor64\\.exe))))))'
```
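Review bot: the grep translation on the last line of this hunk renders the new `Initiated` condition as a bare `(?=.*true)` lookahead, which the string `true` anywhere on the line (any other boolean field) satisfies, so the outbound-only restriction the Sigma change introduces is not actually enforced in the grep output; the es-qs, graylog, splunk and logpoint lines carry it correctly as `Initiated:"true"` / `Initiated="true"`. Treat the grep backend as best-effort for this rule or have the generator anchor the value to its field name.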

View File

@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/](https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/)</li></ul> |
| Author | Florian Roth |
| Other Tags | <ul><li>capec.270</li><li>capec.270</li></ul> |
| Other Tags | <ul><li>capec.270</li></ul> |
## Detection Rules
@ -19,6 +19,7 @@
```
title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: experimental
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder
author: Florian Roth
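Review bot: typo in the description context line, "poiting to a suspicious folder" should read "pointing to a suspicious folder"; as with the other rules, the text propagates into the table and the watcher metadata, so fix it in the source rule.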
@ -76,7 +77,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"13" AND TargetObject:"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" AND Details:("C\\:\\\\Windows\\\\Temp\\\\*" "C\\:\\\\ProgramData\\\\*" "*\\\\AppData\\\\*" "C\\:\\\\$Recycle.bin\\\\*" "C\\:\\\\Temp\\\\*" "C\\:\\\\Users\\\\Public\\\\*" "C\\:\\\\Users\\\\Default\\\\*"))
(EventID:"13" AND TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* C\\:\\\\ProgramData\\\\* *\\\\AppData\\\\* C\\:\\\\$Recycle.bin\\\\* C\\:\\\\Temp\\\\* C\\:\\\\Users\\\\Public\\\\* C\\:\\\\Users\\\\Default\\\\*))
```
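Review bot: on the graylog line the `TargetObject.keyword:*\\...\\Policies\\Explorer\\Run` pattern ends exactly at `Run` with no trailing wildcard, unlike the sibling RUN-key rule in this commit, which uses `\Run\\*`. Sysmon event 13 reports the full path including the value name under the key, so an exact-tail match on `...\Explorer\Run` would only hit a value literally named `Run`; worth checking against a sample event whether `*\Policies\Explorer\Run\*` is what the source rule intends. The `.keyword` switch itself is consistent with the other graylog updates in the commit.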
@ -90,7 +91,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="13" TargetObject="*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" Details IN ["C:\\\\Windows\\\\Temp\\\\*", "C:\\\\ProgramData\\\\*", "*\\\\AppData\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Temp\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*"])
(event_id="13" TargetObject="*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" Details IN ["C:\\\\Windows\\\\Temp\\\\*", "C:\\\\ProgramData\\\\*", "*\\\\AppData\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Temp\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*"])
```

View File

@ -19,6 +19,7 @@
```
title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
@ -28,6 +29,7 @@ tags:
- attack.persistence
- attack.t1060
date: 2018/25/08
modified: 2019/10/01
logsource:
product: windows
service: sysmon
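Review bot: the `date: 2018/25/08` context line has day and month swapped; every other date in this commit uses YYYY/MM/DD (`modified: 2019/10/01` right below it, `2019/10/16`, `2019/05/15`), so this should be `2018/08/25`. Since the commit adds the `modified` line next to it, this is a cheap fix to fold in.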
@ -38,13 +40,17 @@ detection:
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
Details:
- 'C:\Windows\Temp\\*'
- '*C:\Windows\Temp\\*'
- '*\AppData\\*'
- 'C:\$Recycle.bin\\*'
- 'C:\Temp\\*'
- 'C:\Users\Public\\*'
- 'C:\Users\Default\\*'
- 'C:\Users\Desktop\\*'
- '%AppData%\\*'
- '*C:\$Recycle.bin\\*'
- '*C:\Temp\\*'
- '*C:\Users\Public\\*'
- '%Public%\\*'
- '*C:\Users\Default\\*'
- '*C:\Users\Desktop\\*'
- 'wscript*'
- 'cscript*'
condition: selection
fields:
- Image
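Review bot: `wscript*` and `cscript*` at the end of the Details list are a different kind of match from the rest of this rule: they fire on any Run/RunOnce value that starts with a script host regardless of folder, which the title ("Pointing to Suspicious Folder") and description do not mention and which will catch legitimate logon scripts; either move them into a separate selection or rule, or update the description and falsepositives to cover them. Also `*C:\Users\Desktop\\*` (carried over from the old list) is not a real profile path, since Desktop lives under each user's folder, so `*\Desktop\\*` or `C:\Users\*\Desktop\\*` is likely what was intended. The added leading `*` on the drive-letter patterns makes sense for values that are quoted or prefixed, which the old start-anchored patterns missed.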
@ -61,42 +67,42 @@ level: high
### es-qs
```
(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Temp\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Desktop\\\\*))
(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR %AppData%\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR %Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR wscript* OR cscript*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/New-RUN-Key-Pointing-to-Suspicious-Folder <<EOF\n{\n "metadata": {\n "title": "New RUN Key Pointing to Suspicious Folder",\n "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder",\n "tags": [\n "attack.persistence",\n "attack.t1060"\n ],\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* OR *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\* OR C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR C\\\\:\\\\\\\\Temp\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* OR *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\* OR C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR C\\\\:\\\\\\\\Temp\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": 
"root@localhost",\n "subject": "Sigma Rule \'New RUN Key Pointing to Suspicious Folder\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nImage = {{_source.Image}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/New-RUN-Key-Pointing-to-Suspicious-Folder <<EOF\n{\n "metadata": {\n "title": "New RUN Key Pointing to Suspicious Folder",\n "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder",\n "tags": [\n "attack.persistence",\n "attack.t1060"\n ],\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* OR *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(*C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\* OR %AppData%\\\\\\\\* OR *C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR *C\\\\:\\\\\\\\Temp\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR %Public%\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\* OR wscript* OR cscript*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* OR *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(*C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\* OR %AppData%\\\\\\\\* OR *C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR *C\\\\:\\\\\\\\Temp\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR %Public%\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\* OR wscript* OR cscript*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n 
"condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'New RUN Key Pointing to Suspicious Folder\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nImage = {{_source.Image}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject:("*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*") AND Details:("C\\:\\\\Windows\\\\Temp\\\\*" "*\\\\AppData\\\\*" "C\\:\\\\$Recycle.bin\\\\*" "C\\:\\\\Temp\\\\*" "C\\:\\\\Users\\\\Public\\\\*" "C\\:\\\\Users\\\\Default\\\\*" "C\\:\\\\Users\\\\Desktop\\\\*"))
(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* *\\\\AppData\\\\* %AppData%\\\\* *C\\:\\\\$Recycle.bin\\\\* *C\\:\\\\Temp\\\\* *C\\:\\\\Users\\\\Public\\\\* %Public%\\\\* *C\\:\\\\Users\\\\Default\\\\* *C\\:\\\\Users\\\\Desktop\\\\* wscript* cscript*))
```
### splunk
```
(EventID="13" (TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*") (Details="C:\\\\Windows\\\\Temp\\\\*" OR Details="*\\\\AppData\\\\*" OR Details="C:\\\\$Recycle.bin\\\\*" OR Details="C:\\\\Temp\\\\*" OR Details="C:\\\\Users\\\\Public\\\\*" OR Details="C:\\\\Users\\\\Default\\\\*" OR Details="C:\\\\Users\\\\Desktop\\\\*")) | table Image
(EventID="13" (TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*") (Details="*C:\\\\Windows\\\\Temp\\\\*" OR Details="*\\\\AppData\\\\*" OR Details="%AppData%\\\\*" OR Details="*C:\\\\$Recycle.bin\\\\*" OR Details="*C:\\\\Temp\\\\*" OR Details="*C:\\\\Users\\\\Public\\\\*" OR Details="%Public%\\\\*" OR Details="*C:\\\\Users\\\\Default\\\\*" OR Details="*C:\\\\Users\\\\Desktop\\\\*" OR Details="wscript*" OR Details="cscript*")) | table Image
```
### logpoint
```
(EventID="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*"] Details IN ["C:\\\\Windows\\\\Temp\\\\*", "*\\\\AppData\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Temp\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*", "C:\\\\Users\\\\Desktop\\\\*"])
(event_id="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*"] Details IN ["*C:\\\\Windows\\\\Temp\\\\*", "*\\\\AppData\\\\*", "%AppData%\\\\*", "*C:\\\\$Recycle.bin\\\\*", "*C:\\\\Temp\\\\*", "*C:\\\\Users\\\\Public\\\\*", "%Public%\\\\*", "*C:\\\\Users\\\\Default\\\\*", "*C:\\\\Users\\\\Desktop\\\\*", "wscript*", "cscript*"])
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\.*|.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\.*))(?=.*(?:.*C:\\Windows\\Temp\\\\.*|.*.*\\AppData\\\\.*|.*C:\\\\$Recycle\\.bin\\\\.*|.*C:\\Temp\\\\.*|.*C:\\Users\\Public\\\\.*|.*C:\\Users\\Default\\\\.*|.*C:\\Users\\Desktop\\\\.*)))'
grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\.*|.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\.*))(?=.*(?:.*.*C:\\Windows\\Temp\\\\.*|.*.*\\AppData\\\\.*|.*%AppData%\\\\.*|.*.*C:\\\\$Recycle\\.bin\\\\.*|.*.*C:\\Temp\\\\.*|.*.*C:\\Users\\Public\\\\.*|.*%Public%\\\\.*|.*.*C:\\Users\\Default\\\\.*|.*.*C:\\Users\\Desktop\\\\.*|.*wscript.*|.*cscript.*)))'
```
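Review bot: the watcher email body in both the old and new curl lines joins the Image value straight onto the separator (`Image = {{_source.Image}}=====...`), with no `\\n` between them the way the other watchers in this commit have after `{{_source}}`; a `\\n` before the `====` run keeps each hit on its own lines. This predates the commit but the file is regenerated output, so the fix belongs in the generator template used for rules that declare `fields`. The updated es-qs, graylog, splunk and logpoint lines all carry the new `%AppData%`, `%Public%`, `wscript*` and `cscript*` entries consistently; the grep line again matches those strings anywhere on the input line, not only in Details.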

View File

@ -0,0 +1,98 @@
| Title | Suspicious Keyboard Layout Load |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | medium |
| False Positives | <ul><li>Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)</li></ul> |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index](https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index)</li><li>[https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files](https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth
date: 2019/10/12
modified: 2019/10/15
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
selection_registry:
EventID: 13
TargetObject:
- '*\Keyboard Layout\Preload\*'
- '*\Keyboard Layout\Substitutes\*'
Details:
- 00000429 # Persian (Iran)
- 00050429 # Persian (Iran)
- 0000042a # Vietnamese
condition: selection_registry
falsepositives:
- "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium
```
### es-qs
```
(EventID:"13" AND TargetObject.keyword:(*\\\\Keyboard\\ Layout\\\\Preload\\* OR *\\\\Keyboard\\ Layout\\\\Substitutes\\*) AND Details:("00000429" OR "00050429" OR "0000042a"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Keyboard-Layout-Load <<EOF\n{\n "metadata": {\n "title": "Suspicious Keyboard Layout Load",\n "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only",\n "tags": "",\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\Keyboard\\\\ Layout\\\\\\\\Preload\\\\* OR *\\\\\\\\Keyboard\\\\ Layout\\\\\\\\Substitutes\\\\*) AND Details:(\\"00000429\\" OR \\"00050429\\" OR \\"0000042a\\"))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\Keyboard\\\\ Layout\\\\\\\\Preload\\\\* OR *\\\\\\\\Keyboard\\\\ Layout\\\\\\\\Substitutes\\\\*) AND Details:(\\"00000429\\" OR \\"00050429\\" OR \\"0000042a\\"))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious Keyboard Layout Load\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject.keyword:(*\\\\Keyboard Layout\\\\Preload\\* *\\\\Keyboard Layout\\\\Substitutes\\*) AND Details:("00000429" "00050429" "0000042a"))
```
### splunk
```
(EventID="13" (TargetObject="*\\\\Keyboard Layout\\\\Preload\\*" OR TargetObject="*\\\\Keyboard Layout\\\\Substitutes\\*") (Details="00000429" OR Details="00050429" OR Details="0000042a"))
```
### logpoint
```
(event_id="13" TargetObject IN ["*\\\\Keyboard Layout\\\\Preload\\*", "*\\\\Keyboard Layout\\\\Substitutes\\*"] Details IN ["00000429", "00050429", "0000042a"])
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\Keyboard Layout\\Preload\\.*|.*.*\\Keyboard Layout\\Substitutes\\.*))(?=.*(?:.*00000429|.*00050429|.*0000042a)))'
```
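Review bot: the Details list under selection_registry (00000429, 00050429, 0000042a) covers only the Persian (Iran) and Vietnamese layouts, yet the description promises "Chinese, Iranian or Vietnamese"; either add the Chinese layout identifiers that are actually wanted or drop "Chinese" from the description so the rule documents what it matches. In the logsource definition, "\Keyboard Layout\Preload subkey of the HKLU hives" should read HKCU (HKEY_CURRENT_USER, as in the first reference URL); HKLU is not a hive. Minor: the rule carries no status field and no ATT&CK tags, which is why the table above shows the "wasn't mapped" and "wasn't defined" rows.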

View File

@ -0,0 +1,107 @@
| Title | Svchost DLL Search Order Hijack |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li><li>[T1038: DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038)</li><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li></ul> |
| Data Needed | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li><li>[T1038: DLL Search Order Hijacking](../Triggers/T1038.md)</li><li>[T1112: Modify Registry](../Triggers/T1112.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Pentest</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992](https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992)</li></ul> |
| Author | SBousseaden |
## Detection Rules
### Sigma rule
```
title: Svchost DLL Search Order Hijack
id: 602a1f13-c640-4d73-b053-be9a2fa58b77
status: experimental
description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their
malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a
remote machine.
references:
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
author: SBousseaden
date: 2019/10/28
tags:
- attack.persistence
- attack.defense_evasion
- attack.t1073
- attack.t1038
- attack.t1112
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\svchost.exe'
ImageLoaded:
- '*\tsmsisrv.dll'
- '*\tsvipsrv.dll'
- '*\wlbsctrl.dll'
filter:
EventID: 7
Image:
- '*\svchost.exe'
ImageLoaded:
- 'C:\Windows\WinSxS\*'
condition: selection and not filter
falsepositives:
- Pentest
level: high
```
### es-qs
```
((EventID:"7" AND Image.keyword:(*\\\\svchost.exe) AND ImageLoaded.keyword:(*\\\\tsmsisrv.dll OR *\\\\tsvipsrv.dll OR *\\\\wlbsctrl.dll)) AND (NOT (EventID:"7" AND Image.keyword:(*\\\\svchost.exe) AND ImageLoaded:("C\\:\\\\Windows\\\\WinSxS\\*"))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Svchost-DLL-Search-Order-Hijack <<EOF\n{\n "metadata": {\n "title": "Svchost DLL Search Order Hijack",\n "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\\\Windows\\\\System32\\\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \\"svchost.exe -k netsvcs\\" to gain code execution on a remote machine.",\n "tags": [\n "attack.persistence",\n "attack.defense_evasion",\n "attack.t1073",\n "attack.t1038",\n "attack.t1112"\n ],\n "query": "((EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\svchost.exe) AND ImageLoaded.keyword:(*\\\\\\\\tsmsisrv.dll OR *\\\\\\\\tsvipsrv.dll OR *\\\\\\\\wlbsctrl.dll)) AND (NOT (EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\svchost.exe) AND ImageLoaded:(\\"C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\*\\"))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\svchost.exe) AND ImageLoaded.keyword:(*\\\\\\\\tsmsisrv.dll OR *\\\\\\\\tsvipsrv.dll OR *\\\\\\\\wlbsctrl.dll)) AND (NOT (EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\svchost.exe) AND ImageLoaded:(\\"C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\*\\"))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Svchost DLL Search Order Hijack\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"7" AND Image.keyword:(*\\\\svchost.exe) AND ImageLoaded.keyword:(*\\\\tsmsisrv.dll *\\\\tsvipsrv.dll *\\\\wlbsctrl.dll)) AND (NOT (EventID:"7" AND Image.keyword:(*\\\\svchost.exe) AND ImageLoaded:("C\\:\\\\Windows\\\\WinSxS\\*"))))
```
### splunk
```
((EventID="7" (Image="*\\\\svchost.exe") (ImageLoaded="*\\\\tsmsisrv.dll" OR ImageLoaded="*\\\\tsvipsrv.dll" OR ImageLoaded="*\\\\wlbsctrl.dll")) NOT (EventID="7" (Image="*\\\\svchost.exe") (ImageLoaded="C:\\\\Windows\\\\WinSxS\\*")))
```
### logpoint
```
((event_id="7" Image IN ["*\\\\svchost.exe"] ImageLoaded IN ["*\\\\tsmsisrv.dll", "*\\\\tsvipsrv.dll", "*\\\\wlbsctrl.dll"]) -(event_id="7" Image IN ["*\\\\svchost.exe"] ImageLoaded IN ["C:\\\\Windows\\\\WinSxS\\*"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*7)(?=.*(?:.*.*\\svchost\\.exe))(?=.*(?:.*.*\\tsmsisrv\\.dll|.*.*\\tsvipsrv\\.dll|.*.*\\wlbsctrl\\.dll))))(?=.*(?!.*(?:.*(?=.*7)(?=.*(?:.*.*\\svchost\\.exe))(?=.*(?:.*C:\\Windows\\WinSxS\\.*))))))'
```
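Review bot: the description starts mid-sentence ("IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist ..."), apparently lifted from the referenced SpecterOps post; it should state the detection first, e.g. "Detects svchost.exe loading wlbsctrl.dll, tsmsisrv.dll or tsvipsrv.dll from a location other than WinSxS; the IKEEXT and SessionEnv services try to load these DLLs although they do not exist in System32 by default." In the detection block the filter repeats EventID: 7 and Image: '*\svchost.exe' although the condition is "selection and not filter" and both fields are already fixed by selection; a filter holding only ImageLoaded: 'C:\Windows\WinSxS\*' says the same thing and is easier to read. "Pentest" under falsepositives does not name a benign source; either describe the real one (a product legitimately shipping one of these DLLs under a different path) or use "Unknown".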

View File

@ -18,11 +18,11 @@
### Sigma rule
```
---
action: global
title: Usage of Sysinternals Tools
title: Usage of Sysinternals Tools
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
references:
- https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28
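Review bot: whitespace-only hunk (trailing spaces stripped from the title and description lines), nothing to change there; while here, the description "due to accepteula key being added to Registry" names the command-line switch rather than the registry value: the registry branch matches TargetObject '*\EulaAccepted' and the process branch matches CommandLine '* -accepteula*', so "due to the EulaAccepted registry value being written or the -accepteula switch being passed" would describe both branches accurately.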
@ -71,7 +71,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"13" AND TargetObject:"*\\\\EulaAccepted")\nCommandLine:"* \\-accepteula*"
(EventID:"13" AND TargetObject.keyword:*\\\\EulaAccepted)\nCommandLine.keyword:* \\-accepteula*
```
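Review bot: the second query on the new graylog line, CommandLine.keyword:* \\-accepteula*, carries no EventID constraint, while the logpoint output for the same rule in the next hunk scopes it with event_id="1"; most likely the process_creation logsource was converted without a config mapping it to an event ID, so on graylog any event type that has a CommandLine field will match. Regenerate the graylog form with the same Sysmon EventID 1 scope. Also note that the two queries joined by a literal \n are the two alternatives of the action: global multi-document rule and are meant to be OR'd, which the single-line rendering does not make obvious.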
@ -85,7 +85,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="13" TargetObject="*\\\\EulaAccepted")\nCommandLine="* -accepteula*"
(event_id="13" TargetObject="*\\\\EulaAccepted")\n(event_id="1" CommandLine="* -accepteula*")
```

View File

@ -18,7 +18,8 @@
### Sigma rule
```
title: Hijack legit RDP session to move laterally
title: Hijack legit RDP session to move laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: experimental
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
date: 2019/02/21
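Review bot: status: experimental is added but the rule keeps date: 2019/02/21 with no modified: field; the keyboard layout and webshell rules in this same commit track edits with modified:, so add one here as well so consumers can tell the rule content changed. The remaining lines of the hunk only strip trailing whitespace from the title.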
@ -59,7 +60,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"11" AND Image:"*\\\\mstsc.exe" AND TargetFileName:"*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*")
(EventID:"11" AND Image.keyword:*\\\\mstsc.exe AND TargetFileName.keyword:*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*)
```
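Review bot: the field name TargetFileName (capital N) on both the old and the new graylog line does not match the Sysmon EventID 11 field, which is TargetFilename; the webshell rule added later in this commit uses TargetFilename. Field names are case-sensitive in the index, so TargetFileName.keyword resolves to nothing against data ingested with Sysmon's own names and the query silently returns no hits. Fix the field name in the Sigma rule so every backend output (graylog, logpoint below, and the others) picks it up.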
@ -73,7 +74,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="11" Image="*\\\\mstsc.exe" TargetFileName="*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*")
(event_id="11" Image="*\\\\mstsc.exe" TargetFileName="*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*")
```

View File

@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)</li><li>[https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100](https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100)</li></ul> |
| Author | Florian Roth |
| Other Tags | <ul><li>car.2019-04-001</li><li>car.2019-04-001</li></ul> |
| Other Tags | <ul><li>car.2019-04-001</li></ul> |
## Detection Rules
@ -19,6 +19,7 @@
```
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: experimental
description: Detects UAC bypass method using Windows event viewer
references:
@ -72,7 +73,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
((EventID:"13" AND TargetObject:"HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((EventID:"1" AND ParentImage:"*\\\\eventvwr.exe") AND NOT (Image:"*\\\\mmc.exe")))
((EventID:"13" AND TargetObject.keyword:HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command) OR ((EventID:"1" AND ParentImage.keyword:*\\\\eventvwr.exe) AND (NOT (Image.keyword:*\\\\mmc.exe))))
```
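Review bot: the pattern TargetObject.keyword:HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command is anchored on the HKEY_USERS\ prefix, but Sysmon EventID 13 writes the hive in abbreviated form (HKU\<SID>\..., HKLM\..., HKCR\...), so unless the ingestion pipeline rewrites the prefix the anchored pattern never matches. A leading wildcard, '*\mscfile\shell\open\command', as the keyboard layout and registry persistence rules in this commit already use, is the safer form; the sdclt rule below has the same anchoring.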
@ -86,7 +87,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
((EventID="13" TargetObject="HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((EventID="1" ParentImage="*\\\\eventvwr.exe") -(Image="*\\\\mmc.exe")))
((event_id="13" TargetObject="HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((event_id="1" ParentImage="*\\\\eventvwr.exe") -(Image="*\\\\mmc.exe")))
```

View File

@ -11,7 +11,7 @@
| Development Status | experimental |
| References | <ul><li>[https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/](https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/)</li></ul> |
| Author | Omer Yampel |
| Other Tags | <ul><li>car.2019-04-001</li><li>car.2019-04-001</li></ul> |
| Other Tags | <ul><li>car.2019-04-001</li></ul> |
## Detection Rules
@ -19,6 +19,7 @@
```
title: UAC Bypass via sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
@ -65,7 +66,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"13" AND TargetObject:"HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
(EventID:"13" AND TargetObject.keyword:HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand)
```
@ -79,7 +80,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="13" TargetObject="HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
(event_id="13" TargetObject="HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
```

View File

@ -0,0 +1,115 @@
| Title | Windows webshell creation |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Posible webshell file creation on a static web site |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Legitimate administrator or developer creating legitimate executable files in a web application folder</li></ul> |
| Development Status | experimental |
| References | <ul><li>[PT ESC rule and personal experience](PT ESC rule and personal experience)</li></ul> |
| Author | Beyu Denis, oscd.community |
## Detection Rules
### Sigma rule
```
title: Windows webshell creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: experimental
description: Posible webshell file creation on a static web site
references:
- PT ESC rule and personal experience
author: Beyu Denis, oscd.community
date: 2019/10/22
modified: 2019/11/04
tags:
- attack.persistence
- attack.t1100
level: critical
logsource:
product: windows
service: sysmon
detection:
selection_1:
EventID: 11
selection_2:
TargetFilename|contains: '\inetpub\wwwroot\'
selection_3:
TargetFilename|contains:
- '.asp'
- '.ashx'
- '.ph'
selection_4:
TargetFilename|contains:
- '\www\'
- '\htdocs\'
- '\html\'
selection_5:
TargetFilename|contains: '.ph'
selection_6:
- TargetFilename|contains|all:
- '\'
- '.jsp'
- TargetFilename|contains|all:
- '\cgi-bin\'
- '.pl'
condition: selection_1 and ( selection_2 and selection_3 ) or
selection_1 and ( selection_4 and selection_5 ) or
selection_1 and selection_6
falsepositives:
- Legitimate administrator or developer creating legitimate executable files in a web application folder
```
### es-qs
```
(EventID:"11" AND ((TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\www\\* OR *\\\\htdocs\\* OR *\\\\html\\*) AND TargetFilename.keyword:*.ph*) OR (TargetFilename.keyword:*\\* AND TargetFilename.keyword:*.jsp*) OR (TargetFilename.keyword:*\\\\cgi\\-bin\\* AND TargetFilename.keyword:*.pl*)))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Windows-webshell-creation <<EOF\n{\n "metadata": {\n "title": "Windows webshell creation",\n "description": "Posible webshell file creation on a static web site",\n "tags": [\n "attack.persistence",\n "attack.t1100"\n ],\n "query": "(EventID:\\"11\\" AND ((TargetFilename.keyword:*\\\\\\\\inetpub\\\\\\\\wwwroot\\\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\\\\\www\\\\* OR *\\\\\\\\htdocs\\\\* OR *\\\\\\\\html\\\\*) AND TargetFilename.keyword:*.ph*) OR (TargetFilename.keyword:*\\\\* AND TargetFilename.keyword:*.jsp*) OR (TargetFilename.keyword:*\\\\\\\\cgi\\\\-bin\\\\* AND TargetFilename.keyword:*.pl*)))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"11\\" AND ((TargetFilename.keyword:*\\\\\\\\inetpub\\\\\\\\wwwroot\\\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\\\\\www\\\\* OR *\\\\\\\\htdocs\\\\* OR *\\\\\\\\html\\\\*) AND TargetFilename.keyword:*.ph*) OR (TargetFilename.keyword:*\\\\* AND TargetFilename.keyword:*.jsp*) OR (TargetFilename.keyword:*\\\\\\\\cgi\\\\-bin\\\\* AND TargetFilename.keyword:*.pl*)))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Windows webshell creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": 
"json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"11" AND ((TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND TargetFilename.keyword:(*.asp* *.ashx* *.ph*)) OR (TargetFilename.keyword:(*\\\\www\\* *\\\\htdocs\\* *\\\\html\\*) AND TargetFilename.keyword:*.ph*) OR (TargetFilename.keyword:*\\* AND TargetFilename.keyword:*.jsp*) OR (TargetFilename.keyword:*\\\\cgi\\-bin\\* AND TargetFilename.keyword:*.pl*)))
```
### splunk
```
(EventID="11" ((TargetFilename="*\\\\inetpub\\\\wwwroot\\*" (TargetFilename="*.asp*" OR TargetFilename="*.ashx*" OR TargetFilename="*.ph*")) OR ((TargetFilename="*\\\\www\\*" OR TargetFilename="*\\\\htdocs\\*" OR TargetFilename="*\\\\html\\*") TargetFilename="*.ph*") OR (TargetFilename="*\\*" TargetFilename="*.jsp*") OR (TargetFilename="*\\\\cgi-bin\\*" TargetFilename="*.pl*")))
```
### logpoint
```
(event_id="11" ((TargetFilename="*\\\\inetpub\\\\wwwroot\\*" TargetFilename IN ["*.asp*", "*.ashx*", "*.ph*"]) OR (TargetFilename IN ["*\\\\www\\*", "*\\\\htdocs\\*", "*\\\\html\\*"] TargetFilename="*.ph*") OR (TargetFilename="*\\*" TargetFilename="*.jsp*") OR (TargetFilename="*\\\\cgi-bin\\*" TargetFilename="*.pl*")))
```
### grep
```
grep -P '^(?:.*(?=.*11)(?=.*(?:.*(?:.*(?:.*(?=.*.*\\inetpub\\wwwroot\\.*)(?=.*(?:.*.*\\.asp.*|.*.*\\.ashx.*|.*.*\\.ph.*)))|.*(?:.*(?=.*(?:.*.*\\www\\.*|.*.*\\htdocs\\.*|.*.*\\html\\.*))(?=.*.*\\.ph.*))|.*(?:.*(?=.*.*\\.*)(?=.*.*\\.jsp.*))|.*(?:.*(?=.*.*\\cgi-bin\\.*)(?=.*.*\\.pl.*))))))'
```
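Review bot: in selection_6 the first branch is TargetFilename|contains|all: ['\', '.jsp']; the '\' clause is true for every Windows path (the es-qs output renders it as TargetFilename.keyword:*\\*), so the branch collapses to "any file whose name contains .jsp, created anywhere on disk", raised at level critical. If a directory was intended, name it; otherwise drop the clause and tighten the extension match. The other branches share the looseness: contains '.ph' also hits names like report.photo.png, contains '.asp' hits '.aspect', and '\html\' matches any folder called html. Using |endswith with an explicit extension list (.php, .phtml, .asp, .aspx, .ashx, .jsp, .jspx, .pl) keeps the IIS and Apache coverage without the noise. Also: "Posible" in the description should be "Possible", and the reference "PT ESC rule and personal experience" is not a URL, so the generated table renders it as a broken link; keep references to URLs and put free-text provenance in the description.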

View File

@ -19,6 +19,7 @@
```
title: Microsoft Binary Github Communication
id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
status: experimental
description: Detects an executable in the Windows folder accessing github.com
references:
@ -34,6 +35,7 @@ logsource:
detection:
selection:
EventID: 3
Initiated: 'true'
DestinationHostname:
- '*.github.com'
- '*.githubusercontent.com'
@ -54,42 +56,42 @@ level: high
### es-qs
```
(EventID:"3" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
(EventID:"3" AND Initiated:"true" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Binary-Github-Communication <<EOF\n{\n "metadata": {\n "title": "Microsoft Binary Github Communication",\n "description": "Detects an executable in the Windows folder accessing github.com",\n "tags": [\n "attack.lateral_movement",\n "attack.t1105"\n ],\n "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Microsoft Binary Github Communication\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Binary-Github-Communication <<EOF\n{\n "metadata": {\n "title": "Microsoft Binary Github Communication",\n "description": "Detects an executable in the Windows folder accessing github.com",\n "tags": [\n "attack.lateral_movement",\n "attack.t1105"\n ],\n "query": "(EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Microsoft Binary Github Communication\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"3" AND DestinationHostname:("*.github.com" "*.githubusercontent.com") AND Image:"C\\:\\\\Windows\\\\*")
(EventID:"3" AND Initiated:"true" AND DestinationHostname.keyword:(*.github.com *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
```
### splunk
```
(EventID="3" (DestinationHostname="*.github.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
(EventID="3" Initiated="true" (DestinationHostname="*.github.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
```
### logpoint
```
(EventID="3" DestinationHostname IN ["*.github.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
(event_id="3" Initiated="true" DestinationHostname IN ["*.github.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
```
### grep
```
grep -P '^(?:.*(?=.*3)(?=.*(?:.*.*\\.github\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
grep -P '^(?:.*(?=.*3)(?=.*true)(?=.*(?:.*.*\\.github\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
```
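Review bot: the Image.keyword:C\\:\\\\Windows\\\\* clause kept in every updated query covers all subfolders of C:\Windows, including user-writable ones such as C:\Windows\Temp and C:\Windows\Tasks, so the "Microsoft Binary" in the title is not guaranteed by the match; either exclude those paths with a filter or reword the title and description to "executable under C:\Windows". The new Initiated:"true" clause is the right scope (outbound connections only) and the description should say so. In the grep output the added (?=.*true) lookahead matches the bare word true anywhere in the line, so the grep form does not really gain the outbound restriction; acceptable for a best-effort backend, but worth knowing before relying on it.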

View File

@ -19,6 +19,7 @@
```
title: Microsoft Binary Suspicious Communication Endpoint
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
status: experimental
description: Detects an executable in the Windows folder accessing suspicious domains
references:
@ -35,6 +36,7 @@ logsource:
detection:
selection:
EventID: 3
Initiated: 'true'
DestinationHostname:
- '*dl.dropboxusercontent.com'
- '*.pastebin.com'
@ -55,42 +57,42 @@ level: high
### es-qs
```
(EventID:"3" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
(EventID:"3" AND Initiated:"true" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Binary-Suspicious-Communication-Endpoint <<EOF\n{\n "metadata": {\n "title": "Microsoft Binary Suspicious Communication Endpoint",\n "description": "Detects an executable in the Windows folder accessing suspicious domains",\n "tags": [\n "attack.lateral_movement",\n "attack.t1105"\n ],\n "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Microsoft Binary Suspicious Communication Endpoint\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Binary-Suspicious-Communication-Endpoint <<EOF\n{\n "metadata": {\n "title": "Microsoft Binary Suspicious Communication Endpoint",\n "description": "Detects an executable in the Windows folder accessing suspicious domains",\n "tags": [\n "attack.lateral_movement",\n "attack.t1105"\n ],\n "query": "(EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Microsoft Binary Suspicious Communication Endpoint\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"3" AND DestinationHostname:("*dl.dropboxusercontent.com" "*.pastebin.com" "*.githubusercontent.com") AND Image:"C\\:\\\\Windows\\\\*")
(EventID:"3" AND Initiated:"true" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com *.pastebin.com *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
```
### splunk
```
(EventID="3" (DestinationHostname="*dl.dropboxusercontent.com" OR DestinationHostname="*.pastebin.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
(EventID="3" Initiated="true" (DestinationHostname="*dl.dropboxusercontent.com" OR DestinationHostname="*.pastebin.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
```
### logpoint
```
(EventID="3" DestinationHostname IN ["*dl.dropboxusercontent.com", "*.pastebin.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
(event_id="3" Initiated="true" DestinationHostname IN ["*dl.dropboxusercontent.com", "*.pastebin.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
```
### grep
```
grep -P '^(?:.*(?=.*3)(?=.*(?:.*.*dl\\.dropboxusercontent\\.com|.*.*\\.pastebin\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
grep -P '^(?:.*(?=.*3)(?=.*true)(?=.*(?:.*.*dl\\.dropboxusercontent\\.com|.*.*\\.pastebin\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
```

View File

@ -11,7 +11,7 @@
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/](https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/)</li></ul> |
| Author | Karneades |
| Other Tags | <ul><li>car.2013-01-002</li><li>car.2013-01-002</li></ul> |
| Other Tags | <ul><li>car.2013-01-002</li></ul> |
## Detection Rules
@ -19,22 +19,23 @@
```
title: Registry Persistence Mechanisms
description: Detects persistence registry keys
id: 36803969-5421-41ec-b92f-8500f79c23b0
description: Detects persistence registry keys
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2018/04/11
author: Karneades
logsource:
product: windows
service: sysmon
product: windows
service: sysmon
detection:
selection_reg1:
EventID: 13
TargetObject:
EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
EventType: 'SetValue'
EventType: SetValue
condition: selection_reg1
tags:
- attack.privilege_escalation
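Review bot: the rule header gains an `id:` but still has no `status:` field, while the four WMI rules regenerated in this same commit all gain `status: experimental`; add `status:` here for consistency. Also, since the rendered diff drops indentation, check in the source YAML that the re-emitted `product`/`service` lines stay nested under `logsource:` and `EventID`/`TargetObject`/`EventType` under `selection_reg1:`, because a dedent there would silently change the rule.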
@ -69,7 +70,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"13" AND TargetObject:("*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\GlobalFlag" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess") AND EventType:"SetValue")
(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\GlobalFlag *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess) AND EventType:"SetValue")
```
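Review bot: the new unquoted `TargetObject.keyword:(...)` form at the end of this hunk contains unescaped spaces (`Windows NT`, `Image File Execution Options`), and Graylog's Lucene-based parser splits an unquoted term at whitespace, so each pattern becomes several independent terms instead of one wildcard match; the es-qs backend escapes these as `\\ ` (compare the `*\\ mimikatz\\ *` patterns in the Mimikatz Use hunk further down). The old quoted form was not correct either, since wildcards inside a quoted phrase are taken literally. The graylog backend should escape spaces the way es-qs does; the same applies to the graylog hunks for Suspicious Scripting in a WMI Consumer and Mimikatz Use.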
@ -83,7 +84,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\GlobalFlag", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess"] EventType="SetValue")
(event_id="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\GlobalFlag", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess"] EventType="SetValue")
```

View File

@ -3,7 +3,7 @@
| Description | Detects creation of WMI event subscription persistence method |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](https://attack.mitre.org/techniques/T1084)</li></ul> |
| Data Needed | <ul><li>[DN_0024_21_windows_sysmon_WmiEvent](../Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md)</li><li>[DN_0023_20_windows_sysmon_WmiEvent](../Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md)</li><li>[DN_0022_19_windows_sysmon_WmiEvent](../Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md)</li></ul> |
| Data Needed | <ul><li>[DN_0023_20_windows_sysmon_WmiEvent](../Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md)</li><li>[DN_0024_21_windows_sysmon_WmiEvent](../Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md)</li><li>[DN_0022_19_windows_sysmon_WmiEvent](../Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](../Triggers/T1084.md)</li></ul> |
| Severity Level | high |
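Review bot: this hunk only swaps the order of DN_0024 and DN_0023 in the Data Needed list with no content change, which points to the generator iterating an unordered collection; sorting the list before rendering would keep regeneration commits like this one free of such churn.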
@ -19,6 +19,7 @@
```
title: WMI Event Subscription
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: experimental
description: Detects creation of WMI event subscription persistence method
references:
@ -79,7 +80,7 @@ EventID:("19" "20" "21")
### logpoint
```
EventID IN ["19", "20", "21"]
event_id IN ["19", "20", "21"]
```
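Review bot: after the rename the whole logpoint query is `event_id IN ["19", "20", "21"]` with no `event_source` or other scoping, so it matches those event ids from every log source, not just Sysmon. The security-auditing rules in this commit get `event_source="Microsoft-Windows-Security-Auditing"` prepended; the sysmon-based rules (this one and the `event_id="13"`, `"7"`, `"11"` and `"20"` logpoint hunks) need an equivalent source constraint for the Sysmon channel.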

View File

@ -19,6 +19,7 @@
```
title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: experimental
description: Detects WMI command line event consumers
references:
@ -78,7 +79,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="7" Image="C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe" ImageLoaded="wbemcons.dll")
(event_id="7" Image="C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe" ImageLoaded="wbemcons.dll")
```

View File

@ -19,6 +19,7 @@
```
title: WMI Persistence - Script Event Consumer File Write
id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
status: experimental
description: Detects file writes of WMI script event consumer
references:
@ -77,7 +78,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="11" Image="C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe")
(event_id="11" Image="C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe")
```

View File

@ -19,8 +19,9 @@
```
title: Suspicious Scripting in a WMI Consumer
id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
status: experimental
description: Detects suspicious scripting in WMI Event Consumers
description: Detects suspicious scripting in WMI Event Consumers
author: Florian Roth
references:
- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
@ -77,7 +78,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### graylog
```
(EventID:"20" AND Destination:("*new\\-object system.net.webclient\\).downloadstring\\(*" "*new\\-object system.net.webclient\\).downloadfile\\(*" "*new\\-object net.webclient\\).downloadstring\\(*" "*new\\-object net.webclient\\).downloadfile\\(*" "* iex\\(*" "*WScript.shell*" "* \\-nop *" "* \\-noprofile *" "* \\-decode *" "* \\-enc *"))
(EventID:"20" AND Destination.keyword:(*new\\-object system.net.webclient\\).downloadstring\\(* *new\\-object system.net.webclient\\).downloadfile\\(* *new\\-object net.webclient\\).downloadstring\\(* *new\\-object net.webclient\\).downloadfile\\(* * iex\\(* *WScript.shell* * \\-nop * * \\-noprofile * * \\-decode * * \\-enc *))
```
@ -91,7 +92,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
### logpoint
```
(EventID="20" Destination IN ["*new-object system.net.webclient).downloadstring(*", "*new-object system.net.webclient).downloadfile(*", "*new-object net.webclient).downloadstring(*", "*new-object net.webclient).downloadfile(*", "* iex(*", "*WScript.shell*", "* -nop *", "* -noprofile *", "* -decode *", "* -enc *"])
(event_id="20" Destination IN ["*new-object system.net.webclient).downloadstring(*", "*new-object system.net.webclient).downloadfile(*", "*new-object net.webclient).downloadstring(*", "*new-object net.webclient).downloadfile(*", "* iex(*", "*WScript.shell*", "* -nop *", "* -noprofile *", "* -decode *", "* -enc *"])
```

View File

@ -49,6 +49,27 @@ level: high
### es-qs
```
(EventID:"5145" AND ShareName.keyword:\\\\*\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Persistence-and-Execution-at-scale-via-GPO-scheduled-task <<EOF\n{\n "metadata": {\n "title": "Persistence and Execution at scale via GPO scheduled task",\n "description": "Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale",\n "tags": [\n "attack.persistence",\n "attack.lateral_movement",\n "attack.t1053"\n ],\n "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Persistence and Execution at scale via GPO scheduled task\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"5145" AND ShareName.keyword:\\\\*\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)
```
### splunk
```
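Review bot: the xpack-watcher block is emitted as one line with literal `\n` and `\'` sequences, so pasted as-is the shell sees `\'Content-Type:` and `application/json\'` as two escaped-quote words rather than one `-H` argument, and the heredoc body is a single line of escaped JSON; the generator should write real newlines and quotes here (every xpack-watcher section in this commit has the same problem). The watcher description also carries the typo "ususally" from the source rule's `description:`; fix it in the Sigma rule so all backends pick it up.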
@ -56,4 +77,18 @@ level: high
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\\\*\\\\SYSVOL" RelativeTargetName="*ScheduledTasks.xml" Accesses="*WriteData*")
```
### grep
```
grep -P '^(?:.*(?=.*5145)(?=.*\\\\.*\\SYSVOL)(?=.*.*ScheduledTasks\\.xml)(?=.*.*WriteData.*))'
```

View File

@ -52,6 +52,27 @@ level: critical
### es-qs
```
(EventID:"5136" AND LDAPDisplayName:"ntSecurityDescriptor" AND Value.keyword:(*1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *1131f6aa\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Powerview-Add-DomainObjectAcl-DCSync-AD-Extend-Right <<EOF\n{\n "metadata": {\n "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right",\n "description": "backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer",\n "tags": [\n "attack.credential_access",\n "attack.persistence"\n ],\n "query": "(EventID:\\"5136\\" AND LDAPDisplayName:\\"ntSecurityDescriptor\\" AND Value.keyword:(*1131f6ad\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2* OR *1131f6aa\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"5136\\" AND LDAPDisplayName:\\"ntSecurityDescriptor\\" AND Value.keyword:(*1131f6ad\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2* OR *1131f6aa\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Powerview Add-DomainObjectAcl DCSync AD Extend Right\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"5136" AND LDAPDisplayName:"ntSecurityDescriptor" AND Value.keyword:(*1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* *1131f6aa\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*))
```
### splunk
```
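Review bot: the watcher `tags` list only tactics (`attack.credential_access`, `attack.persistence`) with no technique id, whereas the other rules in this commit carry an `attack.tXXXX` tag (the LSASS rule below tags credential dumping as `attack.t1003`); add the technique tag in the source rule so the metadata and the ATT&CK mapping stay complete.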
@ -59,4 +80,18 @@ level: critical
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="5136" LDAPDisplayName="ntSecurityDescriptor" Value IN ["*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"])
```
### grep
```
grep -P '^(?:.*(?=.*5136)(?=.*ntSecurityDescriptor)(?=.*(?:.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*|.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*)))'
```

View File

@ -60,6 +60,27 @@ level: high
### es-qs
```
(EventID:"4661" AND ObjectType:("SAM_USER" OR "SAM_GROUP") AND ObjectName.keyword:(*\\-512 OR *\\-502 OR *\\-500 OR *\\-505 OR *\\-519 OR *\\-520 OR *\\-544 OR *\\-551 OR *\\-555 OR *admin*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/AD-Privileged-Users-or-Groups-Reconnaissance <<EOF\n{\n "metadata": {\n "title": "AD Privileged Users or Groups Reconnaissance",\n "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs",\n "tags": [\n "attack.discovery",\n "attack.t1087"\n ],\n "query": "(EventID:\\"4661\\" AND ObjectType:(\\"SAM_USER\\" OR \\"SAM_GROUP\\") AND ObjectName.keyword:(*\\\\-512 OR *\\\\-502 OR *\\\\-500 OR *\\\\-505 OR *\\\\-519 OR *\\\\-520 OR *\\\\-544 OR *\\\\-551 OR *\\\\-555 OR *admin*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4661\\" AND ObjectType:(\\"SAM_USER\\" OR \\"SAM_GROUP\\") AND ObjectName.keyword:(*\\\\-512 OR *\\\\-502 OR *\\\\-500 OR *\\\\-505 OR *\\\\-519 OR *\\\\-520 OR *\\\\-544 OR *\\\\-551 OR *\\\\-555 OR *admin*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'AD Privileged Users or Groups Reconnaissance\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4661" AND ObjectType:("SAM_USER" "SAM_GROUP") AND ObjectName.keyword:(*\\-512 *\\-502 *\\-500 *\\-505 *\\-519 *\\-520 *\\-544 *\\-551 *\\-555 *admin*))
```
### splunk
```
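Review bot: the `*admin*` alternative in `ObjectName.keyword:(...)` matches any SAM user or group whose name contains "admin" (helpdesk and service accounts, the built-in Administrators group resolved by ordinary processes), and unlike the `*\\-512`, `*\\-500` and other SID-suffix alternatives it is not tied to a privileged object; at `level: high` this rule will need a tuning note on the `*admin*` term or an exclusion for routine sources of 4661.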
@ -67,4 +88,18 @@ level: high
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="4661" ObjectType IN ["SAM_USER", "SAM_GROUP"] ObjectName IN ["*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555", "*admin*"])
```
### grep
```
grep -P '^(?:.*(?=.*4661)(?=.*(?:.*SAM_USER|.*SAM_GROUP))(?=.*(?:.*.*-512|.*.*-502|.*.*-500|.*.*-505|.*.*-519|.*.*-520|.*.*-544|.*.*-551|.*.*-555|.*.*admin.*)))'
```

View File

@ -50,6 +50,27 @@ level: low
### es-qs
```
(EventID:"4624" AND LogonType:"10" AND AuthenticationPackageName:"Negotiate" AND AccountName.keyword:Admin\\-*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Admin-User-Remote-Logon <<EOF\n{\n "metadata": {\n "title": "Admin User Remote Logon",\n "description": "Detect remote login by Administrator user depending on internal pattern",\n "tags": [\n "attack.lateral_movement",\n "attack.t1078",\n "car.2016-04-005"\n ],\n "query": "(EventID:\\"4624\\" AND LogonType:\\"10\\" AND AuthenticationPackageName:\\"Negotiate\\" AND AccountName.keyword:Admin\\\\-*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4624\\" AND LogonType:\\"10\\" AND AuthenticationPackageName:\\"Negotiate\\" AND AccountName.keyword:Admin\\\\-*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Admin User Remote Logon\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4624" AND LogonType:"10" AND AuthenticationPackageName:"Negotiate" AND AccountName.keyword:Admin\\-*)
```
### splunk
```
@ -57,4 +78,18 @@ level: low
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="10" AuthenticationPackageName="Negotiate" AccountName="Admin-*")
```
### grep
```
grep -P '^(?:.*(?=.*4624)(?=.*10)(?=.*Negotiate)(?=.*Admin-.*))'
```

View File

@ -47,6 +47,27 @@ level: low
### es-qs
```
((EventID:"5140" AND ShareName:"Admin$") AND (NOT (SubjectUserName.keyword:*$)))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Access-to-ADMIN$-Share <<EOF\n{\n "metadata": {\n "title": "Access to ADMIN$ Share",\n "description": "Detects access to $ADMIN share",\n "tags": [\n "attack.lateral_movement",\n "attack.t1077"\n ],\n "query": "((EventID:\\"5140\\" AND ShareName:\\"Admin$\\") AND (NOT (SubjectUserName.keyword:*$)))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"5140\\" AND ShareName:\\"Admin$\\") AND (NOT (SubjectUserName.keyword:*$)))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Access to ADMIN$ Share\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"5140" AND ShareName:"Admin$") AND (NOT (SubjectUserName.keyword:*$)))
```
### splunk
```
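Review bot: `ShareName:"Admin$"` in the es-qs and graylog lines is an exact match, but event 5140 records the share in UNC form (`\\*\ADMIN$`), which is why the 5145 SYSVOL rule in this commit matches `ShareName.keyword:\\\\*\\\\SYSVOL`; as written this query will not hit. The watcher description also says `$ADMIN share` where the title says `ADMIN$`.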
@ -54,4 +75,18 @@ level: low
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" (event_id="5140" ShareName="Admin$") -(SubjectUserName="*$"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*5140)(?=.*Admin\\$)))(?=.*(?!.*(?:.*(?=.*.*\\$)))))'
```

View File

@ -48,6 +48,27 @@ level: high
### es-qs
```
(EventID:"4704" AND Message.keyword:(*SeEnableDelegationPrivilege*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Enabled-User-Right-in-AD-to-Control-User-Objects <<EOF\n{\n "metadata": {\n "title": "Enabled User Right in AD to Control User Objects",\n "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.",\n "tags": [\n "attack.privilege_escalation",\n "attack.t1078"\n ],\n "query": "(EventID:\\"4704\\" AND Message.keyword:(*SeEnableDelegationPrivilege*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4704\\" AND Message.keyword:(*SeEnableDelegationPrivilege*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Enabled User Right in AD to Control User Objects\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4704" AND Message.keyword:(*SeEnableDelegationPrivilege*))
```
### splunk
```
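Review bot: `Message.keyword:(*SeEnableDelegationPrivilege*)` relies on a keyword sub-field of the full event message; under Elasticsearch's default dynamic mapping, string fields get `ignore_above: 256` on `.keyword`, and a 4704 message is far longer than that, so the value is never indexed and the watcher returns nothing. Either query the analyzed field or raise/remove `ignore_above` for `Message` in the index template; the same concern applies to the `Message.keyword` queries in the Weak Encryption and Mimikatz Use hunks.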
@ -55,4 +76,18 @@ level: high
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="4704" Message IN ["*SeEnableDelegationPrivilege*"])
```
### grep
```
grep -P '^(?:.*(?=.*4704)(?=.*(?:.*.*SeEnableDelegationPrivilege.*)))'
```

View File

@ -63,6 +63,27 @@ level: high
### es-qs
```
((((EventID:"4738" AND (NOT ((NOT _exists_:AllowedToDelegateTo) OR (AllowedToDelegateTo:"\\-")))) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\\-AllowedToDelegateTo")) OR (EventID:"5136" AND ObjectClass:"user" AND AttributeLDAPDisplayName:"servicePrincipalName")) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\\-AllowedToActOnBehalfOfOtherIdentity"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Active-Directory-User-Backdoors <<EOF\n{\n "metadata": {\n "title": "Active Directory User Backdoors",\n "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.",\n "tags": [\n "attack.t1098",\n "attack.credential_access",\n "attack.persistence"\n ],\n "query": "((((EventID:\\"4738\\" AND (NOT ((NOT _exists_:AllowedToDelegateTo) OR (AllowedToDelegateTo:\\"\\\\-\\")))) OR (EventID:\\"5136\\" AND AttributeLDAPDisplayName:\\"msDS\\\\-AllowedToDelegateTo\\")) OR (EventID:\\"5136\\" AND ObjectClass:\\"user\\" AND AttributeLDAPDisplayName:\\"servicePrincipalName\\")) OR (EventID:\\"5136\\" AND AttributeLDAPDisplayName:\\"msDS\\\\-AllowedToActOnBehalfOfOtherIdentity\\"))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((((EventID:\\"4738\\" AND (NOT ((NOT _exists_:AllowedToDelegateTo) OR (AllowedToDelegateTo:\\"\\\\-\\")))) OR (EventID:\\"5136\\" AND AttributeLDAPDisplayName:\\"msDS\\\\-AllowedToDelegateTo\\")) OR (EventID:\\"5136\\" AND ObjectClass:\\"user\\" AND AttributeLDAPDisplayName:\\"servicePrincipalName\\")) OR (EventID:\\"5136\\" AND AttributeLDAPDisplayName:\\"msDS\\\\-AllowedToActOnBehalfOfOtherIdentity\\"))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Active Directory User Backdoors\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((((EventID:"4738" AND (NOT ((NOT _exists_:AllowedToDelegateTo) OR (AllowedToDelegateTo:"\\-")))) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\\-AllowedToDelegateTo")) OR (EventID:"5136" AND ObjectClass:"user" AND AttributeLDAPDisplayName:"servicePrincipalName")) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\\-AllowedToActOnBehalfOfOtherIdentity"))
```
### splunk
```
@ -70,4 +91,18 @@ level: high
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" ((((event_source="Microsoft-Windows-Security-Auditing" event_id="4738" -((-AllowedToDelegateTo=*) OR (AllowedToDelegateTo="-"))) OR (event_id="5136" AttributeLDAPDisplayName="msDS-AllowedToDelegateTo")) OR (event_id="5136" ObjectClass="user" AttributeLDAPDisplayName="servicePrincipalName")) OR (event_id="5136" AttributeLDAPDisplayName="msDS-AllowedToActOnBehalfOfOtherIdentity")))
```
### grep
```
grep -P '^(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?=.*4738)(?=.*(?!.*(?:.*(?:.*(?:.*(?=.*(?!AllowedToDelegateTo)))|.*(?:.*(?=.*-)))))))|.*(?:.*(?=.*5136)(?=.*msDS-AllowedToDelegateTo))))|.*(?:.*(?=.*5136)(?=.*user)(?=.*servicePrincipalName))))|.*(?:.*(?=.*5136)(?=.*msDS-AllowedToActOnBehalfOfOtherIdentity))))'
```
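Review bot: the grep translation of the 4738 branch is dead. Its inner test `(?=.*(?!AllowedToDelegateTo))` is satisfiable at any position (the `.*` runs to end of line, where the negative lookahead succeeds), so the surrounding `(?!.*(?: ... ))` fails everywhere and the 4738 alternative can never match; the `(?=.*user)` and `(?=.*-)` tests in the other branches match almost any line. The grep backend cannot express `exists`/null conditions, so this section should be omitted or clearly flagged for such rules. Minor: the logpoint line repeats `event_source="Microsoft-Windows-Security-Auditing"` inside the nested 4738 clause.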

View File

@ -54,6 +54,27 @@ level: high
### es-qs
```
(EventID:"4738" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Weak-Encryption-Enabled-and-Kerberoast <<EOF\n{\n "metadata": {\n "title": "Weak Encryption Enabled and Kerberoast",\n "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.",\n "tags": [\n "attack.defense_evasion",\n "attack.t1089"\n ],\n "query": "(EventID:\\"4738\\" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4738\\" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Weak Encryption Enabled and Kerberoast\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4738" AND Message.keyword:(*DES* *Preauth* *Encrypted*) AND Message.keyword:(*Enabled*))
```
### splunk
```
@ -61,4 +82,18 @@ level: high
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="4738" Message IN ["*DES*", "*Preauth*", "*Encrypted*"] Message IN ["*Enabled*"])
```
### grep
```
grep -P '^(?:.*(?=.*4738)(?=.*(?:.*.*DES.*|.*.*Preauth.*|.*.*Encrypted.*))(?=.*(?:.*.*Enabled.*)))'
```

View File

@ -49,6 +49,27 @@ level: high
### es-qs
```
(EventID:"1121" AND Path.keyword:*\\\\lsass.exe)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/LSASS-Access-Detected-via-Attack-Surface-Reduction <<EOF\n{\n "metadata": {\n "title": "LSASS Access Detected via Attack Surface Reduction",\n "description": "Detects Access to LSASS Process",\n "tags": [\n "attack.credential_access",\n "attack.t1003"\n ],\n "query": "(EventID:\\"1121\\" AND Path.keyword:*\\\\\\\\lsass.exe)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"1121\\" AND Path.keyword:*\\\\\\\\lsass.exe)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'LSASS Access Detected via Attack Surface Reduction\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"1121" AND Path.keyword:*\\\\lsass.exe)
```
### splunk
```
@ -56,4 +77,18 @@ level: high
```
### logpoint
```
(event_id="1121" Path="*\\\\lsass.exe")
```
### grep
```
grep -P '^(?:.*(?=.*1121)(?=.*.*\\lsass\\.exe))'
```

View File

@ -59,6 +59,27 @@ level: critical
### es-qs
```
Message.keyword:(*\\ mimikatz\\ * OR *\\ mimilib\\ * OR *\\ 3\\ eo.oe\\ * OR *\\ eo.oe.kiwi\\ * OR *\\ privilege\\:\\:debug\\ * OR *\\ sekurlsa\\:\\:logonpasswords\\ * OR *\\ lsadump\\:\\:sam\\ * OR *\\ mimidrv.sys\\ * OR *\\ p\\:\\:d\\ * OR *\\ s\\:\\:l\\ *)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Mimikatz-Use <<EOF\n{\n "metadata": {\n "title": "Mimikatz Use",\n "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)",\n "tags": [\n "attack.s0002",\n "attack.t1003",\n "attack.lateral_movement",\n "attack.credential_access",\n "car.2013-07-001",\n "car.2019-04-004"\n ],\n "query": "Message.keyword:(*\\\\ mimikatz\\\\ * OR *\\\\ mimilib\\\\ * OR *\\\\ 3\\\\ eo.oe\\\\ * OR *\\\\ eo.oe.kiwi\\\\ * OR *\\\\ privilege\\\\:\\\\:debug\\\\ * OR *\\\\ sekurlsa\\\\:\\\\:logonpasswords\\\\ * OR *\\\\ lsadump\\\\:\\\\:sam\\\\ * OR *\\\\ mimidrv.sys\\\\ * OR *\\\\ p\\\\:\\\\:d\\\\ * OR *\\\\ s\\\\:\\\\:l\\\\ *)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Message.keyword:(*\\\\ mimikatz\\\\ * OR *\\\\ mimilib\\\\ * OR *\\\\ 3\\\\ eo.oe\\\\ * OR *\\\\ eo.oe.kiwi\\\\ * OR *\\\\ privilege\\\\:\\\\:debug\\\\ * OR *\\\\ sekurlsa\\\\:\\\\:logonpasswords\\\\ * OR *\\\\ lsadump\\\\:\\\\:sam\\\\ * OR *\\\\ mimidrv.sys\\\\ * OR *\\\\ p\\\\:\\\\:d\\\\ * OR *\\\\ s\\\\:\\\\:l\\\\ *)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Mimikatz Use\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n 
}\n}\nEOF\n
```
### graylog
```
Message.keyword:(* mimikatz * * mimilib * * 3 eo.oe * * eo.oe.kiwi * * privilege\\:\\:debug * * sekurlsa\\:\\:logonpasswords * * lsadump\\:\\:sam * * mimidrv.sys * * p\\:\\:d * * s\\:\\:l *)
```
### splunk
```
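Review bot: the es-qs, xpack-watcher and graylog outputs render the `<3 eo.oe` keyword as `*\\ 3\\ eo.oe\\ *` / `* 3 eo.oe *`, dropping the `<` (Lucene cannot escape `<`), which now requires a space immediately before the `3`; the real banner text has `<` there, so this alternative never matches in the Elasticsearch-based queries, while the logpoint and grep lines in the next hunk keep `<3 eo.oe`. Dropping the leading space along with the `<` (`*3\\ eo.oe\\ *`) would keep the alternative useful.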
@ -66,4 +87,18 @@ level: critical
```
### logpoint
```
Message IN ["* mimikatz *", "* mimilib *", "* <3 eo.oe *", "* eo.oe.kiwi *", "* privilege::debug *", "* sekurlsa::logonpasswords *", "* lsadump::sam *", "* mimidrv.sys *", "* p::d *", "* s::l *"]
```
### grep
```
grep -P '^(?:.*.* mimikatz .*|.*.* mimilib .*|.*.* <3 eo\\.oe .*|.*.* eo\\.oe\\.kiwi .*|.*.* privilege::debug .*|.*.* sekurlsa::logonpasswords .*|.*.* lsadump::sam .*|.*.* mimidrv\\.sys .*|.*.* p::d .*|.*.* s::l .*)'
```

View File

@ -61,6 +61,27 @@ level: high
### es-qs
```
((EventID:("4776") AND Workstation:"RULER") OR (EventID:("4624" OR "4625") AND WorkstationName:"RULER"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Hacktool-Ruler <<EOF\n{\n "metadata": {\n "title": "Hacktool Ruler",\n "description": "This events that are generated when using the hacktool Ruler by Sensepost",\n "tags": [\n "attack.discovery",\n "attack.execution",\n "attack.t1087",\n "attack.t1075",\n "attack.t1114",\n "attack.t1059"\n ],\n "query": "((EventID:(\\"4776\\") AND Workstation:\\"RULER\\") OR (EventID:(\\"4624\\" OR \\"4625\\") AND WorkstationName:\\"RULER\\"))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:(\\"4776\\") AND Workstation:\\"RULER\\") OR (EventID:(\\"4624\\" OR \\"4625\\") AND WorkstationName:\\"RULER\\"))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Hacktool Ruler\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:("4776") AND Workstation:"RULER") OR (EventID:("4624" "4625") AND WorkstationName:"RULER"))
```
### splunk
```
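Review bot: `"indices": []` in the watcher's search input leaves the 30-minute search unscoped, so it runs across every index in the cluster (the same setting appears in all watchers of this commit); set the index pattern that holds the Windows event logs so each watcher only queries data it can match. The metadata description `This events that are generated when using the hacktool Ruler by Sensepost` is also missing its verb; `Detects events that are generated ...` is what the rule means.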
@ -68,4 +89,18 @@ level: high
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" ((event_id IN ["4776"] Workstation="RULER") OR (event_id IN ["4624", "4625"] WorkstationName="RULER")))
```
### grep
```
grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*4776))(?=.*RULER))|.*(?:.*(?=.*(?:.*4624|.*4625))(?=.*RULER))))'
```
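Review bot: the grep pattern at the end of this hunk drops the field binding that the logpoint query above it keeps: `(?=.*(?:.*4776))(?=.*RULER)` is satisfied by any line containing `4776` and `RULER` anywhere, so the `Workstation` versus `WorkstationName` distinction, the exact match on `RULER` and the event-source check are all gone (`4776` also matches inside a longer number, `RULER` inside a longer word). If the grep backend stays on these pages, mark it as a coarse line filter rather than an equivalent of the other queries.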

View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1117: Regsvr32](https://attack.mitre.org/techniques/T1117)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1117: Regsvr32](../Triggers/T1117.md)</li></ul> |
| Severity Level | critical |
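Review bot: the only change in this hunk is the order of the two Data Needed entries (DN_0002 before DN_0003 becomes DN_0003 before DN_0002), and the Mustang Panda, Cmdkey Cached Credentials Recon and Control Panel Items tables in this commit show the same swap. The generator seems to emit the list in whatever order the set or dict yields; sort the entries by id before rendering so that regenerating the analytics does not rewrite pages whose content has not changed.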
@ -48,6 +48,27 @@ level: critical
### es-qs
```
CommandLine.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/BlueMashroom-DLL-Load <<EOF\n{\n "metadata": {\n "title": "BlueMashroom DLL Load",\n "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report",\n "tags": [\n "attack.defense_evasion",\n "attack.t1117"\n ],\n "query": "CommandLine.keyword:(*\\\\\\\\regsvr32*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*,DllEntry*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine.keyword:(*\\\\\\\\regsvr32*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*,DllEntry*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'BlueMashroom DLL Load\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
CommandLine.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* *\\\\AppData\\\\Local\\\\*,DllEntry*)
```
### splunk
```
@ -55,4 +76,18 @@ level: critical
```
### logpoint
```
(event_id="1" CommandLine IN ["*\\\\regsvr32*\\\\AppData\\\\Local\\\\*", "*\\\\AppData\\\\Local\\\\*,DllEntry*"])
```
### grep
```
grep -P '^(?:.*.*\\regsvr32.*\\AppData\\Local\\\\.*|.*.*\\AppData\\Local\\\\.*,DllEntry.*)'
```
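Review bot: the logpoint query in this hunk is scoped to `event_id="1"` (Sysmon process creation) only, while the table at the top of this page lists both DN_0002 (Security 4688 with command line) and DN_0003 (Sysmon 1) as data needed, so on logpoint a 4688 event can never satisfy this rule. Either add the 4688 event id to the logpoint condition (the es-qs and graylog queries carry no event id at all) or drop DN_0002 from the data needed for this rule, so the page does not promise coverage it does not have.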

View File

@ -3,7 +3,7 @@
| Description | Detects specific process parameters as used by Mustang Panda droppers |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
@ -56,6 +56,27 @@ level: high
### es-qs
```
(CommandLine.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\*.txt\\"\\ \\/F OR *\\/tn\\ \\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR Image.keyword:(*Temp\\\\winwsh.exe))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Mustang-Panda-Dropper <<EOF\n{\n "metadata": {\n "title": "Mustang Panda Dropper",\n "description": "Detects specific process parameters as used by Mustang Panda droppers",\n "tags": "",\n "query": "(CommandLine.keyword:(*Temp\\\\\\\\wtask.exe\\\\ \\\\/create* OR *%windir\\\\:\\\\~\\\\-3,1%%PUBLIC\\\\:\\\\~\\\\-9,1%* OR *\\\\/E\\\\:vbscript\\\\ *\\\\ C\\\\:\\\\\\\\Users\\\\*.txt\\\\\\"\\\\ \\\\/F OR *\\\\/tn\\\\ \\\\\\"Security\\\\ Script\\\\ * OR *%windir\\\\:\\\\~\\\\-1,1%*) OR Image.keyword:(*Temp\\\\\\\\winwsh.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(CommandLine.keyword:(*Temp\\\\\\\\wtask.exe\\\\ \\\\/create* OR *%windir\\\\:\\\\~\\\\-3,1%%PUBLIC\\\\:\\\\~\\\\-9,1%* OR *\\\\/E\\\\:vbscript\\\\ *\\\\ C\\\\:\\\\\\\\Users\\\\*.txt\\\\\\"\\\\ \\\\/F OR *\\\\/tn\\\\ \\\\\\"Security\\\\ Script\\\\ * OR *%windir\\\\:\\\\~\\\\-1,1%*) OR Image.keyword:(*Temp\\\\\\\\winwsh.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Mustang Panda Dropper\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(CommandLine.keyword:(*Temp\\\\wtask.exe \\/create* *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* *\\/E\\:vbscript * C\\:\\\\Users\\*.txt\\" \\/F *\\/tn \\"Security Script * *%windir\\:\\~\\-1,1%*) OR Image.keyword:(*Temp\\\\winwsh.exe))
```
### splunk
```
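Review bot: `"tags": ""` in the watcher metadata is an empty string where every other watcher in this commit emits a JSON array; emit `[]` when a rule has no tags so the metadata type is the same across watches. The empty value also reflects that this rule has no ATT&CK mapping (the table above says tactic and technique are not mapped yet); adding the tactic and technique tags to the Sigma rule would fill the watcher tags and the table in one go.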
@ -63,4 +84,18 @@ level: high
```
### logpoint
```
(event_id="1" (CommandLine IN ["*Temp\\\\wtask.exe /create*", "*%windir:~-3,1%%PUBLIC:~-9,1%*", "*/E:vbscript * C:\\\\Users\\*.txt\\" /F", "*/tn \\"Security Script *", "*%windir:~-1,1%*"] OR Image IN ["*Temp\\\\winwsh.exe"]))
```
### grep
```
grep -P \'^(?:.*(?:.*(?:.*.*Temp\\wtask\\.exe /create.*|.*.*%windir:~-3,1%%PUBLIC:~-9,1%.*|.*.*/E:vbscript .* C:\\Users\\.*\\.txt" /F|.*.*/tn "Security Script .*|.*.*%windir:~-1,1%.*)|.*(?:.*.*Temp\\winwsh\\.exe)))\'
```

View File

@ -51,6 +51,27 @@ level: medium
### es-qs
```
(EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:"atsvc" AND Accesses.keyword:*WriteData*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Remote-Task-Creation-via-ATSVC-named-pipe <<EOF\n{\n "metadata": {\n "title": "Remote Task Creation via ATSVC named pipe",\n "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe",\n "tags": [\n "attack.lateral_movement",\n "attack.persistence",\n "attack.t1053",\n "car.2013-05-004",\n "car.2015-04-001"\n ],\n "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName:\\"atsvc\\" AND Accesses.keyword:*WriteData*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName:\\"atsvc\\" AND Accesses.keyword:*WriteData*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Remote Task Creation via ATSVC named pipe\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:"atsvc" AND Accesses.keyword:*WriteData*)
```
### splunk
```
@ -58,4 +79,18 @@ level: medium
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\\\*\\\\IPC$" RelativeTargetName="atsvc" Accesses="*WriteData*")
```
### grep
```
grep -P '^(?:.*(?=.*5145)(?=.*\\\\.*\\IPC\\$)(?=.*atsvc)(?=.*.*WriteData.*))'
```

View File

@ -56,6 +56,27 @@ level: low
### es-qs
```
((Image.keyword:*\\\\attrib.exe AND CommandLine.keyword:*\\ \\+h\\ *) AND (NOT ((CommandLine.keyword:*\\\\desktop.ini\\ * OR (ParentImage.keyword:*\\\\cmd.exe AND CommandLine.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND ParentCommandLine.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat)))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Hiding-files-with-attrib.exe <<EOF\n{\n "metadata": {\n "title": "Hiding files with attrib.exe",\n "description": "Detects usage of attrib.exe to hide files from users.",\n "tags": [\n "attack.defense_evasion",\n "attack.persistence",\n "attack.t1158"\n ],\n "query": "((Image.keyword:*\\\\\\\\attrib.exe AND CommandLine.keyword:*\\\\ \\\\+h\\\\ *) AND (NOT ((CommandLine.keyword:*\\\\\\\\desktop.ini\\\\ * OR (ParentImage.keyword:*\\\\\\\\cmd.exe AND CommandLine.keyword:\\\\+R\\\\ \\\\+H\\\\ \\\\+S\\\\ \\\\+A\\\\ \\\\\\\\*.cui AND ParentCommandLine.keyword:C\\\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\*.bat)))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((Image.keyword:*\\\\\\\\attrib.exe AND CommandLine.keyword:*\\\\ \\\\+h\\\\ *) AND (NOT ((CommandLine.keyword:*\\\\\\\\desktop.ini\\\\ * OR (ParentImage.keyword:*\\\\\\\\cmd.exe AND CommandLine.keyword:\\\\+R\\\\ \\\\+H\\\\ \\\\+S\\\\ \\\\+A\\\\ \\\\\\\\*.cui AND ParentCommandLine.keyword:C\\\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\*.bat)))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Hiding files with attrib.exe\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n 
"data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((Image.keyword:*\\\\attrib.exe AND CommandLine.keyword:* \\+h *) AND (NOT ((CommandLine.keyword:*\\\\desktop.ini * OR (ParentImage.keyword:*\\\\cmd.exe AND CommandLine.keyword:\\+R \\+H \\+S \\+A \\\\*.cui AND ParentCommandLine.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat)))))
```
### splunk
```
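Review bot: the include condition in this hunk, `CommandLine.keyword:*\\ \\+h\\ *`, is a case-sensitive match on the keyword field, but the exclusion branch of the same query uses the upper-case form `\\+R\\ \\+H\\ \\+S\\ \\+A`; `attrib +H file` is as valid as `attrib +h file` and is not caught by the lower-case pattern, so the rule covers only one spelling of the switch. Add `+H` to the selection (or make the match case-insensitive on the backends that allow it) and keep the exclusion on the same case.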
@ -63,4 +84,18 @@ level: low
```
### logpoint
```
(event_id="1" (Image="*\\\\attrib.exe" CommandLine="* +h *") -((event_id="1" (CommandLine="*\\\\desktop.ini *" OR (ParentImage="*\\\\cmd.exe" CommandLine="+R +H +S +A \\\\*.cui" ParentCommandLine="C:\\\\WINDOWS\\\\system32\\\\*.bat")))))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*.*\\attrib\\.exe)(?=.*.* \\+h .*)))(?=.*(?!.*(?:.*(?:.*(?:.*.*\\desktop\\.ini .*|.*(?:.*(?=.*.*\\cmd\\.exe)(?=.*\\+R \\+H \\+S \\+A \\\\.*\\.cui)(?=.*C:\\WINDOWS\\system32\\\\.*\\.bat))))))))'
```

View File

@ -63,6 +63,27 @@ level: high
### es-qs
```
(Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\/Backdoor* OR *JSP\\/Backdoor* OR *PHP\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Relevant-Anti-Virus-Event <<EOF\n{\n "metadata": {\n "title": "Relevant Anti-Virus Event",\n "description": "This detection method points out highly relevant Antivirus events",\n "tags": "",\n "query": "(Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\\\/Backdoor* OR *JSP\\\\/Backdoor* OR *PHP\\\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\\\/Backdoor* OR *JSP\\\\/Backdoor* OR *PHP\\\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Relevant Anti-Virus Event\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(Message.keyword:(*HTool* *Hacktool* *ASP\\/Backdoor* *JSP\\/Backdoor* *PHP\\/Backdoor* *Backdoor.ASP* *Backdoor.JSP* *Backdoor.PHP* *Webshell* *Portscan* *Mimikatz* *WinCred* *PlugX* *Korplug* *Pwdump* *Chopper* *WmiExec* *Xscan* *Clearlog* *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* *Crack*))))
```
### splunk
```
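Review bot: the keyword list in this hunk is matched on `Message.keyword`, which is case-sensitive, and it carries `*Hacktool*` and `*HTool*` but not `*HackTool*`, the capitalisation Microsoft Defender uses in its `HackTool:` family names; likewise `*Mimikatz*` but not `*mimikatz*`. Either add the other casings or note on the page that this match only fires for AV products that use exactly these spellings. The logpoint and grep outputs below inherit the same limitation.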
@ -70,4 +91,18 @@ level: high
```
### logpoint
```
(Message IN ["*HTool*", "*Hacktool*", "*ASP/Backdoor*", "*JSP/Backdoor*", "*PHP/Backdoor*", "*Backdoor.ASP*", "*Backdoor.JSP*", "*Backdoor.PHP*", "*Webshell*", "*Portscan*", "*Mimikatz*", "*WinCred*", "*PlugX*", "*Korplug*", "*Pwdump*", "*Chopper*", "*WmiExec*", "*Xscan*", "*Clearlog*", "*ASPXSpy*"] -(Message IN ["*Keygen*", "*Crack*"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*.*HTool.*|.*.*Hacktool.*|.*.*ASP/Backdoor.*|.*.*JSP/Backdoor.*|.*.*PHP/Backdoor.*|.*.*Backdoor\\.ASP.*|.*.*Backdoor\\.JSP.*|.*.*Backdoor\\.PHP.*|.*.*Webshell.*|.*.*Portscan.*|.*.*Mimikatz.*|.*.*WinCred.*|.*.*PlugX.*|.*.*Korplug.*|.*.*Pwdump.*|.*.*Chopper.*|.*.*WmiExec.*|.*.*Xscan.*|.*.*Clearlog.*|.*.*ASPXSpy.*))(?=.*(?!.*(?:.*(?=.*(?:.*.*Keygen.*|.*.*Crack.*))))))'
```

View File

@ -60,6 +60,27 @@ detection:
### es-qs
```
((Image.keyword:(*\\\\wmic.exe) AND CommandLine.keyword:(wmic\\ *\\ *format\\:\\\\\\"http* OR wmic\\ *\\ \\/format\\:\'http OR wmic\\ *\\ \\/format\\:http*)) OR (Imphash:("1B1A3F43BF37B5BFE60751F2EE2F326E" OR "37777A96245A3C74EB217308F3546F4C" OR "9D87C9D67CE724033C0B40CC4CA1B206") AND CommandLine.keyword:(*\\ *format\\:\\\\\\"http* OR *\\ \\/format\\:\'http OR *\\ \\/format\\:http*)))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/SquiblyTwo <<EOF\n{\n "metadata": {\n "title": "SquiblyTwo",\n "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash",\n "tags": [\n "attack.defense_evasion",\n "attack.t1047"\n ],\n "query": "((Image.keyword:(*\\\\\\\\wmic.exe) AND CommandLine.keyword:(wmic\\\\ *\\\\ *format\\\\:\\\\\\\\\\\\\\"http* OR wmic\\\\ *\\\\ \\\\/format\\\\:\'http OR wmic\\\\ *\\\\ \\\\/format\\\\:http*)) OR (Imphash:(\\"1B1A3F43BF37B5BFE60751F2EE2F326E\\" OR \\"37777A96245A3C74EB217308F3546F4C\\" OR \\"9D87C9D67CE724033C0B40CC4CA1B206\\") AND CommandLine.keyword:(*\\\\ *format\\\\:\\\\\\\\\\\\\\"http* OR *\\\\ \\\\/format\\\\:\'http OR *\\\\ \\\\/format\\\\:http*)))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((Image.keyword:(*\\\\\\\\wmic.exe) AND CommandLine.keyword:(wmic\\\\ *\\\\ *format\\\\:\\\\\\\\\\\\\\"http* OR wmic\\\\ *\\\\ \\\\/format\\\\:\'http OR wmic\\\\ *\\\\ \\\\/format\\\\:http*)) OR (Imphash:(\\"1B1A3F43BF37B5BFE60751F2EE2F326E\\" OR \\"37777A96245A3C74EB217308F3546F4C\\" OR \\"9D87C9D67CE724033C0B40CC4CA1B206\\") AND CommandLine.keyword:(*\\\\ *format\\\\:\\\\\\\\\\\\\\"http* OR *\\\\ \\\\/format\\\\:\'http OR *\\\\ \\\\/format\\\\:http*)))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'SquiblyTwo\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n 
"attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((Image.keyword:(*\\\\wmic.exe) AND CommandLine.keyword:(wmic * *format\\:\\\\\\"http* wmic * \\/format\\:\'http wmic * \\/format\\:http*)) OR (Imphash:("1B1A3F43BF37B5BFE60751F2EE2F326E" "37777A96245A3C74EB217308F3546F4C" "9D87C9D67CE724033C0B40CC4CA1B206") AND CommandLine.keyword:(* *format\\:\\\\\\"http* * \\/format\\:\'http * \\/format\\:http*)))
```
### splunk
```
@ -67,4 +88,18 @@ detection:
```
### logpoint
```
(event_id="1" ((Image IN ["*\\\\wmic.exe"] CommandLine IN ["wmic * *format:\\\\\\"http*", "wmic * /format:\'http", "wmic * /format:http*"]) OR (Imphash IN ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"] CommandLine IN ["* *format:\\\\\\"http*", "* /format:\'http", "* /format:http*"])))
```
### grep
```
grep -P \'^(?:.*(?:.*(?:.*(?=.*(?:.*.*\\wmic\\.exe))(?=.*(?:.*wmic .* .*format:\\"http.*|.*wmic .* /format:\'"\'"\'http|.*wmic .* /format:http.*)))|.*(?:.*(?=.*(?:.*1B1A3F43BF37B5BFE60751F2EE2F326E|.*37777A96245A3C74EB217308F3546F4C|.*9D87C9D67CE724033C0B40CC4CA1B206))(?=.*(?:.*.* .*format:\\"http.*|.*.* /format:\'"\'"\'http|.*.* /format:http.*)))))\'
```

View File

@ -60,6 +60,27 @@ tags:
### es-qs
```
(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\/c* AND CommandLine.keyword:*assoc*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Change-Default-File-Association <<EOF\n{\n "metadata": {\n "title": "Change Default File Association",\n "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.",\n "tags": [\n "attack.persistence",\n "attack.t1042"\n ],\n "query": "(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\\\/c* AND CommandLine.keyword:*assoc*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\\\/c* AND CommandLine.keyword:*assoc*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Change Default File Association\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n Image = {{_source.Image}}\\n CommandLine = {{_source.CommandLine}}\\n User = {{_source.User}}\\n LogonGuid = {{_source.LogonGuid}}\\n Hashes = {{_source.Hashes}}\\nParentProcessGuid = {{_source.ParentProcessGuid}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n 
"attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\/c* AND CommandLine.keyword:*assoc*)
```
### splunk
```
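Review bot: the query in this hunk, `CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\/c* AND CommandLine.keyword:*assoc*`, is three independent substring tests, so any command line that contains `cmd`, `/c` and the substring `assoc` anywhere (in a path, or in a word such as `associated`) satisfies it, not only an `assoc` invocation, and the persistence rule fires on unrelated process creations. Anchoring on the token (`* assoc *` or `*assoc *`), as the Cmdkey rule does with `* /list *`, would narrow this.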
@ -67,4 +88,18 @@ tags:
```
### logpoint
```
(event_id="1" CommandLine="*cmd*" CommandLine="*/c*" CommandLine="*assoc*")
```
### grep
```
grep -P '^(?:.*(?=.*.*cmd.*)(?=.*.*/c.*)(?=.*.*assoc.*))'
```

View File

@ -3,7 +3,7 @@
| Description | Detects usage of cmdkey to look for cached credentials |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | low |
@ -51,6 +51,27 @@ level: low
### es-qs
```
(Image.keyword:*\\\\cmdkey.exe AND CommandLine.keyword:*\\ \\/list\\ *)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Cmdkey-Cached-Credentials-Recon <<EOF\n{\n "metadata": {\n "title": "Cmdkey Cached Credentials Recon",\n "description": "Detects usage of cmdkey to look for cached credentials",\n "tags": [\n "attack.credential_access",\n "attack.t1003"\n ],\n "query": "(Image.keyword:*\\\\\\\\cmdkey.exe AND CommandLine.keyword:*\\\\ \\\\/list\\\\ *)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(Image.keyword:*\\\\\\\\cmdkey.exe AND CommandLine.keyword:*\\\\ \\\\/list\\\\ *)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Cmdkey Cached Credentials Recon\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(Image.keyword:*\\\\cmdkey.exe AND CommandLine.keyword:* \\/list *)
```
### splunk
```
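Review bot: `CommandLine.keyword:*\\ \\/list\\ *` in this hunk requires a space on both sides of `/list`, so the plain `cmdkey /list` invocation (nothing after the switch) does not match because there is no trailing space; the logpoint form `CommandLine="* /list *"` below has the same gap. Add an ends-with alternative (`* /list`) next to the contains form, or match `* /list*`.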
@ -58,4 +79,18 @@ level: low
```
### logpoint
```
(event_id="1" Image="*\\\\cmdkey.exe" CommandLine="* /list *")
```
### grep
```
grep -P '^(?:.*(?=.*.*\\cmdkey\\.exe)(?=.*.* /list .*))'
```

View File

@ -60,6 +60,27 @@ level: high
### es-qs
```
(ParentCommandLine.keyword:*\\\\DllHost.exe AND ParentCommandLine.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/CMSTP-UAC-Bypass-via-COM-Object-Access <<EOF\n{\n "metadata": {\n "title": "CMSTP UAC Bypass via COM Object Access",\n "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects",\n "tags": [\n "attack.defense_evasion",\n "attack.privilege_escalation",\n "attack.execution",\n "attack.t1088",\n "attack.t1191",\n "attack.g0069",\n "car.2019-04-001"\n ],\n "query": "(ParentCommandLine.keyword:*\\\\\\\\DllHost.exe AND ParentCommandLine.keyword:(*\\\\{3E5FC7F9\\\\-9A51\\\\-4367\\\\-9063\\\\-A120244FBEC7\\\\} OR *\\\\{3E000D72\\\\-A845\\\\-4CD9\\\\-BD83\\\\-80C07C3B881F\\\\}))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentCommandLine.keyword:*\\\\\\\\DllHost.exe AND ParentCommandLine.keyword:(*\\\\{3E5FC7F9\\\\-9A51\\\\-4367\\\\-9063\\\\-A120244FBEC7\\\\} OR *\\\\{3E000D72\\\\-A845\\\\-4CD9\\\\-BD83\\\\-80C07C3B881F\\\\}))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'CMSTP UAC Bypass via COM Object Access\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n Hashes = {{_source.Hashes}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(ParentCommandLine.keyword:*\\\\DllHost.exe AND ParentCommandLine.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))
```
### splunk
```
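Review bot: the two conditions in this hunk cannot both be true for one value: `ParentCommandLine.keyword:*\\\\DllHost.exe` is an ends-with match (no trailing wildcard) and `ParentCommandLine.keyword:(*\\{3E5FC7F9-...\\} OR *\\{3E000D72-...\\})` is also an ends-with match on the same field, so a parent command line of the form `...\DllHost.exe /Processid:{GUID}` ends with the GUID, not with `DllHost.exe`, and the AND never holds; the logpoint version below has the same shape. The first condition should be a contains match (`*\\DllHost.exe*`) so the rule can fire at all.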
@ -67,4 +88,18 @@ level: high
```
### logpoint
```
(event_id="1" ParentCommandLine="*\\\\DllHost.exe" ParentCommandLine IN ["*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "*{3E000D72-A845-4CD9-BD83-80C07C3B881F}"])
```
### grep
```
grep -P '^(?:.*(?=.*.*\\DllHost\\.exe)(?=.*(?:.*.*\\{3E5FC7F9-9A51-4367-9063-A120244FBEC7\\}|.*.*\\{3E000D72-A845-4CD9-BD83-80C07C3B881F\\})))'
```

View File

@ -3,7 +3,7 @@
| Description | Detects the use of a control panel item (.cpl) outside of the System32 folder |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1196: Control Panel Items](https://attack.mitre.org/techniques/T1196)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1196: Control Panel Items](../Triggers/T1196.md)</li></ul> |
| Severity Level | critical |
@ -51,6 +51,27 @@ falsepositives:
### es-qs
```
(CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\\\System32\\\\* OR *%System%*))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Control-Panel-Items <<EOF\n{\n "metadata": {\n "title": "Control Panel Items",\n "description": "Detects the use of a control panel item (.cpl) outside of the System32 folder",\n "tags": [\n "attack.execution",\n "attack.t1196",\n "attack.defense_evasion"\n ],\n "query": "(CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\\\\\\\System32\\\\\\\\* OR *%System%*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\\\\\\\System32\\\\\\\\* OR *%System%*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Control Panel Items\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\\\System32\\\\* *%System%*))))
```
### splunk
```
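Review bot: the xpack-watcher line in this hunk is emitted as an escaped Python string rather than a shell command: `\'Content-Type: application/json\'`, the literal `\n` sequences and the quadrupled backslashes in `*\\\\\\\\System32\\\\\\\\*` will not paste into a shell, so the generator should write the raw text with real newlines and plain single quotes. The watch body also keeps sigmac's placeholders `"indices": []` and `"to": "root@localhost"`; the section should say these must be set before the watch is installed.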
@ -58,4 +79,18 @@ falsepositives:
```
### logpoint
```
(event_id="1" CommandLine="*.cpl" -(CommandLine IN ["*\\\\System32\\\\*", "*%System%*"]))
```
### grep
```
grep -P '^(?:.*(?=.*.*\\.cpl)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\System32\\\\.*|.*.*%System%.*))))))'
```
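Review bot: the NOT clause in the grep line is a no-op: `(?=.*(?!.*(?:.*(?=.*(?:...System32...|...%System%...)))))` succeeds as soon as the inner `.*` advances to a position (the end of the line will do) after which neither path occurs, so every line containing `.cpl` matches regardless of the System32 exclusion. A negative lookahead anchored at line start, along the lines of `^(?!.*(?:\\System32\\|%System%)).*\.cpl`, expresses the exclusion correctly. The escaping in `\\System32\\\\.*` (one doubled backslash before, two after) is also uneven and should be checked against the logpoint form on the line above it.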

View File

@ -59,6 +59,27 @@ tags:
### es-qs
```
(Image.keyword:*\\\\rar.exe AND CommandLine.keyword:*\\ a\\ * AND CommandLine.keyword:*\\-r*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Data-Compressed <<EOF\n{\n "metadata": {\n "title": "Data Compressed",\n "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network",\n "tags": [\n "attack.exfiltration",\n "attack.t1002"\n ],\n "query": "(Image.keyword:*\\\\\\\\rar.exe AND CommandLine.keyword:*\\\\ a\\\\ * AND CommandLine.keyword:*\\\\-r*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(Image.keyword:*\\\\\\\\rar.exe AND CommandLine.keyword:*\\\\ a\\\\ * AND CommandLine.keyword:*\\\\-r*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Data Compressed\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n Image = {{_source.Image}}\\n CommandLine = {{_source.CommandLine}}\\n User = {{_source.User}}\\n LogonGuid = {{_source.LogonGuid}}\\n Hashes = {{_source.Hashes}}\\nParentProcessGuid = {{_source.ParentProcessGuid}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(Image.keyword:*\\\\rar.exe AND CommandLine.keyword:* a * AND CommandLine.keyword:*\\-r*)
```
### splunk
```
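Review bot: the graylog line drops the space escaping that the es-qs line has: `CommandLine.keyword:* a *` is parsed as three separate terms (`CommandLine.keyword:*`, `a`, `*`) instead of the substring ` a `, so the rar `a` condition is effectively gone while `*\\-r*` still has its hyphen escaped. The graylog backend should emit `*\\ a\\ *` as es-qs does, or quote the value. Separately, the watcher's email body runs `{{_source.ParentCommandLine}}` straight into the `====` separator; a `\\n` is missing before it.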
@ -66,4 +87,18 @@ tags:
```
### logpoint
```
(event_id="1" Image="*\\\\rar.exe" CommandLine="* a *" CommandLine="*-r*")
```
### grep
```
grep -P '^(?:.*(?=.*.*\\rar\\.exe)(?=.*.* a .*)(?=.*.*-r.*))'
```
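Review bot: `CommandLine="*-r*"` in the logpoint line and `(?=.*.*-r.*)` in the grep line match `-r` anywhere in the command line, including inside paths and other switches, while the ` a ` condition is anchored by spaces on both sides; anchoring the switch the same way (` -r`) would cut noise. The repeated `.*.*` inside each lookahead is redundant and only adds backtracking on long lines.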

View File

@ -59,6 +59,27 @@ level: high
### es-qs
```
(((EventID:"4662" AND Properties.keyword:(*Replicating\\ Directory\\ Changes\\ All* OR *1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:"Window\\ Manager"))) AND (NOT (SubjectUserName.keyword:(NT\\ AUTHORITY* OR *$))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Mimikatz-DC-Sync <<EOF\n{\n "metadata": {\n "title": "Mimikatz DC Sync",\n "description": "Detects Mimikatz DC sync security events",\n "tags": [\n "attack.credential_access",\n "attack.s0002",\n "attack.t1003"\n ],\n "query": "(((EventID:\\"4662\\" AND Properties.keyword:(*Replicating\\\\ Directory\\\\ Changes\\\\ All* OR *1131f6ad\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:\\"Window\\\\ Manager\\"))) AND (NOT (SubjectUserName.keyword:(NT\\\\ AUTHORITY* OR *$))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(((EventID:\\"4662\\" AND Properties.keyword:(*Replicating\\\\ Directory\\\\ Changes\\\\ All* OR *1131f6ad\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:\\"Window\\\\ Manager\\"))) AND (NOT (SubjectUserName.keyword:(NT\\\\ AUTHORITY* OR *$))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Mimikatz DC Sync\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(((EventID:"4662" AND Properties.keyword:(*Replicating Directory Changes All* *1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:"Window Manager"))) AND (NOT (SubjectUserName.keyword:(NT AUTHORITY* *$))))
```
### splunk
```
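Review bot: the graylog query in this hunk is broken by unescaped spaces: `Properties.keyword:(*Replicating Directory Changes All* ...)` is read as the OR of `*Replicating`, `Directory`, `Changes`, `All*` and the GUID term, and `SubjectUserName.keyword:(NT AUTHORITY* *$)` splits into `NT` and `AUTHORITY*`, so on a keyword field the first Properties alternative never matches and the NT AUTHORITY exclusion no longer applies. The es-qs line keeps the `\\ ` escaping; the graylog backend should do the same, or quote the values as it already does for `"Window Manager"`.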
@ -66,4 +87,18 @@ level: high
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" ((event_id="4662" Properties IN ["*Replicating Directory Changes All*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"]) -(SubjectDomainName="Window Manager")) -(SubjectUserName IN ["NT AUTHORITY*", "*$"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*(?=.*4662)(?=.*(?:.*.*Replicating Directory Changes All.*|.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*))))(?=.*(?!.*(?:.*(?=.*Window Manager))))))(?=.*(?!.*(?:.*(?=.*(?:.*NT AUTHORITY.*|.*.*\\$))))))'
```
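Review bot: both exclusions in the grep line use the `(?=.*(?!...))` construction, which succeeds once `.*` reaches a position (the end of the line) after which the excluded text does not occur, so neither the `Window Manager` nor the `NT AUTHORITY`/`$` exclusion filters anything; a negative lookahead anchored at line start, e.g. `^(?!.*Window Manager)(?!.*NT AUTHORITY)...`, is needed. `(?=.*4662)` also matches 4662 anywhere on the line rather than in the event id field, which the logpoint line avoids with `event_id="4662"`.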

View File

@ -50,6 +50,27 @@ level: high
### es-qs
```
(EventID:"4719" AND AuditPolicyChanges:"removed")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Disabling-Windows-Event-Auditing <<EOF\n{\n "metadata": {\n "title": "Disabling Windows Event Auditing",\n "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off \\"Local Group Policy Object Processing\\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \\"gpedit.msc\\". Please note, that disabling \\"Local Group Policy Object Processing\\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.",\n "tags": [\n "attack.defense_evasion",\n "attack.t1054"\n ],\n "query": "(EventID:\\"4719\\" AND AuditPolicyChanges:\\"removed\\")"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"4719\\" AND AuditPolicyChanges:\\"removed\\")",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Disabling Windows Event Auditing\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4719" AND AuditPolicyChanges:"removed")
```
### splunk
```
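Review bot: `"indices": []` and `"to": "root@localhost"` in the watch body are sigmac placeholders reproduced verbatim; the xpack-watcher section should state that the index pattern and recipient must be set before the watch is installed. The description string on the same line carries escaped quotes (`\\"Local Group Policy Object Processing\\"`) and the `\'` shell-quote artefact, so the block is not pasteable as shown.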
@ -57,4 +78,18 @@ level: high
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="4719" AuditPolicyChanges="removed")
```
### grep
```
grep -P '^(?:.*(?=.*4719)(?=.*removed))'
```
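Review bot: `grep -P '^(?:.*(?=.*4719)(?=.*removed))'` has no field context, so any line containing `4719` (a PID, a port, part of a timestamp) together with the word `removed` matches; the logpoint line keeps `event_source="Microsoft-Windows-Security-Auditing" event_id="4719"`. The grep section should at least document that it is a coarse pre-filter for exported text, not a faithful translation of the rule.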

View File

@ -49,6 +49,27 @@ level: critical
### es-qs
```
CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Encoded-FromBase64String <<EOF\n{\n "metadata": {\n "title": "Encoded FromBase64String",\n "description": "Detects a base64 encoded FromBase64String keyword in a process command line",\n "tags": [\n "attack.t1086",\n "attack.t1140",\n "attack.execution",\n "attack.defense_evasion"\n ],\n "query": "CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Encoded FromBase64String\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* *o6RnJvbUJhc2U2NFN0cmluZ* *6OkZyb21CYXNlNjRTdHJpbm*)
```
### splunk
```
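Review bot: the three strings in the query, `OjpGcm9tQmFzZTY0U3RyaW5n`, `o6RnJvbUJhc2U2NFN0cmluZ` and `6OkZyb21CYXNlNjRTdHJpbm`, are the base64 encodings of `::FromBase64String` at its three possible byte alignments, not three unrelated indicators; that deserves a sentence on the page so a later edit does not drop or "fix" one of them. The watcher's email body again lacks a `\\n` between `{{_source.ParentCommandLine}}` and the `====` separator.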
@ -56,4 +77,18 @@ level: critical
```
### logpoint
```
(event_id="1" CommandLine IN ["*OjpGcm9tQmFzZTY0U3RyaW5n*", "*o6RnJvbUJhc2U2NFN0cmluZ*", "*6OkZyb21CYXNlNjRTdHJpbm*"])
```
### grep
```
grep -P '^(?:.*.*OjpGcm9tQmFzZTY0U3RyaW5n.*|.*.*o6RnJvbUJhc2U2NFN0cmluZ.*|.*.*6OkZyb21CYXNlNjRTdHJpbm.*)'
```

View File

@ -52,6 +52,27 @@ level: critical
### es-qs
```
CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Encoded-IEX <<EOF\n{\n "metadata": {\n "title": "Encoded IEX",\n "description": "Detects a base64 encoded IEX command string in a process command line",\n "tags": [\n "attack.t1086",\n "attack.t1140",\n "attack.execution"\n ],\n "query": "CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Encoded IEX\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
CommandLine.keyword:(*SUVYIChb* *lFWCAoW* *JRVggKF* *aWV4IChb* *lleCAoW* *pZXggKF* *aWV4IChOZX* *lleCAoTmV3* *pZXggKE5ld* *SUVYIChOZX* *lFWCAoTmV3* *JRVggKE5ld*)
```
### splunk
```
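Review bot: the twelve fragments are the base64 encodings of `IEX ([`, `iex ([`, `IEX (New` and `iex (New` at each of the three byte alignments (`SUVYIChb` is `IEX ([`, `aWV4IChOZX` is `iex (Ne`), and the page should say so, since the list is otherwise opaque to whoever maintains it. The email body is missing a `\\n` before the `====` separator, as in the other watchers in this commit.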
@ -59,4 +80,18 @@ level: critical
```
### logpoint
```
(event_id="1" CommandLine IN ["*SUVYIChb*", "*lFWCAoW*", "*JRVggKF*", "*aWV4IChb*", "*lleCAoW*", "*pZXggKF*", "*aWV4IChOZX*", "*lleCAoTmV3*", "*pZXggKE5ld*", "*SUVYIChOZX*", "*lFWCAoTmV3*", "*JRVggKE5ld*"])
```
### grep
```
grep -P '^(?:.*.*SUVYIChb.*|.*.*lFWCAoW.*|.*.*JRVggKF.*|.*.*aWV4IChb.*|.*.*lleCAoW.*|.*.*pZXggKF.*|.*.*aWV4IChOZX.*|.*.*lleCAoTmV3.*|.*.*pZXggKE5ld.*|.*.*SUVYIChOZX.*|.*.*lFWCAoTmV3.*|.*.*JRVggKE5ld.*)'
```

View File

@ -3,7 +3,7 @@
| Description | Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li></ul> |
| Severity Level | high |
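Review bot: this hunk only swaps the order of the two Data Needed entries (DN_0002 and DN_0003 change places, nothing is added or removed), which means the generator walks an unordered collection; sorting the list before rendering would stop regenerations from churning files and hiding real changes.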
@ -52,6 +52,27 @@ detection:
### es-qs
```
(CommandLine.keyword:*\\ cl\\ *\\/Trace* OR CommandLine.keyword:*\\ clear\\-log\\ *\\/Trace* OR CommandLine.keyword:*\\ sl*\\ \\/e\\:false* OR CommandLine.keyword:*\\ set\\-log*\\ \\/e\\:false*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Disable-of-ETW-Trace <<EOF\n{\n "metadata": {\n "title": "Disable of ETW Trace",\n "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.",\n "tags": [\n "attack.execution",\n "attack.t1070",\n "car.2016-04-002"\n ],\n "query": "(CommandLine.keyword:*\\\\ cl\\\\ *\\\\/Trace* OR CommandLine.keyword:*\\\\ clear\\\\-log\\\\ *\\\\/Trace* OR CommandLine.keyword:*\\\\ sl*\\\\ \\\\/e\\\\:false* OR CommandLine.keyword:*\\\\ set\\\\-log*\\\\ \\\\/e\\\\:false*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(CommandLine.keyword:*\\\\ cl\\\\ *\\\\/Trace* OR CommandLine.keyword:*\\\\ clear\\\\-log\\\\ *\\\\/Trace* OR CommandLine.keyword:*\\\\ sl*\\\\ \\\\/e\\\\:false* OR CommandLine.keyword:*\\\\ set\\\\-log*\\\\ \\\\/e\\\\:false*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Disable of ETW Trace\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(CommandLine.keyword:* cl *\\/Trace* OR CommandLine.keyword:* clear\\-log *\\/Trace* OR CommandLine.keyword:* sl* \\/e\\:false* OR CommandLine.keyword:* set\\-log* \\/e\\:false*)
```
### splunk
```
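Review bot: the graylog line loses the space escaping of the es-qs line: `CommandLine.keyword:* cl *\\/Trace*` parses as `CommandLine.keyword:*`, the bare term `cl` and `*\\/Trace*`, so the `cl`, `clear-log`, `sl` and `set-log` conditions no longer apply to the CommandLine field. The backend should keep `\\ ` as es-qs does, or quote the values.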
@ -59,4 +80,18 @@ detection:
```
### logpoint
```
(event_id="1" (CommandLine="* cl */Trace*" OR CommandLine="* clear-log */Trace*" OR CommandLine="* sl* /e:false*" OR CommandLine="* set-log* /e:false*"))
```
### grep
```
grep -P '^(?:.*(?:.*.* cl .*/Trace.*|.*.* clear-log .*/Trace.*|.*.* sl.* /e:false.*|.*.* set-log.* /e:false.*))'
```

View File

@ -3,7 +3,7 @@
| Description | Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | critical |
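Review bot: same reorder-only change of the Data Needed list as in the other regenerated tables (DN_0003 now precedes DN_0002); sort the entries in the generator so the diff reflects content changes only.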
@ -48,6 +48,27 @@ level: critical
### es-qs
```
(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\MicroScMgmt.exe\\ )
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Exploit-for-CVE-2015-1641 <<EOF\n{\n "metadata": {\n "title": "Exploit for CVE-2015-1641",\n "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641",\n "tags": [\n "attack.defense_evasion",\n "attack.t1036"\n ],\n "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\MicroScMgmt.exe\\\\ )"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\MicroScMgmt.exe\\\\ )",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Exploit for CVE-2015-1641\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\MicroScMgmt.exe )
```
### splunk
```
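Review bot: `Image.keyword:*\\\\MicroScMgmt.exe\\ ` ends in an escaped trailing space (the graylog line shows it as `MicroScMgmt.exe )`), which looks like whitespace that leaked from the source rule's Image value; an image path never ends in a space, so this rule cannot match in any generated backend until the trailing space is removed at the source.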
@ -55,4 +76,18 @@ level: critical
```
### logpoint
```
(event_id="1" ParentImage="*\\\\WINWORD.EXE" Image="*\\\\MicroScMgmt.exe ")
```
### grep
```
grep -P '^(?:.*(?=.*.*\\WINWORD\\.EXE)(?=.*.*\\MicroScMgmt\\.exe ))'
```
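Review bot: the trailing space is carried into `Image="*\\\\MicroScMgmt.exe "` in the logpoint line and `MicroScMgmt\\.exe )` in the grep line, so both forms share the same dead match; fix the source value rather than each output.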

View File

@ -3,7 +3,7 @@
| Description | Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | medium |
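Review bot: reorder-only change of the Data Needed list again (DN_0003 before DN_0002, same two entries); a sorted emit in the generator would make this hunk disappear.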
@ -48,6 +48,27 @@ level: medium
### es-qs
```
(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\FLTLDR.exe*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Exploit-for-CVE-2017-0261 <<EOF\n{\n "metadata": {\n "title": "Exploit for CVE-2017-0261",\n "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262",\n "tags": [\n "attack.defense_evasion",\n "attack.privilege_escalation",\n "attack.t1055"\n ],\n "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\FLTLDR.exe*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\FLTLDR.exe*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Exploit for CVE-2017-0261\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\FLTLDR.exe*)
```
### splunk
```
@ -55,4 +76,18 @@ level: medium
```
### logpoint
```
(event_id="1" ParentImage="*\\\\WINWORD.EXE" Image="*\\\\FLTLDR.exe*")
```
### grep
```
grep -P '^(?:.*(?=.*.*\\WINWORD\\.EXE)(?=.*.*\\FLTLDR\\.exe.*))'
```
