Makefile updated, yamls2csv changed to work with customer entities, md files and analytics regenerated

This commit is contained in:
Wydra Mateusz 2019-03-27 02:22:01 +01:00
parent b40c75fb17
commit f4006e03bc
444 changed files with 31837 additions and 685 deletions


@ -0,0 +1,57 @@
| Title | DN_0001_4688_windows_process_creation |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, not including command line |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>NewProcessId</li><li>NewProcessName</li><li>TokenElevationType</li><li>ProcessId</li><li>ProcessPid</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>ProcessName</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
</EventData>
</Event>
```
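Review bot: in the Fields row, `ProcessPid` sits next to `ProcessId` but occurs neither in the sample event nor among the 4688 fields; if it is a normalised alias from a field-mapping profile, document that, otherwise it reads as a typo for `ProcessId`. Separately, the paths in this sample (`C:\\Windows\\System32\\rundll32.exe`, `C:\\Windows\\explorer.exe`) carry doubled backslashes while the lab-generated samples in the other entries use single ones; inside a fenced block no escaping is needed, so normalise to single backslashes so the example values match what the log actually contains.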


@ -0,0 +1,58 @@
| Title | DN_0002_4688_windows_process_creation_with_commandline |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, including command line |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>NewProcessId</li><li>ProcessId</li><li>NewProcessName</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>TokenElevationType</li><li>CommandLine</li><li>ProcessCommandLine</li><li>ProcesssCommandLine</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>ParentProcessName</li><li>ParentImage</li><li>MandatoryLabel</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-02-06T20:34:57.910980700Z" />
<EventRecordID>3542561</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-540864798-2899685673-3651185163-500</Data>
<Data Name="SubjectUserName">user1</Data>
<Data Name="SubjectDomainName">atc-win-10</Data>
<Data Name="SubjectLogonId">0xcdd96</Data>
<Data Name="NewProcessId">0x12d0</Data>
<Data Name="NewProcessName">C:\Users\user1\Desktop\PSTools\PsExec64.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x21d4</Data>
<Data Name="CommandLine">PsExec64.exe -i -s -d cmd</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data>
</EventData>
</Event>
```
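Review bot: the Fields row lists `NewProcessName` twice and contains `ProcesssCommandLine` (three s), which looks like a typo for the `ProcessCommandLine` entry immediately before it. Since the commit message says the .md files are regenerated, fix the source YAML rather than this file so the duplicate and the typo do not come back on the next regeneration.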


@ -0,0 +1,59 @@
| Title | DN_0003_1_windows_sysmon_process_creation |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, including command line |
| Logging Policy | <ul><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>UtcTime</li><li>Username</li><li>User</li><li>ProcessGuid</li><li>ProcessId</li><li>ProcessName</li><li>CommandLine</li><li>LogonGuid</li><li>LogonId</li><li>TerminalSessionid</li><li>IntegrityLevel</li><li>Hashes</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li><li>Image</li><li>ParentImage</li><li>ParentProcessGuid</li><li>ParentProcessId</li><li>ParentProcessName</li><li>ParentCommandLine</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:08:22.025812200Z" />
<EventRecordID>9947</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:08:22.025</Data>
<Data Name="ProcessGuid">{A23EAE89-BD56-5903-0000-0010E9D95E00}</Data>
<Data Name="ProcessId">6228</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
<Data Name="CommandLine">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8</Data>
<Data Name="CurrentDirectory">C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\</Data>
<Data Name="User">LAB\rsmith</Data>
<Data Name="LogonGuid">{A23EAE89-B357-5903-0000-002005EB0700}</Data>
<Data Name="LogonId">0x7eb05</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=AAE83ECC4ABEE2E7567E2FF76B2B046C65336731,MD5=283BDCD7B83EEE614897619332E5B938,SHA256=17DD017B7E7D1DC835CDF5E57156A0FF508EBBC7F4A48E65D77E026C33FCB58E,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F</Data>
<Data Name="ParentProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
<Data Name="ParentProcessId">13220</Data>
<Data Name="ParentImage">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
<Data Name="ParentCommandLine">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" </Data>
</EventData>
</Event>
```
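Review bot: the Description ("Windows process creation log, including command line") is identical to DN_0002's and does not say this is the Sysmon event; naming the source (Sysmon Event ID 1) keeps the two entries distinguishable in the generated CSV. In the Fields row, `TerminalSessionid` does not match the `TerminalSessionId` key in the sample (most SIEM field mappings are case-sensitive), and `CurrentDirectory`, which the sample carries, is missing from the list.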


@ -0,0 +1,70 @@
| Title | DN_0004_4624_windows_account_logon |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | An account was successfully logged on |
| Logging Policy | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>LogonGuid</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li><li>ImpersonationLevel</li><li>RestrictedAdminMode</li><li>TargetOutboundUserName</li><li>TargetOutboundDomainName</li><li>VirtualAccount</li><li>TargetLinkedLogonId</li><li>ElevatedToken</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z" />
<EventRecordID>211</EventRecordID>
<Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}" />
<Execution ProcessID="716" ThreadID="760" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
<Data Name="TargetLogonId">0x8dcdc</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x44c</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
```
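Review bot: the References row links to `event-4688.md`, the process-creation page, although this entry documents Event ID 4624; it should point at the 4624 page in the same MicrosoftDocs auditing tree. The Fields row also lists `AccountName`, which does not occur in the sample event; if it is a normalised alias for `TargetUserName`, document the mapping, otherwise drop it.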


@ -0,0 +1,48 @@
| Title | DN_0005_7045_windows_service_insatalled |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A service was installed in the system |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[None](None)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | System |
| Provider | Service Control Manager |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>ProcessID</li><li>ServiceName</li><li>ImagePath</li><li>ServiceFileName</li><li>ServiceType</li><li>StartType</li><li>AccountName</li><li>UserSid</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2017-07-02T15:48:56.256752900Z" />
<EventRecordID>762</EventRecordID>
<Correlation />
<Execution ProcessID="568" ThreadID="1792" />
<Channel>System</Channel>
<Computer>DESKTOP</Computer>
<Security UserID="S-1-5-21-2073602604-586167410-2329295167-1001" />
</System>
- <EventData>
<Data Name="ServiceName">sshd</Data>
<Data Name="ImagePath">C:\Program Files\OpenSSH\sshd.exe</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data>
</EventData>
</Event>
```
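Review bot: the Title has a typo, `insatalled` for `installed`; because the title doubles as the data-needed identifier that other files reference, fix it in the source YAML and check existing cross-references before regenerating. The References row renders `[None](None)` as a literal link to a page called None; when no reference is set, emit plain text the way the Logging Policy row does with "Not existing".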


@ -0,0 +1,51 @@
| Title | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Explicit modification of file creation timestamp by a process |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>PreviousCreationUtcTime</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>2</EventID>
<Version>4</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-10T15:08:56.961102400Z" />
<EventRecordID>6994</EventRecordID>
<Correlation />
<Execution ProcessID="2940" ThreadID="3576" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-10 15:08:56.954</Data>
<Data Name="ProcessGuid">{9683FBB1-8164-5C0E-0000-00104B532800}</Data>
<Data Name="ProcessId">2788</Data>
<Data Name="Image">C:\Users\user1\AppData\Local\Temp\chocolatey\wireshark\2.6.5\Wireshark-win64-2.6.5.exe</Data>
<Data Name="TargetFilename">C:\Program Files\Wireshark\user-guide.chm</Data>
<Data Name="CreationUtcTime">2018-11-28 18:37:08.000</Data>
<Data Name="PreviousCreationUtcTime">2018-12-10 15:08:56.486</Data>
</EventData>
</Event>
```
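Review bot: the sample EventData carries a `RuleName` element, but `RuleName` is absent from the Fields row; since it is the field that names the Sysmon configuration rule that fired, it is worth listing so analytics can filter on it. The same gap applies to the other Sysmon entries in this commit whose samples include `RuleName`.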


@ -0,0 +1,61 @@
| Title | DN_0007_3_windows_sysmon_network_connection |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | TCP/UDP connections made by a process |
| Logging Policy | <ul><li>[LP_0005_windows_sysmon_network_connection](../Logging_Policies/LP_0005_windows_sysmon_network_connection.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>User</li><li>Protocol</li><li>Initiated</li><li>SourceIsIpv6</li><li>SourceIp</li><li>SourceHostname</li><li>SourcePort</li><li>SourcePortName</li><li>DestinationIsIpv6</li><li>DestinationIp</li><li>DestinationHostname</li><li>DestinationPort</li><li>DestinationPortName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:16:29.384924000Z" />
<EventRecordID>16000</EventRecordID>
<Correlation />
<Execution ProcessID="1828" ThreadID="2764" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>ATC-WIN-7.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 15:16:17.411</Data>
<Data Name="ProcessGuid">{A96EFBF1-A8C9-5C59-0000-0010D274D300}</Data>
<Data Name="ProcessId">3900</Data>
<Data Name="Image">C:\Users\user1\Desktop\SysinternalsSuite\PsExec.exe</Data>
<Data Name="User">ATC-WIN-7\user1</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">10.0.0.111</Data>
<Data Name="SourceHostname">ATC-WIN-7.atc.local</Data>
<Data Name="SourcePort">49603</Data>
<Data Name="SourcePortName" />
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">10.0.0.103</Data>
<Data Name="DestinationHostname">ATC-WIN-10</Data>
<Data Name="DestinationPort">135</Data>
<Data Name="DestinationPortName">epmap</Data>
</EventData>
</Event>
```


@ -0,0 +1,47 @@
| Title | DN_0008_4_windows_sysmon_sysmon_service_state_changed |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Sysmon service changed status |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>State</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:11:20.289486200Z" />
<EventRecordID>45818</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2019-02-05 13:11:20.281</Data>
<Data Name="State">Started</Data>
<Data Name="Version">8.00</Data>
<Data Name="SchemaVersion">4.10</Data>
</EventData>
</Event>
```
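Review bot: the Title `DN_0008_4_windows_sysmon_sysmon_service_state_changed` repeats `sysmon`; if the naming pattern is prefix, event id, platform, provider, event name, the second `sysmon` should go. The Fields row also omits `Version` and `SchemaVersion`, both present in the sample EventData and useful for tracking which Sysmon build and schema each host runs.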


@ -0,0 +1,48 @@
| Title | DN_0009_5_windows_sysmon_process_terminated |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Process has been terminated |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>5</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:16:38.833314100Z" />
<EventRecordID>57994</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 15:16:38.821</Data>
<Data Name="ProcessGuid">{9683FBB1-A8D6-5C59-0000-001009797000}</Data>
<Data Name="ProcessId">2440</Data>
<Data Name="Image">C:\Windows\PSEXESVC.exe</Data>
</EventData>
</Event>
```


@ -0,0 +1,50 @@
| Title | DN_0010_6_windows_sysmon_driver_loaded |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ImageLoaded</li><li>Hashes</li><li>Sha256hash</li><li>Md5hash</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>6</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" />
<EventRecordID>4565</EventRecordID>
<Correlation />
<Execution ProcessID="2996" ThreadID="3992" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-09 21:41:41.091</Data>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data>
<Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Sysinternals</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
```
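Review bot: the Description has a subject-verb disagreement, "The driver loaded events provides"; it should read "The driver loaded event provides information about a driver being loaded on the system". The Fields row lists only `Sha256hash` and `Md5hash` whereas DN_0003 also lists `Sha1hash` and `Imphash`; if the hash fields depend on the configured Sysmon hash algorithms, say so rather than listing a fixed subset per entry.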


@ -0,0 +1,52 @@
| Title | DN_0011_7_windows_sysmon_image_loaded |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The image loaded event logs when a module is loaded in a specific process |
| Logging Policy | <ul><li>[LP_0006_windows_sysmon_image_loaded](../Logging_Policies/LP_0006_windows_sysmon_image_loaded.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>ImageLoaded</li><li>Hashes</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:45:16.663226600Z" />
<EventRecordID>16636</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
<Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
<Data Name="ProcessId">12536</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\ole32.dll</Data>
<Data Name="Hashes">SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
```


@ -0,0 +1,54 @@
| Title | DN_0012_8_windows_sysmon_CreateRemoteThread |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The CreateRemoteThread event detects when a process creates a thread in another process |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>SourceProcessGuid</li><li>SourceProcessId</li><li>SourceImage</li><li>TargetProcessGuid</li><li>TargetProcessId</li><li>TargetImage</li><li>NewThreadId</li><li>StartAddress</li><li>StartModule</li><li>StartFunction</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
</EventData>
</Event>
```


@ -0,0 +1,48 @@
| Title | DN_0013_9_windows_sysmon_RawAccessRead |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>Device</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>9</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-03-22T20:32:22.333778700Z" />
<EventRecordID>1944686</EventRecordID>
<Correlation />
<Execution ProcessID="19572" ThreadID="21888" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
<Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
</EventData>
</Event>
```
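Review bot: Logging Policy is given as `Not existing`, yet Sysmon does not write event 9 unless a RawAccessRead rule is configured, so without an LP_ entry (as LP_0007_windows_sysmon_ProcessAccess is for event 10) nothing tells the reader how this Data Needed is actually collected; add the policy or state the configuration requirement in the row. A smaller point: `Hostname` is listed under Fields but the raw log carries only `Computer`, so mark it as a derived field or drop it.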

@ -0,0 +1,54 @@
| Title | DN_0014_10_windows_sysmon_ProcessAccess |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process |
| Logging Policy | <ul><li>[LP_0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP_0007_windows_sysmon_ProcessAccess.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>SourceProcessGUID</li><li>SourceProcessId</li><li>SourceThreadId</li><li>SourceImage</li><li>TargetProcessGUID</li><li>TargetProcessId</li><li>TargetImage</li><li>GrantedAccess</li><li>CallTrace</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>10</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T14:28:35.216091900Z" />
<EventRecordID>42444</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 14:28:35.212</Data>
<Data Name="SourceProcessGUID">{9683FBB1-B470-5C51-0000-0010521EBB00}</Data>
<Data Name="SourceProcessId">6916</Data>
<Data Name="SourceThreadId">8080</Data>
<Data Name="SourceImage">C:\Users\user1\Desktop\mimi\x64\mimikatz.exe</Data>
<Data Name="TargetProcessGUID">{9683FBB1-9A52-5C51-0000-0010C3610000}</Data>
<Data Name="TargetProcessId">672</Data>
<Data Name="TargetImage">C:\windows\system32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data>
<Data Name="CallTrace">C:\windows\SYSTEM32\ntdll.dll+9a3c4|C:\windows\System32\KERNELBASE.dll+2fd5d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a906|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7ac75|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a82d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d28c|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d0c4|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4cea1|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+80675|C:\windows\System32\KERNEL32.DLL+13034|C:\windows\SYSTEM32\ntdll.dll+71471</Data>
</EventData>
</Event>
```
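Review bot: Description has a typo, `thats` should be `that's`. Also, the sample carries `<Data Name="RuleName" />` but RuleName is absent from Fields, whereas the WmiEvent entries (DN_0022 to DN_0024) list it; the Sysmon entries should agree on whether RuleName is a documented field, since analytics keyed on it will otherwise be inconsistent.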

@ -0,0 +1,50 @@
| Title | DN_0015_11_windows_sysmon_FileCreate |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection |
| Logging Policy | <ul><li>[LP_0008_windows_sysmon_FileCreate](../Logging_Policies/LP_0008_windows_sysmon_FileCreate.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>11</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>11</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T15:08:51.296611700Z" />
<EventRecordID>42528</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 15:08:51.287</Data>
<Data Name="ProcessGuid">{9683FBB1-9A3F-5C51-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="TargetFilename">C:\Windows\PSEXESVC.exe</Data>
<Data Name="CreationUtcTime">2019-01-30 15:08:51.287</Data>
</EventData>
</Event>
```
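Review bot: in the sample the creation of `C:\Windows\PSEXESVC.exe` is attributed to `Image` = `System` with `ProcessId` = 4, which is how a file written by a remote client over an SMB share is reported; the Description should say that in this case Image and ProcessGuid identify the kernel, not the writing client, so detections built on this Data Needed need a correlation source (for example share-access auditing) to attribute the write.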

@ -0,0 +1,50 @@
| Title | DN_0016_12_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>12</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>12</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:05:28.027841800Z" />
<EventRecordID>42938</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">DeleteKey</Data>
<Data Name="UtcTime">2019-01-30 17:05:28.023</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1</Data>
</EventData>
</Event>
```
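Review bot: Logging Policy is `Not existing` for this entry and for the event 13 and 14 entries that follow, although Sysmon only produces registry events when a RegistryEvent rule is configured; add an LP_ entry (one policy can cover 12, 13 and 14, the way LP_0010_windows_sysmon_WmiEvent covers 19 to 21) or state the configuration requirement in the row.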

@ -0,0 +1,51 @@
| Title | DN_0017_13_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>Details</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:06:11.698273500Z" />
<EventRecordID>42943</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2019-01-30 17:06:11.673</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1</Data>
<Data Name="Details">C:\Program Files\Sublime Text 3\sublime_text.exe</Data>
</EventData>
</Event>
```
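Review bot: the Description says the event records the value written for DWORD and QWORD values, but the sample's `Details` carries a string (`C:\Program Files\Sublime Text 3\sublime_text.exe`), so the wording understates what the field holds; adjust it so readers know a string value such as an autostart path is also recorded in Details and can be matched on.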

@ -0,0 +1,51 @@
| Title | DN_0018_14_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>NewName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>14</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>14</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
<EventRecordID>43065</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">RenameKey</Data>
<Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
<Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
</EventData>
</Event>
```

@ -0,0 +1,51 @@
| Title | DN_0019_15_windows_sysmon_FileCreateStreamHash |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>Hash</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" />
<EventRecordID>34115</EventRecordID>
<Correlation />
<Execution ProcessID="2052" ThreadID="4092" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-21 12:43:53.368</Data>
<Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data>
<Data Name="ProcessId">6604</Data>
<Data Name="Image">C:\windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data>
<Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data>
<Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data>
</EventData>
</Event>
```
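Review bot: `Hash` in the sample is a single comma-separated string (`MD5=...,SHA256=...`) whose algorithms depend on the Sysmon HashAlgorithms setting, so any analytic matching on a hash has to split this field first; the Fields row should say so rather than present Hash as one value. Also worth a word: `CreationUtcTime` (2013) is the creation time of the file the stream is attached to, not the event time, which is `UtcTime` (2019).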

@ -0,0 +1,49 @@
| Title | DN_0020_17_windows_sysmon_PipeEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication |
| Logging Policy | <ul><li>[LP_0009_windows_sysmon_PipeEvent](../Logging_Policies/LP_0009_windows_sysmon_PipeEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>17</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.396695400Z" />
<EventRecordID>46617</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.396</Data>
<Data Name="ProcessGuid">{9683FBB1-919E-5C59-0000-0010A0E53B00}</Data>
<Data Name="ProcessId">7128</Data>
<Data Name="PipeName">\PSEXESVC-ATC-WIN-7-2728-stdin</Data>
<Data Name="Image">C:\windows\PSEXESVC.exe</Data>
</EventData>
</Event>
```

@ -0,0 +1,49 @@
| Title | DN_0021_18_windows_sysmon_PipeEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs when a named pipe connection is made between a client and a server |
| Logging Policy | <ul><li>[LP_0009_windows_sysmon_PipeEvent](../Logging_Policies/LP_0009_windows_sysmon_PipeEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>18</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.457379300Z" />
<EventRecordID>46620</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.455</Data>
<Data Name="ProcessGuid">{9683FBB1-8B5F-5C59-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="PipeName">\PSEXESVC-ATC-WIN-7-2728-stdin</Data>
<Data Name="Image">System</Data>
</EventData>
</Event>
```
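Review bot: the sample shows the pipe connection with `Image` = `System` and `ProcessId` = 4, which is the pattern when the pipe client is a remote host connecting over SMB (the pipe name here is PSEXESVC's stdin pipe for ATC-WIN-7while the event was logged on atc-win-10); the Description should state that event 18 from the System process means a remote client, so an analytic cannot expect the client binary in Image and must pair this with network or share-access events.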

@ -0,0 +1,51 @@
| Title | DN_0022_19_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression |
| Logging Policy | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>EventNamespace</li><li>Name</li><li>Query</li><li>RuleName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" />
<EventRecordID>46712</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.432</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="EventNamespace">"root\\CimV2"</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data>
</EventData>
</Event>
```
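Review bot: the string fields in the sample arrive with literal surrounding double quotes and doubled backslashes (`"root\\CimV2"`, `"AtomicRedTeam-WMIPersistence-Example"`), i.e. Sysmon writes EventNamespace, Name and Query escaped; note this in the Fields row, because an analytic that compares EventNamespace against `root\CimV2` or matches Name without the quotes will not fire on the raw value. The same applies to `Destination` in the event 20 entry and to `Consumer` and `Filter` in the event 21 entry.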

@ -0,0 +1,51 @@
| Title | DN_0023_20_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs the registration of WMI consumers, recording the consumer name, log, and destination |
| Logging Policy | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>Name</li><li>Type</li><li>Destination</li><li>RuleName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>20</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>20</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" />
<EventRecordID>46713</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiConsumerEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.510</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Type">Command Line</Data>
<Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data>
</EventData>
</Event>
```

@ -0,0 +1,50 @@
| Title | DN_0024_21_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | When a consumer binds to a filter, this event logs the consumer name and filter path |
| Logging Policy | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>Consumer</li><li>RuleName</li><li>Filter</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" />
<EventRecordID>46714</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:47.087</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
<Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
</EventData>
</Event>
```

@ -0,0 +1,58 @@
| Title | DN_0026_5136_windows_directory_service_object_was_modified |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A directory service object was modified |
| Logging Policy | <ul><li>[LP_0025_windows_audit_directory_service_changes](../Logging_Policies/LP_0025_windows_audit_directory_service_changes.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>OpCorrelationID</li><li>AppCorrelationID</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>DSName</li><li>DSType</li><li>ObjectDN</li><li>ObjectGUID</li><li>ObjectClass</li><li>AttributeLDAPDisplayName</li><li>AttributeSyntaxOID</li><li>AttributeValue</li><li>OperationType</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>
```
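Review bot: `DSType` and `OperationType` in the sample are message-resource identifiers (`%%14676`, `%%14675`), not the rendered text shown in Event Viewer; the Fields row should state which form the analytics are written against, since collectors that ship the raw EventData keep the `%%` form and only the rendered message text substitutes the strings.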

@ -0,0 +1,69 @@
| Title | DN_0027_4738_user_account_was_changed |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | User object is changed |
| Logging Policy | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Computer</li><li>TargetUserName</li><li>Hostname</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>DisplayName</li><li>UserPrincipalName</li><li>HomeDirectory</li><li>HomePath</li><li>ScriptPath</li><li>ProfilePath</li><li>UserWorkstations</li><li>PasswordLastSet</li><li>AccountExpires</li><li>PrimaryGroupId</li><li>AllowedToDelegateTo</li><li>OldUacValue</li><li>NewUacValue</li><li>UserAccountControl</li><li>UserParameters</li><li>SidHistory</li><li>LogonHours</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,49 @@
| Title | DN_0028_4794_directory_services_restore_mode_admin_password_set |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Directory Services Restore Mode (DSRM) administrator password is changed |
| Logging Policy | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>Workstation</li><li>Status</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4794</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
<EventRecordID>172348</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,59 @@
| Title | DN_0029_4661_handle_to_an_object_was_requested |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A handle was requested for either an Active Directory object or a Security Account Manager (SAM) object |
| Logging Policy | <ul><li>[LP_0027_windows_audit_directory_service_access](../Logging_Policies/LP_0027_windows_audit_directory_service_access.md)</li><li>[LP_0028_windows_audit_sam](../Logging_Policies/LP_0028_windows_audit_sam.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>HandleId</li><li>TransactionId</li><li>AccessList</li><li>AccessMask</li><li>PrivilegeList</li><li>Properties</li><li>RestrictedSidCount</li><li>ProcessId</li><li>ProcessName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM\_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
</EventData>
</Event>
```
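Review bot: the References row links to event-4794.md, the document for the preceding DSRM entry, instead of event-4661.md; the URL should end in `/auditing/event-4661.md`. Separately, several values in the raw sample look corrupted rather than representative of a real 4661 event: PrivilegeList holds a single non-ASCII character, ProcessId is `0x9000a000d002d`, and ProcessName contains two schema GUIDs and a `%%5400` message token instead of an image path, so anyone writing a parser against this sample would get the wrong idea of the field shapes; a sample captured from a live event would be safer.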

View File

@ -0,0 +1,57 @@
| Title | DN_0030_4662_operation_was_performed_on_an_object |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | An operation was performed on an Active Directory object |
| Logging Policy | <ul><li>[LP_0027_windows_audit_directory_service_access](../Logging_Policies/LP_0027_windows_audit_directory_service_access.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>OperationType</li><li>HandleId</li><li>AccessList</li><li>AccessMask</li><li>Properties</li><li>AdditionalInfo</li><li>AdditionalInfo2</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
<EventRecordID>407230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1537</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>
```

View File

@ -0,0 +1,46 @@
| Title | DN_0031_7036_service_started_stopped |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Service entered the running/stopped state |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm](http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | System |
| Provider | Service Control Manager |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>param1</li><li>param2</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
- <System>
<Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/>
<EventID Qualifiers='16384'>7036</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime='2019-01-12T16:00:11.920020600Z'/>
<EventRecordID>41452</EventRecordID>
<Correlation/>
<Execution ProcessID='692' ThreadID='828'/>
<Channel>System</Channel>
<Computer>EC2AMAZ-D6OFVS8</Computer>
<Security/>
</System>
- <EventData>
<Data Name='param1'>Device Install Service</Data>
<Data Name='param2'>running</Data>
<Binary>44006500760069006300650049006E007300740061006C006C002F0034000000</Binary>
</EventData>
</Event>
```
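Review bot: the Fields row lists `param1` and `param2` without saying what they carry; in the sample `param1` is the service display name (`Device Install Service`) and `param2` the new state (`running`), so spell that mapping out in the table, since those generic names are all a detection author has to work with. The `<Binary>` element in the sample is not listed as a field, which is fine, but worth a word so nobody wonders whether it was forgotten.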

View File

@ -0,0 +1,56 @@
| Title | DN_0032_5145_network_share_object_was_accessed_detailed |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName |
| Logging Policy | <ul><li>[LP_0029_windows_audit_detailed_file_share](../Logging_Policies/LP_0029_windows_audit_detailed_file_share.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectType</li><li>IpAddress</li><li>IpPort</li><li>ShareName</li><li>ShareLocalPath</li><li>RelativeTargetName</li><li>AccessMask</li><li>AccessList</li><li>AccessReason</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>
```
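Review bot: backslashes in the raw sample are markdown-escaped inside a fenced block, where escaping is not interpreted, so ShareName renders as `\\\\\*\\Documents` and ShareLocalPath as `\\??\\C:\\Documents` rather than the single-backslash values the log actually contains. The same doubling appears in the 5140 sample, in ProcessName of the 4625 sample and in `SAM\_DOMAIN` in the 4661 sample, while the 4104 and 106 samples (`root\CimV2`, `\atctest`) are left unescaped, so the generator is inconsistent; have it emit raw-sample text verbatim.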

View File

@ -0,0 +1,54 @@
| Title | DN_0033_5140_network_share_object_was_accessed |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Network share object (file or folder) was accessed |
| Logging Policy | <ul><li>[LP_0030_windows_audit_file_share](../Logging_Policies/LP_0030_windows_audit_file_share.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectType</li><li>IpAddress</li><li>IpPort</li><li>ShareName</li><li>ShareLocalPath</li><li>AccessMask</li><li>AccessList</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5140</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
<EventRecordID>268495</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="772" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x541f35</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">10.0.0.100</Data>
<Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,49 @@
| Title | DN_0034_104_log_file_was_cleared |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows log file was cleared |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[http://kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp](http://kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | System |
| Provider | Microsoft-Windows-Eventlog |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>Channel</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>104</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-08T22:31:47.796843000Z" />
<EventRecordID>7659</EventRecordID>
<Correlation />
<Execution ProcessID="752" ThreadID="1988" />
<Channel>System</Channel>
<Computer>ATC-WIN-7.atc.local</Computer>
<Security UserID="S-1-5-21-3463664321-2923530833-3546627382-1000" />
</System>
- <UserData>
- <LogFileCleared xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserName>user1</SubjectUserName>
<SubjectDomainName>ATC-WIN-7.atc.local</SubjectDomainName>
<Channel>Application</Channel>
<BackupPath />
</LogFileCleared>
</UserData>
</Event>
```
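Review bot: the Fields row lists `Channel`, which is ambiguous for this event: in the sample `System/Channel` is `System` (where 104 is written) while `LogFileCleared/Channel` is `Application` (the log that was cleared), and the two differ. Document that the field means the cleared log, or give it a distinct name. Also note that SubjectUserName, SubjectDomainName and Channel live under `UserData/LogFileCleared` here rather than `EventData/Data`, unlike every other entry in this commit, so a parser keyed on EventData will miss them.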

View File

@ -0,0 +1,45 @@
| Title | DN_0035_106_task_scheduler_task_registered |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | General Windows Task Registration |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774938(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774938(v=ws.10))</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-TaskScheduler/Operational |
| Provider | Microsoft-Windows-TaskScheduler |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TaskName</li><li>UserContext</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-TaskScheduler" Guid="{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}" />
<EventID>106</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>106</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-08T22:54:14.628673400Z" />
<EventRecordID>5</EventRecordID>
<Correlation />
<Execution ProcessID="908" ThreadID="2440" />
<Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData Name="TaskRegisteredEvent">
<Data Name="TaskName">\atctest</Data>
<Data Name="UserContext">atc-win-10.atc.local\user1</Data>
</EventData>
</Event>
```
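Review bot: Logging Policy is `Not existing`, but the `Microsoft-Windows-TaskScheduler/Operational` channel is disabled by default on recent Windows versions and has to be enabled before 106 is written at all, so an LP entry covering that is needed, as the other entries carry one. The sample's `<EventData Name="TaskRegisteredEvent">` form also differs from the plain `<EventData>` used elsewhere; a short note in the table would help parser authors.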

View File

@ -0,0 +1,48 @@
| Title | DN_0036_4104_windows_powershell_script_block |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event records script |
| Logging Policy | <ul><li>[TODO](../Logging_Policies/TODO.md)</li></ul> |
| References | <ul><li>[https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4104.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4104.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-PowerShell/Operational |
| Provider | Microsoft-Windows-PowerShell |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>MessageNumber</li><li>MessageTotal</li><li>ScriptBlockText</li><li>ScriptBlockId</li><li>Path</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" />
<EventID>4104</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2019-02-05T15:05:16.554318000Z" />
<EventRecordID>75823</EventRecordID>
<Correlation ActivityID="{3655DBA0-BD54-0000-AE51-563654BDD401}" />
<Execution ProcessID="2588" ThreadID="4328" />
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-21-540864798-2899685673-3651185163-500" />
</System>
- <EventData>
<Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs $FilterToConsumerArgs = @{ Filter = [Ref] $Filter; Consumer = [Ref] $Consumer; } $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs</Data>
<Data Name="ScriptBlockId">414c1110-3b57-40bf-9502-e45053cce9dd</Data>
<Data Name="Path" />
</EventData>
</Event>
```
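Review bot: the Description cell, `This event records script`, is cut off mid-sentence; something like "records the script block text executed by the PowerShell engine" (ScriptBlockText being the key field) would do. The Logging Policy row is a placeholder link to `TODO.md`; 4104 depends on the "Turn on PowerShell Script Block Logging" policy, and the sample's `<Level>5</Level>` (Verbose) shows it was collected with that policy enabled, so that is the LP to reference.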

View File

@ -0,0 +1,46 @@
| Title | DN_0037_4103_windows_powershell_executing_pipeline |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | TODO |
| Logging Policy | <ul><li>[TODO](../Logging_Policies/TODO.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-PowerShell/Operational |
| Provider | Microsoft-Windows-PowerShell |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>ContextInfo</li><li>UserData</li><li>Payload</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" />
<EventID>4103</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>106</Task>
<Opcode>20</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2019-02-05T15:05:16.564146000Z" />
<EventRecordID>75824</EventRecordID>
<Correlation ActivityID="{3655DBA0-BD54-0000-AF51-563654BDD401}" />
<Execution ProcessID="2588" ThreadID="4328" />
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-21-540864798-2899685673-3651185163-500" />
</System>
- <EventData>
<Data Name="ContextInfo">Severity = Informational Host Name = ConsoleHost Host Version = 5.1.17134.407 Host ID = 3ff2018b-ab29-4049-a62d-851e5ca931ed Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Engine Version = 5.1.17134.407 Runspace ID = 52c750e1-1c34-4244-a6eb-feadfd70a959 Pipeline ID = 90 Command Name = New-CimInstance Command Type = Cmdlet Script Name = Command Path = Sequence Number = 329 User = atc-win-10\user1 Connected User = Shell ID = Microsoft.PowerShell</Data>
<Data Name="UserData" />
<Data Name="Payload">CommandInvocation(New-CimInstance): "New-CimInstance" ParameterBinding(New-CimInstance): name="Namespace"; value="root/subscription" ParameterBinding(New-CimInstance): name="ClassName"; value="__EventFilter" ParameterBinding(New-CimInstance): name="Property"; value="System.Collections.Hashtable"</Data>
</EventData>
</Event>
```
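Review bot: Description and Logging Policy are both TODO placeholders; 4103 is produced by PowerShell module logging ("Turn on Module Logging"), and the sample's Payload shows the per-cmdlet `CommandInvocation`/`ParameterBinding` records that logging emits, so both cells can be filled from what is already on the page. The ContextInfo value is a single multi-key string (Host Application, Command Name, User and so on); the Fields row lists it as one field, so say that it needs sub-parsing.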

View File

@ -0,0 +1,41 @@
| Title | DN_0038_400_windows_powershell_engine_lifecycle |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | TODO |
| Logging Policy | <ul><li>[TODO](../Logging_Policies/TODO.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-400.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-400.md)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Windows PowerShell |
| Provider | PowerShell |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">400</EventID>
<Level>4</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:13:04.885878700Z" />
<EventRecordID>50575</EventRecordID>
<Channel>Windows PowerShell</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data>Available</Data>
<Data>None</Data>
<Data>NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=Windows PowerShell ISE Host HostVersion=5.1.17134.407 HostId=9478b487-c2ea-4aa8-8eb3-9b7bad25b39f HostApplication=C:\windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe EngineVersion=5.1.17134.407 RunspaceId=9f89fa00-ca26-402e-9dea-29c6d2447f7b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
</EventData>
</Event>
```
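Review bot: the Fields row lists only EventID, Computer and Hostname, but the sample's third unnamed `<Data>` element carries NewEngineState, PreviousEngineState, HostName, HostApplication, EngineVersion and RunspaceId, which is the content this event is useful for. The Data elements have no `Name` attribute, so document the positions (state, previous state, key=value blob) or the key=value sub-parsing. Description is still TODO.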

View File

@ -0,0 +1,24 @@
| Title | DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The installed server callout .dll file has caused an exception |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | System |
| Provider | Microsoft-Windows-DHCP-Server |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
TODO
```
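Review bot: Type is `Applications and Services Logs` while Channel is `System`; the other System-channel entries in this commit (7036, 104) use Type `Windows Log`, so one of the two cells is wrong here, and the same pairing repeats in the 1032, 1033 and 1034 entries below.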

View File

@ -0,0 +1,24 @@
| Title | DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The installed server callout .dll file has caused an exception |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | System |
| Provider | Microsoft-Windows-DHCP-Server |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
TODO
```
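Review bot: the Description is identical to the 1031 entry (`The installed server callout .dll file has caused an exception`), so the two events cannot be told apart from this table; check the linked reference and give 1032 its own text.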

View File

@ -0,0 +1,24 @@
| Title | DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The DHCP service has successfully loaded one or more callout DLLs |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | System |
| Provider | Microsoft-Windows-DHCP-Server |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
TODO
```

View File

@ -0,0 +1,24 @@
| Title | DN_0049_1034_dhcp_service_failed_to_load_callout_dlls |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The DHCP service has failed to load one or more callout DLLs |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774858(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774858(v=ws.10))</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | System |
| Provider | Microsoft-Windows-DHCP-Server |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
TODO
```

View File

@ -0,0 +1,64 @@
| Title | DN_0004_4624_windows_account_logon |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | An account failed to log on |
| Logging Policy | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>Status</li><li>FailureReason</li><li>SubStatus</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
```
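Review bot: the ProcessName value in the raw sample, `C:\\Windows\\System32\\winlogon.exe`, carries doubled backslashes that a real Security-log XML export does not have, so the generator (yamls2csv or the md template) appears to be escaping backslashes when it renders raw log samples; unescape on output or store the sample with single backslashes so it can be fed to a parser test as-is. Also, `AccountName` in the Fields row does not appear anywhere in the sample; if it is a normalized alias of TargetUserName, say so, otherwise drop it.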


@ -0,0 +1,52 @@
| Title | DN_0063_4697_service_was_installed_in_the_system |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A service was installed in the system |
| Logging Policy | <ul><li>[LP_0100_windows_audit_security_system_extension](../Logging_Policies/LP_0100_windows_audit_security_system_extension.md)</li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ServiceName</li><li>ServiceFileName</li><li>ServiceType</li><li>ServiceStartType</li><li>ServiceAccount</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4697</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T01:36:11.991070500Z" />
<EventRecordID>2778</EventRecordID>
<Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" />
<Execution ProcessID="736" ThreadID="2800" />
<Channel>Security</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">atc-win-10$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ServiceName">AppHostSvc</Data>
<Data Name="ServiceFileName">%windir%\\system32\\svchost.exe -k apphost</Data>
<Data Name="ServiceType">0x20</Data>
<Data Name="ServiceStartType">2</Data>
<Data Name="ServiceAccount">localSystem</Data>
</EventData>
</Event>
```
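Review bot: the sample looks stitched together from two hosts: SubjectUserName is `atc-win-10$` and Computer is `atc-win-10.atc.local`, but SubjectDomainName is `CONTOSO`; a sample from a single machine (or a note that values were edited) avoids misleading anyone validating a parser against it. ServiceFileName also shows the doubled-backslash escaping (`%windir%\\system32\\svchost.exe -k apphost`) that a raw XML export would not contain.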


@ -0,0 +1,52 @@
| Title | DN_0080_5859_wmi_activity |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | WMI Event which provide ability to catch Timer-based WMI Events and provide usefult information for identification of suspicious WMI activity |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity](https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-WMI-Activity/Operational |
| Provider | Microsoft-Windows-WMI-Activity |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>NamespaceName</li><li>Query</li><li>ProcessID</li><li>Provider</li><li>queryid</li><li>PossibleCause</li><li>CorrelationActivityID</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
<EventID>5859</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-08T09:37:37.108925700Z" />
<EventRecordID>57003</EventRecordID>
<Correlation ActivityID="{10490123-32E3-0000-B1F0-46D991BFD401}" />
<Execution ProcessID="436" ThreadID="3076" />
<Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <UserData>
- <Operation_EssStarted xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
<NamespaceName>//./root/cimv2</NamespaceName>
<Query>select * from MSFT_SCMEventLogEvent</Query>
<User>S-1-5-32-544</User>
<Processid>436</Processid>
<Provider>SCM Event Provider</Provider>
<queryid>0</queryid>
<PossibleCause>Permanent</PossibleCause>
</Operation_EssStarted>
</UserData>
</Event>
```
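Review bot: the Fields row does not match the sample's element names: the table lists `ProcessID` while the UserData element is `<Processid>`, and the sample's `<User>` element (the SID that registered the subscription, the most useful attribution field in this event) is missing from Fields altogether. The Description also reads as a copy of the 5861 entry ("usefult", "which provide") and should describe 5859 specifically: the sample shows an `Operation_EssStarted` record for a permanent event subscription.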


@ -0,0 +1,49 @@
| Title | DN_0081_5861_wmi_activity |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | WMI Event which provide ability to catch Timer-based WMI Events and provide usefult information for identification of suspicious WMI activity |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity](https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-WMI-Activity/Operational |
| Provider | Microsoft-Windows-WMI-Activity |
| Fields | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>Namespace</li><li>ESS</li><li>Consumer</li><li>PossibleCause</li><li>CreatorSID</li><li>EventNamespace</li><li>Query</li><li>QueryLanguage</li><li>EventFilter</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
<EventID>5861</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-06T20:23:40.952921100Z" />
<EventRecordID>56793</EventRecordID>
<Correlation />
<Execution ProcessID="1416" ThreadID="2244" />
<Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <UserData>
- <Operation_ESStoConsumerBinding xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
<Namespace>//./ROOT/Subscription</Namespace>
<ESS>SCM Event Log Filter</ESS>
<CONSUMER>NTEventLogEventConsumer="SCM Event Log Consumer"</CONSUMER>
<PossibleCause>Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventNamespace = "root\\cimv2"; Name = "SCM Event Log Filter"; Query = "select * from MSFT_SCMEventLogEvent"; QueryLanguage = "WQL"; }; Perm. Consumer: instance of NTEventLogEventConsumer { Category = 0; CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventType = 1; Name = "SCM Event Log Consumer"; NameOfUserSIDProperty = "sid"; SourceName = "Service Control Manager"; };</PossibleCause>
</Operation_ESStoConsumerBinding>
</UserData>
</Event>
```
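Review bot: Fields lists CreatorSID, EventNamespace, Query, QueryLanguage and EventFilter as if they were separate fields, but in the sample they exist only inside the free-text `<PossibleCause>` string, and `Consumer` is spelled `<CONSUMER>` in the XML; document that those values must be parsed out of PossibleCause (or drop them from Fields) so a downstream parser is not written against fields that do not exist. The Description is identical to DN_0080 ("Timer-based WMI Events", same typos) although this event records a filter-to-consumer binding (`Operation_ESStoConsumerBinding`).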


@ -0,0 +1,48 @@
| Title | DN_0082_8002_ntlm_server_blocked_audit |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked. Blocked NTLM auth is the same provider but Event ID 4002 |
| Logging Policy | <ul><li>[LP_0044_windows_ntlm_audit](../Logging_Policies/LP_0044_windows_ntlm_audit.md)</li></ul> |
| References | <ul><li>[https://twitter.com/JohnLaTwC/status/1004895902010507266](https://twitter.com/JohnLaTwC/status/1004895902010507266)</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | Microsoft-Windows-NTLM/Operational |
| Provider | Microsoft-Windows-NTLM |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>CallerPID</li><li>ProcessName</li><li>ClientLUID</li><li>ClientUserName</li><li>ClientDomainName</li><li>MechanismOID</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-NTLM" Guid="{AC43300D-5FCC-4800-8E99-1BD3F85F0320}" />
<EventID>8002</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-03-02T23:00:00.746139000Z" />
<EventRecordID>12</EventRecordID>
<Correlation />
<Execution ProcessID="468" ThreadID="2660" />
<Channel>Microsoft-Windows-NTLM/Operational</Channel>
<Computer>dc.yugoslavskiy.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="CallerPID">4</Data>
<Data Name="ProcessName" />
<Data Name="ClientLUID">0x3e7</Data>
<Data Name="ClientUserName">DC$</Data>
<Data Name="ClientDomainName">atc</Data>
<Data Name="MechanismOID">1.3.6.1.4.1.311.2.2.10</Data>
</EventData>
</Event>
```
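Review bot: the second sentence of the Description needs a rewrite for grammar and precision ("Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked" reads better as "This event is logged for incoming NTLM authentication; it does not mean the authentication was, or would be, blocked"). Note too that ProcessName is empty in the sample (`<Data Name="ProcessName" />`), so rules built on this DN should not require it.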


@ -0,0 +1,47 @@
| Title | DN_0083_16_access_history_in_hive_was_cleared |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The access history in hive was cleared updating X keys and creating Y modified pages |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[http://www.eventid.net/display-eventid-16-source-Microsoft-Windows-Kernel-General-eventno-11563-phase-1.htm](http://www.eventid.net/display-eventid-16-source-Microsoft-Windows-Kernel-General-eventno-11563-phase-1.htm)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | System |
| Provider | Microsoft-Windows-Kernel-General |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>HiveNameLength</li><li>HiveName</li><li>KeysUpdated</li><li>DirtyPages</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" />
<EventID>16</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-01-12T03:18:59.347973200Z" />
<EventRecordID>1705</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="540" />
<Channel>System</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="HiveNameLength">31</Data>
<Data Name="HiveName">\SystemRoot\System32\Config\SAM</Data>
<Data Name="KeysUpdated">65</Data>
<Data Name="DirtyPages">7</Data>
</EventData>
</Event>
```
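Review bot: HiveName is rendered with single backslashes here (`\SystemRoot\System32\Config\SAM`) while the Security-log samples in this commit have them doubled, so raw-sample escaping is inconsistent across DN files; settle on one convention in the generator. The Description's "X keys" and "Y modified pages" placeholders could name the actual fields (`KeysUpdated`, `DirtyPages`) listed in the Fields row.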


@ -0,0 +1,58 @@
| Title | DN_0084_av_alert |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Anti-virus alert |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[None](None)</li></ul> |
| Platform | antivirus |
| Type | None |
| Channel | None |
| Provider | None |
| Fields | <ul><li>Hostname</li><li>Signature</li><li>AlertTitle</li><li>Category</li><li>Severity</li><li>Sha1</li><li>FileName</li><li>FilePath</li><li>IpAddress</li><li>UserName</li><li>UserDomain</li><li>FileHash</li><li>Hashes</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li></ul> |
## Log Samples
### Raw Log
```
{
"AlertTime":"2017-01-23T07:32:54.1861171Z",
"ComputerDnsName":"desktop-bvccckk",
"AlertTitle":"Suspicious PowerShell commandline",
"Category":"SuspiciousActivity",
"Severity":"Medium",
"AlertId":"636207535742330111_-1114309685",
"Actor":null,
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
"IocName":null,
"IocValue":null,
"CreatorIocName":null,
"CreatorIocValue":null,
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
"FileName":"powershell.exe",
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
"IpAddress":null,
"Url":null,
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
"UserName":null,
"AlertPart":0,
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
"ThreatCategory":null,
"ThreatFamily":null,
"ThreatName":null,
"RemediationAction":null,
"RemediationIsSuccess":null,
"Source":"Windows Defender ATP",
"Md5":null,
"Sha256":null,
"WasExecutingWhileDetected":null,
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"
}
```
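Review bot: References renders as `[None](None)`, a dead link; use the same "Not existing" wording as Logging Policy, and the `None` cells for Type/Channel/Provider should say the same. More importantly, the Fields row and the sample disagree: the sample carries `Sha1`, `Md5`, `Sha256` and `FileHash`, while Fields lists `Sha1hash`, `Md5hash`, `Sha256hash`, `Hashes` and `Imphash`, and the sample has no `Signature` or `User` key at all even though every Antivirus rule in this commit selects on Signature and tables User. A field-mapping note (for example AlertTitle to Signature, UserName to User) is needed before this DN can back those rules.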


@ -0,0 +1,24 @@
| Title | DN_0036_150_dns_server_could_not_load_dll |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows DNS server could not load or initialize the plug-in DLL |
| Logging Policy | <ul><li> Not existing </li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735829(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735829(v=ws.10))</li></ul> |
| Platform | Windows |
| Type | Applications and Services Logs |
| Channel | DNS Server |
| Provider | Microsoft-Windows-DNS-Server-Service |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Computer</li></ul> |
## Log Samples
### Raw Log
```
todo
```
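Review bot: the raw log is the placeholder `todo` and Fields lists only EventID, Hostname and Computer, so nothing here identifies which plug-in DLL failed to load; either mark the entry as a draft in Description or keep it out of the generated set until a sample is available, since Data Needed files are what the analytics link against.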


@ -0,0 +1,100 @@
| Title | Antivirus Exploitation Framework Detection |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a highly relevant Antivirus alert that reports an exploitation framework |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1203: Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)</li><li>[T1219: Remote Access Tools](https://attack.mitre.org/techniques/T1219)</li></ul> |
| Data Needed | <ul><li>[DN_0084_av_alert](../Data_Needed/DN_0084_av_alert.md)</li></ul> |
| Trigger | <ul><li>[T1203: Exploitation for Client Execution](../Triggers/T1203.md)</li><li>[T1219: Remote Access Tools](../Triggers/T1219.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | |
| References | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Antivirus Exploitation Framework Detection
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
date: 2018/09/09
modified: 2019/01/16
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
- attack.execution
- attack.t1203
- attack.command_and_control
- attack.t1219
logsource:
product: antivirus
detection:
selection:
Signature:
- "*MeteTool*"
- "*MPreter*"
- "*Meterpreter*"
- "*Metasploit*"
- "*PowerSploit*"
- "*CobaltSrike*"
- "*Swrort*"
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical
```
### es-qs
```
Signature.keyword:(*MeteTool* *MPreter* *Meterpreter* *Metasploit* *PowerSploit* *CobaltSrike* *Swrort*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Antivirus-Exploitation-Framework-Detection <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "Signature.keyword:(*MeteTool* *MPreter* *Meterpreter* *Metasploit* *PowerSploit* *CobaltSrike* *Swrort*)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Antivirus Exploitation Framework Detection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Signature:("*MeteTool*" "*MPreter*" "*Meterpreter*" "*Metasploit*" "*PowerSploit*" "*CobaltSrike*" "*Swrort*")
```
### splunk
```
(Signature="*MeteTool*" OR Signature="*MPreter*" OR Signature="*Meterpreter*" OR Signature="*Metasploit*" OR Signature="*PowerSploit*" OR Signature="*CobaltSrike*" OR Signature="*Swrort*") | table FileName,User
```
### logpoint
```
Signature IN ["*MeteTool*", "*MPreter*", "*Meterpreter*", "*Metasploit*", "*PowerSploit*", "*CobaltSrike*", "*Swrort*"]
```
### grep
```
grep -P '^(?:.*.*MeteTool.*|.*.*MPreter.*|.*.*Meterpreter.*|.*.*Metasploit.*|.*.*PowerSploit.*|.*.*CobaltSrike.*|.*.*Swrort.*)'
```
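Review bot: `"*CobaltSrike*"` in the Signature list looks like a typo for CobaltStrike and is carried verbatim into every backend query; since the rule is imported from upstream Sigma, fix it there or add a corrected entry alongside. The xpack-watcher block is also emitted as one line with literal `\n` and `\'` escapes instead of real newlines and quotes, so it cannot be pasted into a shell as shown; the generator should write the actual characters. Finally, `fields: - User` has no counterpart in DN_0084, which lists UserName and UserDomain.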


@ -0,0 +1,96 @@
| Title | Antivirus Password Dumper Detection |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a highly relevant Antivirus alert that reports a password dumper |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0084_av_alert](../Data_Needed/DN_0084_av_alert.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | |
| References | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Antivirus Password Dumper Detection
description: Detects a highly relevant Antivirus alert that reports a password dumper
date: 2018/09/09
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
- attack.credential_access
- attack.t1003
logsource:
product: antivirus
detection:
selection:
Signature:
- "*DumpCreds*"
- "*Mimikatz*"
- "*PWCrack*"
- "HTool/WCE"
- "*PSWtool*"
- "*PWDump*"
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical
```
### es-qs
```
Signature.keyword:(*DumpCreds* *Mimikatz* *PWCrack* HTool\\/WCE *PSWtool* *PWDump*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Antivirus-Password-Dumper-Detection <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "Signature.keyword:(*DumpCreds* *Mimikatz* *PWCrack* HTool\\\\/WCE *PSWtool* *PWDump*)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Antivirus Password Dumper Detection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Signature:("*DumpCreds*" "*Mimikatz*" "*PWCrack*" "HTool\\/WCE" "*PSWtool*" "*PWDump*")
```
### splunk
```
(Signature="*DumpCreds*" OR Signature="*Mimikatz*" OR Signature="*PWCrack*" OR Signature="HTool/WCE" OR Signature="*PSWtool*" OR Signature="*PWDump*") | table FileName,User
```
### logpoint
```
Signature IN ["*DumpCreds*", "*Mimikatz*", "*PWCrack*", "HTool/WCE", "*PSWtool*", "*PWDump*"]
```
### grep
```
grep -P '^(?:.*.*DumpCreds.*|.*.*Mimikatz.*|.*.*PWCrack.*|.*HTool/WCE|.*.*PSWtool.*|.*.*PWDump.*)'
```
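Review bot: `HTool/WCE` is the only entry without wildcards, so it fires only when the AV Signature equals that exact string; products that append a variant suffix will be missed, and a `*HTool/WCE*` pattern would be consistent with the rest of the list (compare the es-qs output, where it becomes the anchored term `HTool\\/WCE` beside the unanchored `*PWDump*`). The xpack-watcher line here has the same literal `\n` escapes as the other Antivirus rules in this commit.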


@ -0,0 +1,105 @@
| Title | Antivirus Relevant File Paths Alerts |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects an Antivirus alert in a highly relevant file path or with a relevant file name |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0084_av_alert](../Data_Needed/DN_0084_av_alert.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | high |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | |
| References | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Antivirus Relevant File Paths Alerts
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
date: 2018/09/09
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
logsource:
product: antivirus
detection:
selection:
FileName:
- 'C:\Windows\Temp\\*'
- 'C:\Temp\\*'
- '*\\Client\\*'
- 'C:\PerfLogs\\*'
- 'C:\Users\Public\\*'
- 'C:\Users\Default\\*'
- '*.ps1'
- '*.vbs'
- '*.bat'
- '*.chm'
- '*.xml'
- '*.txt'
- '*.jsp'
- '*.jspx'
- '*.asp'
- '*.aspx'
- '*.php'
- '*.war'
condition: selection
fields:
- Signature
- User
falsepositives:
- Unlikely
level: high
```
### es-qs
```
FileName.keyword:(C\\:\\\\Windows\\\\Temp\\\\* C\\:\\\\Temp\\\\* *\\\\Client\\\\* C\\:\\\\PerfLogs\\\\* C\\:\\\\Users\\\\Public\\\\* C\\:\\\\Users\\\\Default\\\\* *.ps1 *.vbs *.bat *.chm *.xml *.txt *.jsp *.jspx *.asp *.aspx *.php *.war)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Antivirus-Relevant-File-Paths-Alerts <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "FileName.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* C\\\\:\\\\\\\\Temp\\\\\\\\* *\\\\\\\\Client\\\\\\\\* C\\\\:\\\\\\\\PerfLogs\\\\\\\\* C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* *.ps1 *.vbs *.bat *.chm *.xml *.txt *.jsp *.jspx *.asp *.aspx *.php *.war)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Antivirus Relevant File Paths Alerts\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nSignature = {{_source.Signature}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
FileName:("C\\:\\\\Windows\\\\Temp\\\\*" "C\\:\\\\Temp\\\\*" "*\\\\Client\\\\*" "C\\:\\\\PerfLogs\\\\*" "C\\:\\\\Users\\\\Public\\\\*" "C\\:\\\\Users\\\\Default\\\\*" "*.ps1" "*.vbs" "*.bat" "*.chm" "*.xml" "*.txt" "*.jsp" "*.jspx" "*.asp" "*.aspx" "*.php" "*.war")
```
### splunk
```
(FileName="C:\\\\Windows\\\\Temp\\\\*" OR FileName="C:\\\\Temp\\\\*" OR FileName="*\\\\Client\\\\*" OR FileName="C:\\\\PerfLogs\\\\*" OR FileName="C:\\\\Users\\\\Public\\\\*" OR FileName="C:\\\\Users\\\\Default\\\\*" OR FileName="*.ps1" OR FileName="*.vbs" OR FileName="*.bat" OR FileName="*.chm" OR FileName="*.xml" OR FileName="*.txt" OR FileName="*.jsp" OR FileName="*.jspx" OR FileName="*.asp" OR FileName="*.aspx" OR FileName="*.php" OR FileName="*.war") | table Signature,User
```
### logpoint
```
FileName IN ["C:\\\\Windows\\\\Temp\\\\*", "C:\\\\Temp\\\\*", "*\\\\Client\\\\*", "C:\\\\PerfLogs\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*", "*.ps1", "*.vbs", "*.bat", "*.chm", "*.xml", "*.txt", "*.jsp", "*.jspx", "*.asp", "*.aspx", "*.php", "*.war"]
```
### grep
```
grep -P '^(?:.*C:\\Windows\\Temp\\\\.*|.*C:\\Temp\\\\.*|.*.*\\\\Client\\\\.*|.*C:\\PerfLogs\\\\.*|.*C:\\Users\\Public\\\\.*|.*C:\\Users\\Default\\\\.*|.*.*\\.ps1|.*.*\\.vbs|.*.*\\.bat|.*.*\\.chm|.*.*\\.xml|.*.*\\.txt|.*.*\\.jsp|.*.*\\.jspx|.*.*\\.asp|.*.*\\.aspx|.*.*\\.php|.*.*\\.war)'
```
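Review bot: the selection is on `FileName`, but the DN_0084 sample this rule depends on splits the value into `FileName` (`powershell.exe`) and `FilePath` (`C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0`), so the directory patterns (`C:\Windows\Temp\\*`, `C:\Users\Public\\*` and the rest) would never match a bare file name; map the rule to a combined path field or apply the same patterns to FilePath as well. The empty `<ul></ul>` cells for ATT&CK Tactic/Technique render as nothing; the Trigger row's "There is no Trigger for this technique yet." wording would be clearer.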


@ -0,0 +1,97 @@
| Title | Antivirus Web Shell Detection |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a highly relevant Antivirus alert that reports a web shell |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
| Data Needed | <ul><li>[DN_0084_av_alert](../Data_Needed/DN_0084_av_alert.md)</li></ul> |
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | |
| References | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Antivirus Web Shell Detection
description: Detects a highly relevant Antivirus alert that reports a web shell
date: 2018/09/09
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
- attack.persistence
- attack.t1100
logsource:
product: antivirus
detection:
selection:
Signature:
- PHP/Backdoor
- JSP/Backdoor
- ASP/Backdoor
- Backdoor.PHP
- Backdoor.JSP
- Backdoor.ASP
- "*Webshell*"
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical
```
### es-qs
```
Signature.keyword:(PHP\\/Backdoor JSP\\/Backdoor ASP\\/Backdoor Backdoor.PHP Backdoor.JSP Backdoor.ASP *Webshell*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Antivirus-Web-Shell-Detection <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "Signature.keyword:(PHP\\\\/Backdoor JSP\\\\/Backdoor ASP\\\\/Backdoor Backdoor.PHP Backdoor.JSP Backdoor.ASP *Webshell*)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Antivirus Web Shell Detection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Signature:("PHP\\/Backdoor" "JSP\\/Backdoor" "ASP\\/Backdoor" "Backdoor.PHP" "Backdoor.JSP" "Backdoor.ASP" "*Webshell*")
```
### splunk
```
(Signature="PHP/Backdoor" OR Signature="JSP/Backdoor" OR Signature="ASP/Backdoor" OR Signature="Backdoor.PHP" OR Signature="Backdoor.JSP" OR Signature="Backdoor.ASP" OR Signature="*Webshell*") | table FileName,User
```
### logpoint
```
Signature IN ["PHP/Backdoor", "JSP/Backdoor", "ASP/Backdoor", "Backdoor.PHP", "Backdoor.JSP", "Backdoor.ASP", "*Webshell*"]
```
### grep
```
grep -P '^(?:.*PHP/Backdoor|.*JSP/Backdoor|.*ASP/Backdoor|.*Backdoor\\.PHP|.*Backdoor\\.JSP|.*Backdoor\\.ASP|.*.*Webshell.*)'
```
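Review bot: six of the seven Signature entries are exact strings (`PHP/Backdoor`, `Backdoor.PHP` and so on), so only `*Webshell*` tolerates the family or variant suffix that AV products commonly append; either add wildcards as the Exploitation Framework rule does or document which products emit these exact names. Development Status is blank here and in the other Antivirus rules because the Sigma source has no `status:` line; the generator could print a placeholder such as "not set" rather than an empty cell.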


@ -0,0 +1,93 @@
| Title | PowerShell Downgrade Attack |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0038_400_windows_powershell_engine_lifecycle](../Data_Needed/DN_0038_400_windows_powershell_engine_lifecycle.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Penetration Test</li><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)</li></ul> |
| Author | Florian Roth (rule), Lee Holmes (idea) |
## Detection Rules
### Sigma rule
```
title: PowerShell Downgrade Attack
status: experimental
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
author: Florian Roth (rule), Lee Holmes (idea)
logsource:
product: windows
service: powershell-classic
detection:
selection:
EventID: 400
EngineVersion: '2.*'
filter:
HostVersion: '2.*'
condition: selection and not filter
falsepositives:
- Penetration Test
- Unknown
level: medium
```
### es-qs
```
((EventID:"400" AND EngineVersion.keyword:2.*) AND NOT (HostVersion.keyword:2.*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/PowerShell-Downgrade-Attack <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"400\\" AND EngineVersion.keyword:2.*) AND NOT (HostVersion.keyword:2.*))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'PowerShell Downgrade Attack\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"400" AND EngineVersion:"2.*") AND NOT (HostVersion:"2.*"))
```
### splunk
```
((EventID="400" EngineVersion="2.*") NOT (HostVersion="2.*"))
```
### logpoint
```
((EventID="400" EngineVersion="2.*") -(HostVersion="2.*"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*400)(?=.*2\\..*)))(?=.*(?!.*(?:.*(?=.*2\\..*)))))'
```
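Review bot: the xpack-watcher block in this file is rendered as one line with literal `\n` and `\'` escape sequences (`curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- ... <<EOF\n{\n ...`), so the heredoc is unreadable and would not run if pasted; the md generator should write the sigmac output with real newlines and plain single quotes. The same escaping step doubles every backslash in the grep block: inside the single-quoted pattern, `2\\..*` reaches PCRE as a literal backslash followed by any character, where `2\..*` is intended, so the grep variant as written requires a backslash after the `2` and will not match an `EngineVersion` of `2.x`.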

@ -0,0 +1,95 @@
| Title | PowerShell called from an Executable Version Mismatch |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects PowerShell called from an executable by the version mismatch method |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0038_400_windows_powershell_engine_lifecycle](../Data_Needed/DN_0038_400_windows_powershell_engine_lifecycle.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration Tests</li><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://adsecurity.org/?p=2921](https://adsecurity.org/?p=2921)</li></ul> |
| Author | Sean Metcalf (source), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: PowerShell called from an Executable Version Mismatch
status: experimental
description: Detects PowerShell called from an executable by the version mismatch method
references:
- https://adsecurity.org/?p=2921
tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell-classic
detection:
selection1:
EventID: 400
EngineVersion:
- '2.*'
- '4.*'
- '5.*'
HostVersion: '3.*'
condition: selection1
falsepositives:
- Penetration Tests
- Unknown
level: high
```
### es-qs
```
(EventID:"400" AND EngineVersion.keyword:(2.* 4.* 5.*) AND HostVersion.keyword:3.*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/PowerShell-called-from-an-Executable-Version-Mismatch <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"400\\" AND EngineVersion.keyword:(2.* 4.* 5.*) AND HostVersion.keyword:3.*)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'PowerShell called from an Executable Version Mismatch\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"400" AND EngineVersion:("2.*" "4.*" "5.*") AND HostVersion:"3.*")
```
### splunk
```
(EventID="400" (EngineVersion="2.*" OR EngineVersion="4.*" OR EngineVersion="5.*") HostVersion="3.*")
```
### logpoint
```
(EventID="400" EngineVersion IN ["2.*", "4.*", "5.*"] HostVersion="3.*")
```
### grep
```
grep -P '^(?:.*(?=.*400)(?=.*(?:.*2\\..*|.*4\\..*|.*5\\..*))(?=.*3\\..*))'
```
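Review bot: `selection1` pins `HostVersion: '3.*'` while accepting engine versions `2.*`, `4.*` and `5.*`, and neither the description nor the table explains why only a 3.x host counts as a mismatch; a short `definition:` line (or a note in the Description cell) saying which hosting executable pattern the rule targets would let analysts tune it instead of reading it as "any version mismatch fires". Separately, the xpack-watcher line is rendered with literal `\n` and `\'` escapes rather than real newlines, the same generator issue as in the other regenerated files.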

@ -0,0 +1,183 @@
| Title | Malicious PowerShell Commandlets |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration testing</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://adsecurity.org/?p=2921](https://adsecurity.org/?p=2921)</li></ul> |
| Author | Sean Metcalf (source), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: Malicious PowerShell Commandlets
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Invoke-DllInjection
- Invoke-Shellcode
- Invoke-WmiCommand
- Get-GPPPassword
- Get-Keystrokes
- Get-TimedScreenshot
- Get-VaultCredential
- Invoke-CredentialInjection
- Invoke-Mimikatz
- Invoke-NinjaCopy
- Invoke-TokenManipulation
- Out-Minidump
- VolumeShadowCopyTools
- Invoke-ReflectivePEInjection
- Invoke-UserHunter
- Find-GPOLocation
- Invoke-ACLScanner
- Invoke-DowngradeAccount
- Get-ServiceUnquoted
- Get-ServiceFilePermission
- Get-ServicePermission
- Invoke-ServiceAbuse
- Install-ServiceBinary
- Get-RegAutoLogon
- Get-VulnAutoRun
- Get-VulnSchTask
- Get-UnattendedInstallFile
- Get-ApplicationHost
- Get-RegAlwaysInstallElevated
- Get-Unconstrained
- Add-RegBackdoor
- Add-ScrnSaveBackdoor
- Gupt-Backdoor
- Invoke-ADSBackdoor
- Enabled-DuplicateToken
- Invoke-PsUaCme
- Remove-Update
- Check-VM
- Get-LSASecret
- Get-PassHashes
- Show-TargetScreen
- Port-Scan
- Invoke-PoshRatHttp
- Invoke-PowerShellTCP
- Invoke-PowerShellWMI
- Add-Exfiltration
- Add-Persistence
- Do-Exfiltration
- Start-CaptureServer
- Get-ChromeDump
- Get-ClipboardContents
- Get-FoxDump
- Get-IndexedItem
- Get-Screenshot
- Invoke-Inveigh
- Invoke-NetRipper
- Invoke-EgressCheck
- Invoke-PostExfil
- Invoke-PSInject
- Invoke-RunAs
- MailRaider
- New-HoneyHash
- Set-MacAttribute
- Invoke-DCSync
- Invoke-PowerDump
- Exploit-Jboss
- Invoke-ThunderStruck
- Invoke-VoiceTroll
- Set-Wallpaper
- Invoke-InveighRelay
- Invoke-PsExec
- Invoke-SSHCommand
- Get-SecurityPackages
- Install-SSP
- Invoke-BackdoorLNK
- PowerBreach
- Get-SiteListPassword
- Get-System
- Invoke-BypassUAC
- Invoke-Tater
- Invoke-WScriptBypassUAC
- PowerUp
- PowerView
- Get-RickAstley
- Find-Fruit
- HTTP-Login
- Find-TrustedDocuments
- Invoke-Paranoia
- Invoke-WinEnum
- Invoke-ARPScan
- Invoke-PortScan
- Invoke-ReverseDNSLookup
- Invoke-SMBScanner
- Invoke-Mimikittenz
condition: keywords
falsepositives:
- Penetration testing
level: high
```
### es-qs
```
(Invoke\\-DllInjection OR Invoke\\-Shellcode OR Invoke\\-WmiCommand OR Get\\-GPPPassword OR Get\\-Keystrokes OR Get\\-TimedScreenshot OR Get\\-VaultCredential OR Invoke\\-CredentialInjection OR Invoke\\-Mimikatz OR Invoke\\-NinjaCopy OR Invoke\\-TokenManipulation OR Out\\-Minidump OR VolumeShadowCopyTools OR Invoke\\-ReflectivePEInjection OR Invoke\\-UserHunter OR Find\\-GPOLocation OR Invoke\\-ACLScanner OR Invoke\\-DowngradeAccount OR Get\\-ServiceUnquoted OR Get\\-ServiceFilePermission OR Get\\-ServicePermission OR Invoke\\-ServiceAbuse OR Install\\-ServiceBinary OR Get\\-RegAutoLogon OR Get\\-VulnAutoRun OR Get\\-VulnSchTask OR Get\\-UnattendedInstallFile OR Get\\-ApplicationHost OR Get\\-RegAlwaysInstallElevated OR Get\\-Unconstrained OR Add\\-RegBackdoor OR Add\\-ScrnSaveBackdoor OR Gupt\\-Backdoor OR Invoke\\-ADSBackdoor OR Enabled\\-DuplicateToken OR Invoke\\-PsUaCme OR Remove\\-Update OR Check\\-VM OR Get\\-LSASecret OR Get\\-PassHashes OR Show\\-TargetScreen OR Port\\-Scan OR Invoke\\-PoshRatHttp OR Invoke\\-PowerShellTCP OR Invoke\\-PowerShellWMI OR Add\\-Exfiltration OR Add\\-Persistence OR Do\\-Exfiltration OR Start\\-CaptureServer OR Get\\-ChromeDump OR Get\\-ClipboardContents OR Get\\-FoxDump OR Get\\-IndexedItem OR Get\\-Screenshot OR Invoke\\-Inveigh OR Invoke\\-NetRipper OR Invoke\\-EgressCheck OR Invoke\\-PostExfil OR Invoke\\-PSInject OR Invoke\\-RunAs OR MailRaider OR New\\-HoneyHash OR Set\\-MacAttribute OR Invoke\\-DCSync OR Invoke\\-PowerDump OR Exploit\\-Jboss OR Invoke\\-ThunderStruck OR Invoke\\-VoiceTroll OR Set\\-Wallpaper OR Invoke\\-InveighRelay OR Invoke\\-PsExec OR Invoke\\-SSHCommand OR Get\\-SecurityPackages OR Install\\-SSP OR Invoke\\-BackdoorLNK OR PowerBreach OR Get\\-SiteListPassword OR Get\\-System OR Invoke\\-BypassUAC OR Invoke\\-Tater OR Invoke\\-WScriptBypassUAC OR PowerUp OR PowerView OR Get\\-RickAstley OR Find\\-Fruit OR HTTP\\-Login OR Find\\-TrustedDocuments OR Invoke\\-Paranoia OR Invoke\\-WinEnum OR 
Invoke\\-ARPScan OR Invoke\\-PortScan OR Invoke\\-ReverseDNSLookup OR Invoke\\-SMBScanner OR Invoke\\-Mimikittenz)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Malicious-PowerShell-Commandlets <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(Invoke\\\\-DllInjection OR Invoke\\\\-Shellcode OR Invoke\\\\-WmiCommand OR Get\\\\-GPPPassword OR Get\\\\-Keystrokes OR Get\\\\-TimedScreenshot OR Get\\\\-VaultCredential OR Invoke\\\\-CredentialInjection OR Invoke\\\\-Mimikatz OR Invoke\\\\-NinjaCopy OR Invoke\\\\-TokenManipulation OR Out\\\\-Minidump OR VolumeShadowCopyTools OR Invoke\\\\-ReflectivePEInjection OR Invoke\\\\-UserHunter OR Find\\\\-GPOLocation OR Invoke\\\\-ACLScanner OR Invoke\\\\-DowngradeAccount OR Get\\\\-ServiceUnquoted OR Get\\\\-ServiceFilePermission OR Get\\\\-ServicePermission OR Invoke\\\\-ServiceAbuse OR Install\\\\-ServiceBinary OR Get\\\\-RegAutoLogon OR Get\\\\-VulnAutoRun OR Get\\\\-VulnSchTask OR Get\\\\-UnattendedInstallFile OR Get\\\\-ApplicationHost OR Get\\\\-RegAlwaysInstallElevated OR Get\\\\-Unconstrained OR Add\\\\-RegBackdoor OR Add\\\\-ScrnSaveBackdoor OR Gupt\\\\-Backdoor OR Invoke\\\\-ADSBackdoor OR Enabled\\\\-DuplicateToken OR Invoke\\\\-PsUaCme OR Remove\\\\-Update OR Check\\\\-VM OR Get\\\\-LSASecret OR Get\\\\-PassHashes OR Show\\\\-TargetScreen OR Port\\\\-Scan OR Invoke\\\\-PoshRatHttp OR Invoke\\\\-PowerShellTCP OR Invoke\\\\-PowerShellWMI OR Add\\\\-Exfiltration OR Add\\\\-Persistence OR Do\\\\-Exfiltration OR Start\\\\-CaptureServer OR Get\\\\-ChromeDump OR Get\\\\-ClipboardContents OR Get\\\\-FoxDump OR Get\\\\-IndexedItem OR Get\\\\-Screenshot OR Invoke\\\\-Inveigh OR Invoke\\\\-NetRipper OR Invoke\\\\-EgressCheck OR Invoke\\\\-PostExfil OR Invoke\\\\-PSInject OR Invoke\\\\-RunAs OR MailRaider OR New\\\\-HoneyHash OR Set\\\\-MacAttribute OR Invoke\\\\-DCSync OR Invoke\\\\-PowerDump OR Exploit\\\\-Jboss OR Invoke\\\\-ThunderStruck OR 
Invoke\\\\-VoiceTroll OR Set\\\\-Wallpaper OR Invoke\\\\-InveighRelay OR Invoke\\\\-PsExec OR Invoke\\\\-SSHCommand OR Get\\\\-SecurityPackages OR Install\\\\-SSP OR Invoke\\\\-BackdoorLNK OR PowerBreach OR Get\\\\-SiteListPassword OR Get\\\\-System OR Invoke\\\\-BypassUAC OR Invoke\\\\-Tater OR Invoke\\\\-WScriptBypassUAC OR PowerUp OR PowerView OR Get\\\\-RickAstley OR Find\\\\-Fruit OR HTTP\\\\-Login OR Find\\\\-TrustedDocuments OR Invoke\\\\-Paranoia OR Invoke\\\\-WinEnum OR Invoke\\\\-ARPScan OR Invoke\\\\-PortScan OR Invoke\\\\-ReverseDNSLookup OR Invoke\\\\-SMBScanner OR Invoke\\\\-Mimikittenz)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Malicious PowerShell Commandlets\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
("Invoke\\-DllInjection" OR "Invoke\\-Shellcode" OR "Invoke\\-WmiCommand" OR "Get\\-GPPPassword" OR "Get\\-Keystrokes" OR "Get\\-TimedScreenshot" OR "Get\\-VaultCredential" OR "Invoke\\-CredentialInjection" OR "Invoke\\-Mimikatz" OR "Invoke\\-NinjaCopy" OR "Invoke\\-TokenManipulation" OR "Out\\-Minidump" OR "VolumeShadowCopyTools" OR "Invoke\\-ReflectivePEInjection" OR "Invoke\\-UserHunter" OR "Find\\-GPOLocation" OR "Invoke\\-ACLScanner" OR "Invoke\\-DowngradeAccount" OR "Get\\-ServiceUnquoted" OR "Get\\-ServiceFilePermission" OR "Get\\-ServicePermission" OR "Invoke\\-ServiceAbuse" OR "Install\\-ServiceBinary" OR "Get\\-RegAutoLogon" OR "Get\\-VulnAutoRun" OR "Get\\-VulnSchTask" OR "Get\\-UnattendedInstallFile" OR "Get\\-ApplicationHost" OR "Get\\-RegAlwaysInstallElevated" OR "Get\\-Unconstrained" OR "Add\\-RegBackdoor" OR "Add\\-ScrnSaveBackdoor" OR "Gupt\\-Backdoor" OR "Invoke\\-ADSBackdoor" OR "Enabled\\-DuplicateToken" OR "Invoke\\-PsUaCme" OR "Remove\\-Update" OR "Check\\-VM" OR "Get\\-LSASecret" OR "Get\\-PassHashes" OR "Show\\-TargetScreen" OR "Port\\-Scan" OR "Invoke\\-PoshRatHttp" OR "Invoke\\-PowerShellTCP" OR "Invoke\\-PowerShellWMI" OR "Add\\-Exfiltration" OR "Add\\-Persistence" OR "Do\\-Exfiltration" OR "Start\\-CaptureServer" OR "Get\\-ChromeDump" OR "Get\\-ClipboardContents" OR "Get\\-FoxDump" OR "Get\\-IndexedItem" OR "Get\\-Screenshot" OR "Invoke\\-Inveigh" OR "Invoke\\-NetRipper" OR "Invoke\\-EgressCheck" OR "Invoke\\-PostExfil" OR "Invoke\\-PSInject" OR "Invoke\\-RunAs" OR "MailRaider" OR "New\\-HoneyHash" OR "Set\\-MacAttribute" OR "Invoke\\-DCSync" OR "Invoke\\-PowerDump" OR "Exploit\\-Jboss" OR "Invoke\\-ThunderStruck" OR "Invoke\\-VoiceTroll" OR "Set\\-Wallpaper" OR "Invoke\\-InveighRelay" OR "Invoke\\-PsExec" OR "Invoke\\-SSHCommand" OR "Get\\-SecurityPackages" OR "Install\\-SSP" OR "Invoke\\-BackdoorLNK" OR "PowerBreach" OR "Get\\-SiteListPassword" OR "Get\\-System" OR "Invoke\\-BypassUAC" OR "Invoke\\-Tater" OR "Invoke\\-WScriptBypassUAC" 
OR "PowerUp" OR "PowerView" OR "Get\\-RickAstley" OR "Find\\-Fruit" OR "HTTP\\-Login" OR "Find\\-TrustedDocuments" OR "Invoke\\-Paranoia" OR "Invoke\\-WinEnum" OR "Invoke\\-ARPScan" OR "Invoke\\-PortScan" OR "Invoke\\-ReverseDNSLookup" OR "Invoke\\-SMBScanner" OR "Invoke\\-Mimikittenz")
```
### splunk
```
("Invoke-DllInjection" OR "Invoke-Shellcode" OR "Invoke-WmiCommand" OR "Get-GPPPassword" OR "Get-Keystrokes" OR "Get-TimedScreenshot" OR "Get-VaultCredential" OR "Invoke-CredentialInjection" OR "Invoke-Mimikatz" OR "Invoke-NinjaCopy" OR "Invoke-TokenManipulation" OR "Out-Minidump" OR "VolumeShadowCopyTools" OR "Invoke-ReflectivePEInjection" OR "Invoke-UserHunter" OR "Find-GPOLocation" OR "Invoke-ACLScanner" OR "Invoke-DowngradeAccount" OR "Get-ServiceUnquoted" OR "Get-ServiceFilePermission" OR "Get-ServicePermission" OR "Invoke-ServiceAbuse" OR "Install-ServiceBinary" OR "Get-RegAutoLogon" OR "Get-VulnAutoRun" OR "Get-VulnSchTask" OR "Get-UnattendedInstallFile" OR "Get-ApplicationHost" OR "Get-RegAlwaysInstallElevated" OR "Get-Unconstrained" OR "Add-RegBackdoor" OR "Add-ScrnSaveBackdoor" OR "Gupt-Backdoor" OR "Invoke-ADSBackdoor" OR "Enabled-DuplicateToken" OR "Invoke-PsUaCme" OR "Remove-Update" OR "Check-VM" OR "Get-LSASecret" OR "Get-PassHashes" OR "Show-TargetScreen" OR "Port-Scan" OR "Invoke-PoshRatHttp" OR "Invoke-PowerShellTCP" OR "Invoke-PowerShellWMI" OR "Add-Exfiltration" OR "Add-Persistence" OR "Do-Exfiltration" OR "Start-CaptureServer" OR "Get-ChromeDump" OR "Get-ClipboardContents" OR "Get-FoxDump" OR "Get-IndexedItem" OR "Get-Screenshot" OR "Invoke-Inveigh" OR "Invoke-NetRipper" OR "Invoke-EgressCheck" OR "Invoke-PostExfil" OR "Invoke-PSInject" OR "Invoke-RunAs" OR "MailRaider" OR "New-HoneyHash" OR "Set-MacAttribute" OR "Invoke-DCSync" OR "Invoke-PowerDump" OR "Exploit-Jboss" OR "Invoke-ThunderStruck" OR "Invoke-VoiceTroll" OR "Set-Wallpaper" OR "Invoke-InveighRelay" OR "Invoke-PsExec" OR "Invoke-SSHCommand" OR "Get-SecurityPackages" OR "Install-SSP" OR "Invoke-BackdoorLNK" OR "PowerBreach" OR "Get-SiteListPassword" OR "Get-System" OR "Invoke-BypassUAC" OR "Invoke-Tater" OR "Invoke-WScriptBypassUAC" OR "PowerUp" OR "PowerView" OR "Get-RickAstley" OR "Find-Fruit" OR "HTTP-Login" OR "Find-TrustedDocuments" OR "Invoke-Paranoia" OR "Invoke-WinEnum" OR 
"Invoke-ARPScan" OR "Invoke-PortScan" OR "Invoke-ReverseDNSLookup" OR "Invoke-SMBScanner" OR "Invoke-Mimikittenz")
```
### logpoint
```
("Invoke-DllInjection" OR "Invoke-Shellcode" OR "Invoke-WmiCommand" OR "Get-GPPPassword" OR "Get-Keystrokes" OR "Get-TimedScreenshot" OR "Get-VaultCredential" OR "Invoke-CredentialInjection" OR "Invoke-Mimikatz" OR "Invoke-NinjaCopy" OR "Invoke-TokenManipulation" OR "Out-Minidump" OR "VolumeShadowCopyTools" OR "Invoke-ReflectivePEInjection" OR "Invoke-UserHunter" OR "Find-GPOLocation" OR "Invoke-ACLScanner" OR "Invoke-DowngradeAccount" OR "Get-ServiceUnquoted" OR "Get-ServiceFilePermission" OR "Get-ServicePermission" OR "Invoke-ServiceAbuse" OR "Install-ServiceBinary" OR "Get-RegAutoLogon" OR "Get-VulnAutoRun" OR "Get-VulnSchTask" OR "Get-UnattendedInstallFile" OR "Get-ApplicationHost" OR "Get-RegAlwaysInstallElevated" OR "Get-Unconstrained" OR "Add-RegBackdoor" OR "Add-ScrnSaveBackdoor" OR "Gupt-Backdoor" OR "Invoke-ADSBackdoor" OR "Enabled-DuplicateToken" OR "Invoke-PsUaCme" OR "Remove-Update" OR "Check-VM" OR "Get-LSASecret" OR "Get-PassHashes" OR "Show-TargetScreen" OR "Port-Scan" OR "Invoke-PoshRatHttp" OR "Invoke-PowerShellTCP" OR "Invoke-PowerShellWMI" OR "Add-Exfiltration" OR "Add-Persistence" OR "Do-Exfiltration" OR "Start-CaptureServer" OR "Get-ChromeDump" OR "Get-ClipboardContents" OR "Get-FoxDump" OR "Get-IndexedItem" OR "Get-Screenshot" OR "Invoke-Inveigh" OR "Invoke-NetRipper" OR "Invoke-EgressCheck" OR "Invoke-PostExfil" OR "Invoke-PSInject" OR "Invoke-RunAs" OR "MailRaider" OR "New-HoneyHash" OR "Set-MacAttribute" OR "Invoke-DCSync" OR "Invoke-PowerDump" OR "Exploit-Jboss" OR "Invoke-ThunderStruck" OR "Invoke-VoiceTroll" OR "Set-Wallpaper" OR "Invoke-InveighRelay" OR "Invoke-PsExec" OR "Invoke-SSHCommand" OR "Get-SecurityPackages" OR "Install-SSP" OR "Invoke-BackdoorLNK" OR "PowerBreach" OR "Get-SiteListPassword" OR "Get-System" OR "Invoke-BypassUAC" OR "Invoke-Tater" OR "Invoke-WScriptBypassUAC" OR "PowerUp" OR "PowerView" OR "Get-RickAstley" OR "Find-Fruit" OR "HTTP-Login" OR "Find-TrustedDocuments" OR "Invoke-Paranoia" OR "Invoke-WinEnum" OR 
"Invoke-ARPScan" OR "Invoke-PortScan" OR "Invoke-ReverseDNSLookup" OR "Invoke-SMBScanner" OR "Invoke-Mimikittenz")
```
### grep
```
grep -P '^(?:.*(?:.*Invoke-DllInjection|.*Invoke-Shellcode|.*Invoke-WmiCommand|.*Get-GPPPassword|.*Get-Keystrokes|.*Get-TimedScreenshot|.*Get-VaultCredential|.*Invoke-CredentialInjection|.*Invoke-Mimikatz|.*Invoke-NinjaCopy|.*Invoke-TokenManipulation|.*Out-Minidump|.*VolumeShadowCopyTools|.*Invoke-ReflectivePEInjection|.*Invoke-UserHunter|.*Find-GPOLocation|.*Invoke-ACLScanner|.*Invoke-DowngradeAccount|.*Get-ServiceUnquoted|.*Get-ServiceFilePermission|.*Get-ServicePermission|.*Invoke-ServiceAbuse|.*Install-ServiceBinary|.*Get-RegAutoLogon|.*Get-VulnAutoRun|.*Get-VulnSchTask|.*Get-UnattendedInstallFile|.*Get-ApplicationHost|.*Get-RegAlwaysInstallElevated|.*Get-Unconstrained|.*Add-RegBackdoor|.*Add-ScrnSaveBackdoor|.*Gupt-Backdoor|.*Invoke-ADSBackdoor|.*Enabled-DuplicateToken|.*Invoke-PsUaCme|.*Remove-Update|.*Check-VM|.*Get-LSASecret|.*Get-PassHashes|.*Show-TargetScreen|.*Port-Scan|.*Invoke-PoshRatHttp|.*Invoke-PowerShellTCP|.*Invoke-PowerShellWMI|.*Add-Exfiltration|.*Add-Persistence|.*Do-Exfiltration|.*Start-CaptureServer|.*Get-ChromeDump|.*Get-ClipboardContents|.*Get-FoxDump|.*Get-IndexedItem|.*Get-Screenshot|.*Invoke-Inveigh|.*Invoke-NetRipper|.*Invoke-EgressCheck|.*Invoke-PostExfil|.*Invoke-PSInject|.*Invoke-RunAs|.*MailRaider|.*New-HoneyHash|.*Set-MacAttribute|.*Invoke-DCSync|.*Invoke-PowerDump|.*Exploit-Jboss|.*Invoke-ThunderStruck|.*Invoke-VoiceTroll|.*Set-Wallpaper|.*Invoke-InveighRelay|.*Invoke-PsExec|.*Invoke-SSHCommand|.*Get-SecurityPackages|.*Install-SSP|.*Invoke-BackdoorLNK|.*PowerBreach|.*Get-SiteListPassword|.*Get-System|.*Invoke-BypassUAC|.*Invoke-Tater|.*Invoke-WScriptBypassUAC|.*PowerUp|.*PowerView|.*Get-RickAstley|.*Find-Fruit|.*HTTP-Login|.*Find-TrustedDocuments|.*Invoke-Paranoia|.*Invoke-WinEnum|.*Invoke-ARPScan|.*Invoke-PortScan|.*Invoke-ReverseDNSLookup|.*Invoke-SMBScanner|.*Invoke-Mimikittenz))'
```
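Review bot: the `definition:` line has a typo, `recommanded` for `recommended` (the NTFS Alternate Data Stream rule in this same commit spells it correctly). On the detection side, the keyword list mixes tool-specific cmdlet names with short generic tokens (`Get-System`, `PowerUp`, `Check-VM`, `Port-Scan`, `Remove-Update`, `Set-Wallpaper`, `HTTP-Login`) that are substring matches against 4103/4104 content and will hit legitimate admin scripts, yet False Positives lists only 'Penetration testing' at level high; that noise is worth a sentence in the description. Finally, the es-qs, xpack-watcher, graylog, splunk and logpoint queries were wrapped mid-expression onto two lines, so each should be emitted as a single line in the generated md.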

@ -0,0 +1,109 @@
| Title | Malicious PowerShell Keywords |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects keywords from well-known PowerShell exploitation frameworks |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://adsecurity.org/?p=2921](https://adsecurity.org/?p=2921)</li></ul> |
| Author | Sean Metcalf (source), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: Malicious PowerShell Keywords
status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- AdjustTokenPrivileges
- IMAGE_NT_OPTIONAL_HDR64_MAGIC
- Microsoft.Win32.UnsafeNativeMethods
- ReadProcessMemory.Invoke
- SE_PRIVILEGE_ENABLED
- LSA_UNICODE_STRING
- MiniDumpWriteDump
- PAGE_EXECUTE_READ
- SECURITY_DELEGATION
- TOKEN_ADJUST_PRIVILEGES
- TOKEN_ALL_ACCESS
- TOKEN_ASSIGN_PRIMARY
- TOKEN_DUPLICATE
- TOKEN_ELEVATION
- TOKEN_IMPERSONATE
- TOKEN_INFORMATION_CLASS
- TOKEN_PRIVILEGES
- TOKEN_QUERY
- Metasploit
- Mimikatz
condition: keywords
falsepositives:
- Penetration tests
level: high
```
### es-qs
```
(AdjustTokenPrivileges OR IMAGE_NT_OPTIONAL_HDR64_MAGIC OR Microsoft.Win32.UnsafeNativeMethods OR ReadProcessMemory.Invoke OR SE_PRIVILEGE_ENABLED OR LSA_UNICODE_STRING OR MiniDumpWriteDump OR PAGE_EXECUTE_READ OR SECURITY_DELEGATION OR TOKEN_ADJUST_PRIVILEGES OR TOKEN_ALL_ACCESS OR TOKEN_ASSIGN_PRIMARY OR TOKEN_DUPLICATE OR TOKEN_ELEVATION OR TOKEN_IMPERSONATE OR TOKEN_INFORMATION_CLASS OR TOKEN_PRIVILEGES OR TOKEN_QUERY OR Metasploit OR Mimikatz)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Malicious-PowerShell-Keywords <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(AdjustTokenPrivileges OR IMAGE_NT_OPTIONAL_HDR64_MAGIC OR Microsoft.Win32.UnsafeNativeMethods OR ReadProcessMemory.Invoke OR SE_PRIVILEGE_ENABLED OR LSA_UNICODE_STRING OR MiniDumpWriteDump OR PAGE_EXECUTE_READ OR SECURITY_DELEGATION OR TOKEN_ADJUST_PRIVILEGES OR TOKEN_ALL_ACCESS OR TOKEN_ASSIGN_PRIMARY OR TOKEN_DUPLICATE OR TOKEN_ELEVATION OR TOKEN_IMPERSONATE OR TOKEN_INFORMATION_CLASS OR TOKEN_PRIVILEGES OR TOKEN_QUERY OR Metasploit OR Mimikatz)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Malicious PowerShell Keywords\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
("AdjustTokenPrivileges" OR "IMAGE_NT_OPTIONAL_HDR64_MAGIC" OR "Microsoft.Win32.UnsafeNativeMethods" OR "ReadProcessMemory.Invoke" OR "SE_PRIVILEGE_ENABLED" OR "LSA_UNICODE_STRING" OR "MiniDumpWriteDump" OR "PAGE_EXECUTE_READ" OR "SECURITY_DELEGATION" OR "TOKEN_ADJUST_PRIVILEGES" OR "TOKEN_ALL_ACCESS" OR "TOKEN_ASSIGN_PRIMARY" OR "TOKEN_DUPLICATE" OR "TOKEN_ELEVATION" OR "TOKEN_IMPERSONATE" OR "TOKEN_INFORMATION_CLASS" OR "TOKEN_PRIVILEGES" OR "TOKEN_QUERY" OR "Metasploit" OR "Mimikatz")
```
### splunk
```
("AdjustTokenPrivileges" OR "IMAGE_NT_OPTIONAL_HDR64_MAGIC" OR "Microsoft.Win32.UnsafeNativeMethods" OR "ReadProcessMemory.Invoke" OR "SE_PRIVILEGE_ENABLED" OR "LSA_UNICODE_STRING" OR "MiniDumpWriteDump" OR "PAGE_EXECUTE_READ" OR "SECURITY_DELEGATION" OR "TOKEN_ADJUST_PRIVILEGES" OR "TOKEN_ALL_ACCESS" OR "TOKEN_ASSIGN_PRIMARY" OR "TOKEN_DUPLICATE" OR "TOKEN_ELEVATION" OR "TOKEN_IMPERSONATE" OR "TOKEN_INFORMATION_CLASS" OR "TOKEN_PRIVILEGES" OR "TOKEN_QUERY" OR "Metasploit" OR "Mimikatz")
```
### logpoint
```
("AdjustTokenPrivileges" OR "IMAGE_NT_OPTIONAL_HDR64_MAGIC" OR "Microsoft.Win32.UnsafeNativeMethods" OR "ReadProcessMemory.Invoke" OR "SE_PRIVILEGE_ENABLED" OR "LSA_UNICODE_STRING" OR "MiniDumpWriteDump" OR "PAGE_EXECUTE_READ" OR "SECURITY_DELEGATION" OR "TOKEN_ADJUST_PRIVILEGES" OR "TOKEN_ALL_ACCESS" OR "TOKEN_ASSIGN_PRIMARY" OR "TOKEN_DUPLICATE" OR "TOKEN_ELEVATION" OR "TOKEN_IMPERSONATE" OR "TOKEN_INFORMATION_CLASS" OR "TOKEN_PRIVILEGES" OR "TOKEN_QUERY" OR "Metasploit" OR "Mimikatz")
```
### grep
```
grep -P '^(?:.*(?:.*AdjustTokenPrivileges|.*IMAGE_NT_OPTIONAL_HDR64_MAGIC|.*Microsoft\\.Win32\\.UnsafeNativeMethods|.*ReadProcessMemory\\.Invoke|.*SE_PRIVILEGE_ENABLED|.*LSA_UNICODE_STRING|.*MiniDumpWriteDump|.*PAGE_EXECUTE_READ|.*SECURITY_DELEGATION|.*TOKEN_ADJUST_PRIVILEGES|.*TOKEN_ALL_ACCESS|.*TOKEN_ASSIGN_PRIMARY|.*TOKEN_DUPLICATE|.*TOKEN_ELEVATION|.*TOKEN_IMPERSONATE|.*TOKEN_INFORMATION_CLASS|.*TOKEN_PRIVILEGES|.*TOKEN_QUERY|.*Metasploit|.*Mimikatz))'
```
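Review bot: `definition:` again carries the `recommanded` typo. More importantly, `TOKEN_QUERY`, `TOKEN_PRIVILEGES`, `TOKEN_ADJUST_PRIVILEGES`, `AdjustTokenPrivileges` and `Microsoft.Win32.UnsafeNativeMethods` are ordinary Win32 constants and .NET type names that appear in legitimate P/Invoke helper scripts, and the bare words `Metasploit` and `Mimikatz` match any script that merely mentions them; with level high and False Positives limited to 'Penetration tests', the rule needs a caveat in the description or a lower level. The grep block also has doubled backslashes inside a single-quoted pattern (`Microsoft\\.Win32\\.UnsafeNativeMethods`), so PCRE is asked for literal backslashes rather than escaped dots.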

@ -0,0 +1,91 @@
| Title | NTFS Alternate Data Stream |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1096: NTFS File Attributes](https://attack.mitre.org/techniques/T1096)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Trigger | <ul><li>[T1096: NTFS File Attributes](../Triggers/T1096.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[http://www.powertheshell.com/ntfsstreams/](http://www.powertheshell.com/ntfsstreams/)</li></ul> |
| Author | Sami Ruohonen |
## Detection Rules
### Sigma rule
```
title: NTFS Alternate Data Stream
status: experimental
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
references:
- http://www.powertheshell.com/ntfsstreams/
tags:
- attack.defense_evasion
- attack.t1096
author: Sami Ruohonen
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keyword1:
- "set-content"
keyword2:
- "-stream"
condition: keyword1 and keyword2
falsepositives:
- unknown
level: high
```
### es-qs
```
(set\\-content AND \\-stream)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/NTFS-Alternate-Data-Stream <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(set\\\\-content AND \\\\-stream)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'NTFS Alternate Data Stream\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
("set\\-content" AND "\\-stream")
```
### splunk
```
("set-content" "-stream")
```
### logpoint
```
("set-content" "-stream")
```
### grep
```
grep -P '^(?:.*(?=.*set-content)(?=.*-stream))'
```
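Review bot: `keyword1` and `keyword2` only require the substrings `set-content` and `-stream` somewhere in the same event, so a script block that uses `Set-Content` and an unrelated `-Stream` argument elsewhere also fires, while the same ADS write done with `Add-Content -Stream` is missed; either the description 'Detects writing data into NTFS alternate data streams from powershell' should name the cmdlet actually covered, or `keyword1` should list the other content cmdlets that accept `-Stream`. The es-qs and graylog queries (`set\\-content AND \\-stream`) also carry doubled backslashes from the md generator.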

@ -0,0 +1,93 @@
| Title | PowerShell Credential Prompt |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects PowerShell calling a credential prompt |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/JohnLaTwC/status/850381440629981184](https://twitter.com/JohnLaTwC/status/850381440629981184)</li><li>[https://t.co/ezOTGy1a1G](https://t.co/ezOTGy1a1G)</li></ul> |
| Author | John Lambert (idea), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: PowerShell Credential Prompt
status: experimental
description: Detects PowerShell calling a credential prompt
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
tags:
- attack.execution
- attack.credential_access
- attack.t1086
author: John Lambert (idea), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
keyword:
- 'PromptForCredential'
condition: all of them
falsepositives:
- Unknown
level: high
```
### es-qs
```
(EventID:"4104" AND "PromptForCredential")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/PowerShell-Credential-Prompt <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"4104\\" AND \\"PromptForCredential\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'PowerShell Credential Prompt\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4104" AND "PromptForCredential")
```
### splunk
```
(EventID="4104" "PromptForCredential")
```
### logpoint
```
(EventID="4104" "PromptForCredential")
```
### grep
```
grep -P '^(?:.*(?=.*4104)(?=.*PromptForCredential))'
```
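Review bot: the xpack-watcher block is rendered as a single line containing literal `\n` and `\'` sequences (`-H \'Content-Type: application/json\' --data-binary @- ... <<EOF\n{\n "trigger": ...`), so the `curl` command cannot be pasted into a shell as printed; this looks like the generator writing the Python repr of the converted query instead of the string itself, and it affects every xpack-watcher section in this commit. Suggest writing the backend output verbatim into the fenced block so the heredoc spans real lines.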

@ -0,0 +1,91 @@
| Title | PowerShell PSAttack |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the use of PSAttack PowerShell hack tool |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Pentesters</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://adsecurity.org/?p=2921](https://adsecurity.org/?p=2921)</li></ul> |
| Author | Sean Metcalf (source), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: PowerShell PSAttack
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
selection:
EventID: 4103
keyword:
- 'PS ATTACK!!!'
condition: all of them
falsepositives:
- Pentesters
level: high
```
### es-qs
```
(EventID:"4103" AND "PS\\ ATTACK\\!\\!\\!")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/PowerShell-PSAttack <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"4103\\" AND \\"PS\\\\ ATTACK\\\\!\\\\!\\\\!\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'PowerShell PSAttack\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"4103" AND "PS ATTACK\\!\\!\\!")
```
### splunk
```
(EventID="4103" "PS ATTACK!!!")
```
### logpoint
```
(EventID="4103" "PS ATTACK!!!")
```
### grep
```
grep -P '^(?:.*(?=.*4103)(?=.*PS ATTACK!!!))'
```
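Review bot: the es-qs output `(EventID:"4103" AND "PS\\ ATTACK\\!\\!\\!")` and the graylog output `"PS ATTACK\\!\\!\\!"` carry doubled backslashes; unless the generator intentionally emits them for a later unescaping step, Lucene query_string expects one backslash per escaped character, so this is worth checking against a raw sigmac run of the same rule. Separately, `recommanded` in the logsource definition is a typo for `recommended` (it originates in the Sigma rule, so the fix belongs upstream and then a regeneration here).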

@ -0,0 +1,97 @@
| Title | PowerShell ShellCode |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects Base64 encoded Shellcode |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/cyb3rops/status/1063072865992523776](https://twitter.com/cyb3rops/status/1063072865992523776)</li></ul> |
| Author | David Ledbetter (shellcode), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: PowerShell ShellCode
status: experimental
description: Detects Base64 encoded Shellcode
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
tags:
- attack.privilege_escalation
- attack.execution
- attack.t1055
- attack.t1086
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
logsource:
product: windows
service: powershell
description: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
keyword1:
- '*AAAAYInlM*'
keyword2:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
condition: selection and keyword1 and keyword2
falsepositives:
- Unknown
level: critical
```
### es-qs
```
((EventID:"4104" AND "*AAAAYInlM*") AND ("*OiCAAAAYInlM*" OR "*OiJAAAAYInlM*"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/PowerShell-ShellCode <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"4104\\" AND \\"*AAAAYInlM*\\") AND (\\"*OiCAAAAYInlM*\\" OR \\"*OiJAAAAYInlM*\\"))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'PowerShell ShellCode\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"4104" AND "*AAAAYInlM*") AND ("*OiCAAAAYInlM*" OR "*OiJAAAAYInlM*"))
```
### splunk
```
((EventID="4104" "*AAAAYInlM*") ("*OiCAAAAYInlM*" OR "*OiJAAAAYInlM*"))
```
### logpoint
```
((EventID="4104" "*AAAAYInlM*") ("*OiCAAAAYInlM*" OR "*OiJAAAAYInlM*"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*4104)(?=.*.*AAAAYInlM.*)))(?=.*(?:.*(?:.*.*OiCAAAAYInlM.*|.*.*OiJAAAAYInlM.*))))'
```
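Review bot: in the converted es-qs and graylog queries the wildcard keywords are emitted inside double quotes (`"*AAAAYInlM*"`, `"*OiCAAAAYInlM*"`), which makes them phrase terms in which `*` is matched literally, so the queries will not find the Base64 fragment embedded in a longer script block; the wildcards need to sit outside the quotes, as in the `CommandLine.keyword:(*\\ \\-bxor*)` form used for the XOR rule later in this commit. Also, the rule's logsource uses `description:` for the 'Script block logging must be enabled' note where the other rules in this commit use `definition:`.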

@ -0,0 +1,87 @@
| Title | Suspicious PowerShell Download |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects suspicious PowerShell download command |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>PowerShell scripts that download content from the Internet</li></ul> |
| Development Status | experimental |
| References | <ul></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Suspicious PowerShell Download
status: experimental
description: Detects suspicious PowerShell download command
tags:
- attack.execution
- attack.t1086
author: Florian Roth
logsource:
product: windows
service: powershell
detection:
keywords:
- 'System.Net.WebClient).DownloadString('
- 'system.net.webclient).downloadfile('
condition: keywords
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
```
### es-qs
```
(System.Net.WebClient\\).DownloadString\\( OR system.net.webclient\\).downloadfile\\()
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-PowerShell-Download <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(System.Net.WebClient\\\\).DownloadString\\\\( OR system.net.webclient\\\\).downloadfile\\\\()",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious PowerShell Download\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
("System.Net.WebClient\\).DownloadString\\(" OR "system.net.webclient\\).downloadfile\\(")
```
### splunk
```
("System.Net.WebClient).DownloadString(" OR "system.net.webclient).downloadfile(")
```
### logpoint
```
("System.Net.WebClient).DownloadString(" OR "system.net.webclient).downloadfile(")
```
### grep
```
grep -P '^(?:.*(?:.*System\\.Net\\.WebClient\\)\\.DownloadString\\(|.*system\\.net\\.webclient\\)\\.downloadfile\\())'
```
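Review bot: the two keywords differ only in case (`System.Net.WebClient).DownloadString(` vs `system.net.webclient).downloadfile(`) and the grep output `grep -P '...'` is case-sensitive, so a lower-case `downloadstring(` or a normally cased `DownloadFile(` in a script block is missed; suggest `grep -Pi` (or normalising the case in the rule). Also the References row is rendered as an empty `<ul></ul>` when the rule has no references; the generator should emit a placeholder or skip the row.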

@ -0,0 +1,96 @@
| Title | Suspicious PowerShell Invocations - Generic |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects suspicious PowerShell invocation command parameters |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li><li>Very special / sneaky PowerShell scripts</li></ul> |
| Development Status | experimental |
| References | <ul></ul> |
| Author | Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: Suspicious PowerShell Invocations - Generic
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule)
logsource:
product: windows
service: powershell
detection:
encoded:
- ' -enc '
- ' -EncodedCommand '
hidden:
- ' -w hidden '
- ' -window hidden '
- ' - windowstyle hidden '
noninteractive:
- ' -noni '
- ' -noninteractive '
condition: all of them
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
level: high
```
### es-qs
```
((\\ \\-enc\\ OR \\ \\-EncodedCommand\\ ) AND (\\ \\-w\\ hidden\\ OR \\ \\-window\\ hidden\\ OR \\ \\-\\ windowstyle\\ hidden\\ ) AND (\\ \\-noni\\ OR \\ \\-noninteractive\\ ))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-PowerShell-Invocations---Generic <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((\\\\ \\\\-enc\\\\ OR \\\\ \\\\-EncodedCommand\\\\ ) AND (\\\\ \\\\-w\\\\ hidden\\\\ OR \\\\ \\\\-window\\\\ hidden\\\\ OR \\\\ \\\\-\\\\ windowstyle\\\\ hidden\\\\ ) AND (\\\\ \\\\-noni\\\\ OR \\\\ \\\\-noninteractive\\\\ ))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious PowerShell Invocations - Generic\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((" \\-enc " OR " \\-EncodedCommand ") AND (" \\-w hidden " OR " \\-window hidden " OR " \\- windowstyle hidden ") AND (" \\-noni " OR " \\-noninteractive "))
```
### splunk
```
((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " - windowstyle hidden ") (" -noni " OR " -noninteractive "))
```
### logpoint
```
((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " - windowstyle hidden ") (" -noni " OR " -noninteractive "))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?:.* -enc |.* -EncodedCommand )))(?=.*(?:.*(?:.* -w hidden |.* -window hidden |.* - windowstyle hidden )))(?=.*(?:.*(?:.* -noni |.* -noninteractive ))))'
```
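Review bot: the `hidden` selector value `' - windowstyle hidden '` has a space between the dash and `windowstyle`, so it can never match the real `-windowstyle hidden` parameter, and the mistake is carried into every converted query (`" - windowstyle hidden "`); suggest `' -windowstyle hidden '`. The References row here is also rendered as an empty `<ul></ul>`.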

@ -0,0 +1,91 @@
| Title | Suspicious PowerShell Invocations - Specific |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects suspicious PowerShell invocation command parameters |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |
| Development Status | experimental |
| References | <ul></ul> |
| Author | Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: Suspicious PowerShell Invocations - Specific
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule)
logsource:
product: windows
service: powershell
detection:
keywords:
- ' -nop -w hidden -c * [Convert]::FromBase64String'
- ' -w hidden -noni -nop -c "iex(New-Object'
- ' -w hidden -ep bypass -Enc'
- 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
- 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
- 'iex(New-Object Net.WebClient).Download'
condition: keywords
falsepositives:
- Penetration tests
level: high
```
### es-qs
```
(\\ \\-nop\\ \\-w\\ hidden\\ \\-c\\ *\\ \\[Convert\\]\\:\\:FromBase64String OR \\ \\-w\\ hidden\\ \\-noni\\ \\-nop\\ \\-c\\ \\"iex\\(New\\-Object OR \\ \\-w\\ hidden\\ \\-ep\\ bypass\\ \\-Enc OR powershell.exe\\ reg\\ add\\ HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run OR bypass\\ \\-noprofile\\ \\-windowstyle\\ hidden\\ \\(new\\-object\\ system.net.webclient\\).download OR iex\\(New\\-Object\\ Net.WebClient\\).Download)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-PowerShell-Invocations---Specific <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(\\\\ \\\\-nop\\\\ \\\\-w\\\\ hidden\\\\ \\\\-c\\\\ *\\\\ \\\\[Convert\\\\]\\\\:\\\\:FromBase64String OR \\\\ \\\\-w\\\\ hidden\\\\ \\\\-noni\\\\ \\\\-nop\\\\ \\\\-c\\\\ \\\\\\"iex\\\\(New\\\\-Object OR \\\\ \\\\-w\\\\ hidden\\\\ \\\\-ep\\\\ bypass\\\\ \\\\-Enc OR powershell.exe\\\\ reg\\\\ add\\\\ HKCU\\\\\\\\software\\\\\\\\microsoft\\\\\\\\windows\\\\\\\\currentversion\\\\\\\\run OR bypass\\\\ \\\\-noprofile\\\\ \\\\-windowstyle\\\\ hidden\\\\ \\\\(new\\\\-object\\\\ system.net.webclient\\\\).download OR iex\\\\(New\\\\-Object\\\\ Net.WebClient\\\\).Download)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious PowerShell Invocations - Specific\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(" \\-nop \\-w hidden \\-c * \\[Convert\\]\\:\\:FromBase64String" OR " \\-w hidden \\-noni \\-nop \\-c \\"iex\\(New\\-Object" OR " \\-w hidden \\-ep bypass \\-Enc" OR "powershell.exe reg add HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run" OR "bypass \\-noprofile \\-windowstyle hidden \\(new\\-object system.net.webclient\\).download" OR "iex\\(New\\-Object Net.WebClient\\).Download")
```
### splunk
```
(" -nop -w hidden -c * [Convert]::FromBase64String" OR " -w hidden -noni -nop -c \\"iex(New-Object" OR " -w hidden -ep bypass -Enc" OR "powershell.exe reg add HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run" OR "bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download" OR "iex(New-Object Net.WebClient).Download")
```
### logpoint
```
(" -nop -w hidden -c * [Convert]::FromBase64String" OR " -w hidden -noni -nop -c \\"iex(New-Object" OR " -w hidden -ep bypass -Enc" OR "powershell.exe reg add HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run" OR "bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download" OR "iex(New-Object Net.WebClient).Download")
```
### grep
```
grep -P \'^(?:.*(?:.* -nop -w hidden -c .* \\[Convert\\]::FromBase64String|.* -w hidden -noni -nop -c "iex\\(New-Object|.* -w hidden -ep bypass -Enc|.*powershell\\.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run|.*bypass -noprofile -windowstyle hidden \\(new-object system\\.net\\.webclient\\)\\.download|.*iex\\(New-Object Net\\.WebClient\\)\\.Download))\'
```
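Review bot: the grep line wraps the pattern in `\'...\'` instead of plain single quotes, which a shell reads as literal backslash-quote characters and which breaks the command; this is the Python repr artifact (the regex contains a `"`, so repr switched to escaping single quotes), the same problem as in the xpack-watcher blocks. Suggest emitting the backend string verbatim.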

@ -0,0 +1,90 @@
| Title | Suspicious PowerShell Keywords |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462](https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Suspicious PowerShell Keywords
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
author: Florian Roth
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: powershell
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- System.Reflection.Assembly.Load
condition: keywords
falsepositives:
- Penetration tests
level: high
```
### es-qs
```
System.Reflection.Assembly.Load
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-PowerShell-Keywords <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "System.Reflection.Assembly.Load",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious PowerShell Keywords\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
"System.Reflection.Assembly.Load"
```
### splunk
```
"System.Reflection.Assembly.Load"
```
### logpoint
```
"System.Reflection.Assembly.Load"
```
### grep
```
grep -P '^System\\.Reflection\\.Assembly\\.Load'
```
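Review bot: the grep output `grep -P '^System\\.Reflection\\.Assembly\\.Load'` is anchored at the start of the line with no leading `.*`, unlike the other grep conversions in this commit (`^(?:.*...)`), so it only matches log lines that begin with the keyword; suggest `^.*System\.Reflection\.Assembly\.Load` or dropping the `^`. `recommanded` in the logsource definition is a typo for `recommended`.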

@ -0,0 +1,88 @@
| Title | Suspicious XOR Encoded PowerShell Command Line |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul></ul> |
| Author | Sami Ruohonen |
## Detection Rules
### Sigma rule
```
title: Suspicious XOR Encoded PowerShell Command Line
description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
status: experimental
author: Sami Ruohonen
date: 2018/09/05
tags:
- attack.execution
- attack.t1086
detection:
selection:
CommandLine:
- '* -bxor*'
condition: selection
falsepositives:
- unknown
level: medium
logsource:
category: process_creation
product: windows
```
### es-qs
```
CommandLine.keyword:(*\\ \\-bxor*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-XOR-Encoded-PowerShell-Command-Line <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "CommandLine.keyword:(*\\\\ \\\\-bxor*)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious XOR Encoded PowerShell Command Line\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
CommandLine:("* \\-bxor*")
```
### splunk
```
(CommandLine="* -bxor*")
```
### logpoint
```
CommandLine IN ["* -bxor*"]
```
### grep
```
grep -P '^(?:.*.* -bxor.*)'
```
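Review bot: the Description (table row and rule) reads `alternatvide obfuscation method`; `alternatvide` is a typo for `alternative`, and `powershell process` should be `PowerShell process` to match the casing of the other rules. Since the text is copied from the Sigma rule, fixing it upstream and regenerating is the cleaner path.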

@ -0,0 +1,97 @@
| Title | Executable in ADS |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the creation of an ADS data stream that contains an executable (non-empty imphash) |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul> |
| Data Needed | <ul><li>[DN_0019_15_windows_sysmon_FileCreateStreamHash](../Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md)</li></ul> |
| Trigger | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/0xrawsec/status/1002478725605273600?s=21](https://twitter.com/0xrawsec/status/1002478725605273600?s=21)</li></ul> |
| Author | Florian Roth, @0xrawsec |
| Other Tags | <ul><li>attack.s0139</li><li>attack.s0139</li></ul> |
## Detection Rules
### Sigma rule
```
title: Executable in ADS
status: experimental
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
tags:
- attack.defense_evasion
- attack.t1027
- attack.s0139
author: Florian Roth, @0xrawsec
date: 2018/06/03
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
selection:
EventID: 15
filter:
Imphash: '00000000000000000000000000000000'
condition: selection and not filter
fields:
- TargetFilename
- Image
falsepositives:
- unknown
level: critical
```
### es-qs
```
(EventID:"15" AND NOT (Imphash:"00000000000000000000000000000000"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Executable-in-ADS <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"15\\" AND NOT (Imphash:\\"00000000000000000000000000000000\\"))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Executable in ADS\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nTargetFilename = {{_source.TargetFilename}}\\n Image = {{_source.Image}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"15" AND NOT (Imphash:"00000000000000000000000000000000"))
```
### splunk
```
(EventID="15" NOT (Imphash="00000000000000000000000000000000")) | table TargetFilename,Image
```
### logpoint
```
(EventID="15" -(Imphash="00000000000000000000000000000000"))
```
### grep
```
grep -P '^(?:.*(?=.*15)(?=.*(?!.*(?:.*(?=.*00000000000000000000000000000000)))))'
```
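Review bot: the Other Tags row lists `attack.s0139` twice although the source rule's tags contain it once, so the generator's tag collection is not deduplicating (the CMSTP file further down shows the same with `attack.g0069`); suggest building that list as a set. The grep conversion also deserves a look: `(?=.*(?!.*(?:.*(?=.*00000000000000000000000000000000))))` is satisfied once `.*` reaches the end of the line, so the `not filter` clause never excludes the all-zero Imphash and the grep form of this rule matches every EventID 15 line.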

@ -0,0 +1,98 @@
| Title | CACTUSTORCH Remote Thread Creation |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects remote thread creation from CACTUSTORCH as described in references. |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul><li>[DN_0012_8_windows_sysmon_CreateRemoteThread](../Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/SBousseaden/status/1090588499517079552](https://twitter.com/SBousseaden/status/1090588499517079552)</li><li>[https://github.com/mdsecactivebreach/CACTUSTORCH](https://github.com/mdsecactivebreach/CACTUSTORCH)</li></ul> |
| Author | @SBousseaden (detection), Thomas Patzke (rule) |
## Detection Rules
### Sigma rule
```
title: CACTUSTORCH Remote Thread Creation
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
- https://twitter.com/SBousseaden/status/1090588499517079552
- https://github.com/mdsecactivebreach/CACTUSTORCH
status: experimental
author: "@SBousseaden (detection), Thomas Patzke (rule)"
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
SourceImage:
- '*\System32\cscript.exe'
- '*\System32\wscript.exe'
- '*\System32\mshta.exe'
- '*\winword.exe'
- '*\excel.exe'
TargetImage: '*\SysWOW64\\*'
StartModule: null
condition: selection
tags:
- attack.execution
- attack.t1055
- attack.t1064
falsepositives:
- unknown
level: high
```
### es-qs
```
(EventID:"8" AND SourceImage.keyword:(*\\\\System32\\\\cscript.exe *\\\\System32\\\\wscript.exe *\\\\System32\\\\mshta.exe *\\\\winword.exe *\\\\excel.exe) AND TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:StartModule)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/CACTUSTORCH-Remote-Thread-Creation <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"8\\" AND SourceImage.keyword:(*\\\\\\\\System32\\\\\\\\cscript.exe *\\\\\\\\System32\\\\\\\\wscript.exe *\\\\\\\\System32\\\\\\\\mshta.exe *\\\\\\\\winword.exe *\\\\\\\\excel.exe) AND TargetImage.keyword:*\\\\\\\\SysWOW64\\\\\\\\* AND NOT _exists_:StartModule)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'CACTUSTORCH Remote Thread Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"8" AND SourceImage:("*\\\\System32\\\\cscript.exe" "*\\\\System32\\\\wscript.exe" "*\\\\System32\\\\mshta.exe" "*\\\\winword.exe" "*\\\\excel.exe") AND TargetImage:"*\\\\SysWOW64\\\\*" AND NOT _exists_:StartModule)
```
### splunk
```
(EventID="8" (SourceImage="*\\\\System32\\\\cscript.exe" OR SourceImage="*\\\\System32\\\\wscript.exe" OR SourceImage="*\\\\System32\\\\mshta.exe" OR SourceImage="*\\\\winword.exe" OR SourceImage="*\\\\excel.exe") TargetImage="*\\\\SysWOW64\\\\*" NOT StartModule="*")
```
### logpoint
```
(EventID="8" SourceImage IN ["*\\\\System32\\\\cscript.exe", "*\\\\System32\\\\wscript.exe", "*\\\\System32\\\\mshta.exe", "*\\\\winword.exe", "*\\\\excel.exe"] TargetImage="*\\\\SysWOW64\\\\*" -StartModule=*)
```
### grep
```
```
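Review bot: the `### grep` section that closes this hunk is an empty code block. The rule's null-check on `StartModule` (rendered in es-qs as `NOT _exists_:StartModule`) has no grep equivalent, so the converter returned nothing and the generator still emitted a fence with no content. Have the regeneration step either skip a backend section when the conversion yields an empty string or write an explicit "not supported by this backend" line; as rendered, a reader cannot tell a failed conversion from a deliberately omitted query.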

View File

@ -0,0 +1,115 @@
| Title | CMSTP Execution |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | <ul><li>[T1191: CMSTP](../Triggers/T1191.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Legitimate CMSTP use (unlikely in modern enterprise environments)</li></ul> |
| Development Status | stable |
| References | <ul><li>[http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/](http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/)</li></ul> |
| Author | Nik Seetharaman |
| Other Tags | <ul><li>attack.g0069</li><li>attack.g0069</li></ul> |
## Detection Rules
### Sigma rule
```
---
action: global
title: CMSTP Execution
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
tags:
- attack.defense_evasion
- attack.execution
- attack.t1191
- attack.g0069
author: Nik Seetharaman
references:
- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
detection:
condition: 1 of them
fields:
- CommandLine
- ParentCommandLine
- Details
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
---
logsource:
product: windows
service: sysmon
detection:
# Registry Object Add
selection2:
EventID: 12
TargetObject: '*\cmmgr32.exe*'
# Registry Object Value Set
selection3:
EventID: 13
TargetObject: '*\cmmgr32.exe*'
# Process Access Call Trace
selection4:
EventID: 10
CallTrace: '*cmlua.dll*'
---
logsource:
category: process_creation
product: windows
detection:
# CMSTP Spawning Child Process
selection1:
ParentImage: '*\cmstp.exe'
```
### es-qs
```
((EventID:"12" AND TargetObject.keyword:*\\\\cmmgr32.exe*) OR (EventID:"13" AND TargetObject.keyword:*\\\\cmmgr32.exe*) OR (EventID:"10" AND CallTrace.keyword:*cmlua.dll*))\nParentImage.keyword:*\\\\cmstp.exe
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/CMSTP-Execution <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"12\\" AND TargetObject.keyword:*\\\\\\\\cmmgr32.exe*) OR (EventID:\\"13\\" AND TargetObject.keyword:*\\\\\\\\cmmgr32.exe*) OR (EventID:\\"10\\" AND CallTrace.keyword:*cmlua.dll*))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'CMSTP Execution\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n Details = {{_source.Details}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/CMSTP-Execution-2 <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "ParentImage.keyword:*\\\\\\\\cmstp.exe",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'CMSTP Execution\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n Details = 
{{_source.Details}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"12" AND TargetObject:"*\\\\cmmgr32.exe*") OR (EventID:"13" AND TargetObject:"*\\\\cmmgr32.exe*") OR (EventID:"10" AND CallTrace:"*cmlua.dll*"))\nParentImage:"*\\\\cmstp.exe"
```
### splunk
```
((EventID="12" TargetObject="*\\\\cmmgr32.exe*") OR (EventID="13" TargetObject="*\\\\cmmgr32.exe*") OR (EventID="10" CallTrace="*cmlua.dll*")) | table CommandLine,ParentCommandLine,Details\nParentImage="*\\\\cmstp.exe" | table CommandLine,ParentCommandLine,Details
```
### logpoint
```
((EventID="12" TargetObject="*\\\\cmmgr32.exe*") OR (EventID="13" TargetObject="*\\\\cmmgr32.exe*") OR (EventID="10" CallTrace="*cmlua.dll*"))\nParentImage="*\\\\cmstp.exe"
```
### grep
```
grep -P '^(?:.*(?:.*(?:.*(?=.*12)(?=.*.*\\cmmgr32\\.exe.*))|.*(?:.*(?=.*13)(?=.*.*\\cmmgr32\\.exe.*))|.*(?:.*(?=.*10)(?=.*.*cmlua\\.dll.*))))'\ngrep -P '^.*\\cmstp\\.exe'
```
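Review bot: `Other Tags` lists `attack.g0069` twice while the rule's `tags:` block declares it once; this is a multi-document rule (`action: global` followed by two `logsource` parts), so tags look like they are collected once per part without deduplication. Deduplicate before rendering the table. Same hunk: the es-qs, graylog, splunk, logpoint and grep sections join the two per-logsource queries with a literal `\n` inside one fence (`...cmlua.dll*))\nParentImage.keyword:*\\\\cmstp.exe`), so the page shows a single unreadable line; emit a real newline or one fence per query. Minor: the `Data Needed` order (13, 4688, 10, 12, 1) looks like unsorted set iteration, and sorting it keeps regenerated files diff-stable.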

View File

@ -0,0 +1,90 @@
| Title | CobaltStrike Process Injection |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0012_8_windows_sysmon_CreateRemoteThread](../Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f](https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f)</li></ul> |
| Author | Olaf Hartong, Florian Roth |
## Detection Rules
### Sigma rule
```
title: CobaltStrike Process Injection
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
tags:
- attack.defense_evasion
- attack.t1055
status: experimental
author: Olaf Hartong, Florian Roth
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
TargetProcessAddress: '*0B80'
condition: selection
falsepositives:
- unknown
level: high
```
### es-qs
```
(EventID:"8" AND TargetProcessAddress.keyword:*0B80)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/CobaltStrike-Process-Injection <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:*0B80)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'CobaltStrike Process Injection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"8" AND TargetProcessAddress:"*0B80")
```
### splunk
```
(EventID="8" TargetProcessAddress="*0B80")
```
### logpoint
```
(EventID="8" TargetProcessAddress="*0B80")
```
### grep
```
grep -P '^(?:.*(?=.*8)(?=.*.*0B80))'
```
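Review bot: the grep output `grep -P '^(?:.*(?=.*8)(?=.*.*0B80))'` turns `EventID: 8` into the lookahead `(?=.*8)`, which is satisfied by any line containing the digit 8 (timestamps, PIDs, GUIDs), so the effective grep rule is just `0B80` and fires regardless of event type. The grep backend cannot express field-scoped matches; either drop it for rules keyed on EventID or mark in the generated page that grep output is a raw-text approximation. Also propagated from the rule text into Description: "remote threat creation" should read "remote thread creation" (the rule is Sysmon EventID 8, CreateRemoteThread); fix that upstream in the rule rather than in the generated md.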

View File

@ -0,0 +1,95 @@
| Title | DHCP Callout DLL installation |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li><li>[T1112: Modify Registry](../Triggers/T1112.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html](https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html)</li><li>[https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx](https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx)</li><li>[https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx](https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx)</li></ul> |
| Author | Dimitrios Slamaris |
## Detection Rules
### Sigma rule
```
title: DHCP Callout DLL installation
status: experimental
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
date: 2017/05/15
author: Dimitrios Slamaris
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1112
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\Services\DHCPServer\Parameters\CalloutDlls'
- '*\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- unknown
level: high
```
### es-qs
```
(EventID:"13" AND TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/DHCP-Callout-DLL-installation <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\Services\\\\\\\\DHCPServer\\\\\\\\Parameters\\\\\\\\CalloutDlls *\\\\\\\\Services\\\\\\\\DHCPServer\\\\\\\\Parameters\\\\\\\\CalloutEnabled))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'DHCP Callout DLL installation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject:("*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls" "*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"))
```
### splunk
```
(EventID="13" (TargetObject="*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls" OR TargetObject="*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"))
```
### logpoint
```
(EventID="13" TargetObject IN ["*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls", "*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"])
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\Services\\DHCPServer\\Parameters\\CalloutDlls|.*.*\\Services\\DHCPServer\\Parameters\\CalloutEnabled)))'
```
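Review bot: the rule carries `date: 2017/05/15` but the generated table has no Date row, so the one piece of versioning metadata the rule provides is dropped from the rendered page (the same applies to every dated rule in this commit). Add a Date row to the table template when the field is present.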

View File

@ -0,0 +1,107 @@
| Title | DNS ServerLevelPluginDll Install |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83](https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
---
action: global
title: DNS ServerLevelPluginDll Install
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
author: Florian Roth
tags:
- attack.defense_evasion
- attack.t1073
detection:
condition: 1 of them
fields:
- EventID
- CommandLine
- ParentCommandLine
- Image
- User
- TargetObject
falsepositives:
- unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
dnsregmod:
EventID: 13
TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
---
logsource:
category: process_creation
product: windows
detection:
dnsadmin:
CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'
```
### es-qs
```
(EventID:"13" AND TargetObject.keyword:*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll)\nCommandLine.keyword:dnscmd.exe\\ \\/config\\ \\/serverlevelplugindll\\ *
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/DNS-ServerLevelPluginDll-Install <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:*\\\\\\\\services\\\\\\\\DNS\\\\\\\\Parameters\\\\\\\\ServerLevelPluginDll)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'DNS ServerLevelPluginDll Install\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n EventID = {{_source.EventID}}\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n Image = {{_source.Image}}\\n User = {{_source.User}}\\n TargetObject = {{_source.TargetObject}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/DNS-ServerLevelPluginDll-Install-2 <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "CommandLine.keyword:dnscmd.exe\\\\ \\\\/config\\\\ \\\\/serverlevelplugindll\\\\ *",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'DNS ServerLevelPluginDll Install\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on 
{{_source.@timestamp}}:\\n EventID = {{_source.EventID}}\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n Image = {{_source.Image}}\\n User = {{_source.User}}\\n TargetObject = {{_source.TargetObject}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject:"*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll")\nCommandLine:"dnscmd.exe \\/config \\/serverlevelplugindll *"
```
### splunk
```
(EventID="13" TargetObject="*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll") | table EventID,CommandLine,ParentCommandLine,Image,User,TargetObject\nCommandLine="dnscmd.exe /config /serverlevelplugindll *" | table EventID,CommandLine,ParentCommandLine,Image,User,TargetObject
```
### logpoint
```
(EventID="13" TargetObject="*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll")\nCommandLine="dnscmd.exe /config /serverlevelplugindll *"
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*.*\\services\\DNS\\Parameters\\ServerLevelPluginDll))'\ngrep -P '^dnscmd\\.exe /config /serverlevelplugindll .*'
```
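Review bot: the process-creation part `CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'` has no leading wildcard, so every generated query is anchored to the start of the command line (splunk `CommandLine="dnscmd.exe /config /serverlevelplugindll *"`, grep `'^dnscmd\\.exe /config /serverlevelplugindll .*'`). An invocation with a full or quoted path, e.g. `"C:\Windows\System32\dnscmd.exe" /config ...`, is missed even though Data Needed lists both 4688-with-commandline and Sysmon EventID 1, where the logged command line is whatever the caller typed. Worth a `*dnscmd.exe /config /serverlevelplugindll *` upstream. The two queries are again joined with a literal `\n` inside one fence, as in the CMSTP hunk.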

View File

@ -0,0 +1,90 @@
| Title | Detection of SafetyKatz |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects possible SafetyKatz Behaviour |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://github.com/GhostPack/SafetyKatz](https://github.com/GhostPack/SafetyKatz)</li></ul> |
| Author | Markus Neis |
## Detection Rules
### Sigma rule
```
title: Detection of SafetyKatz
status: experimental
description: Detects possible SafetyKatz Behaviour
references:
- https://github.com/GhostPack/SafetyKatz
tags:
- attack.credential_access
- attack.t1003
author: Markus Neis
date: 2018/07/24
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename: '*\Temp\debug.bin'
condition: selection
falsepositives:
- Unknown
level: high
```
### es-qs
```
(EventID:"11" AND TargetFilename.keyword:*\\\\Temp\\\\debug.bin)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Detection-of-SafetyKatz <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"11\\" AND TargetFilename.keyword:*\\\\\\\\Temp\\\\\\\\debug.bin)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Detection of SafetyKatz\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"11" AND TargetFilename:"*\\\\Temp\\\\debug.bin")
```
### splunk
```
(EventID="11" TargetFilename="*\\\\Temp\\\\debug.bin")
```
### logpoint
```
(EventID="11" TargetFilename="*\\\\Temp\\\\debug.bin")
```
### grep
```
grep -P '^(?:.*(?=.*11)(?=.*.*\\Temp\\debug\\.bin))'
```

View File

@ -0,0 +1,102 @@
| Title | Logon Scripts (UserInitMprLogonScript) |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects creation or execution of UserInitMprLogonScript persistence method |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1037: Logon Scripts](https://attack.mitre.org/techniques/T1037)</li></ul> |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | <ul><li>[T1037: Logon Scripts](../Triggers/T1037.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>exclude legitimate logon scripts</li><li>penetration tests, red teaming</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://attack.mitre.org/techniques/T1037/](https://attack.mitre.org/techniques/T1037/)</li></ul> |
| Author | Tom Ueltschi (@c_APT_ure) |
## Detection Rules
### Sigma rule
```
title: Logon Scripts (UserInitMprLogonScript)
status: experimental
description: Detects creation or execution of UserInitMprLogonScript persistence method
references:
- https://attack.mitre.org/techniques/T1037/
tags:
- attack.t1037
- attack.persistence
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
logsource:
product: windows
service: sysmon
detection:
exec_selection:
EventID: 1 # Migration to process_creation requires multipart YAML
ParentImage: '*\userinit.exe'
exec_exclusion:
Image: '*\explorer.exe'
CommandLine: '*\netlogon.bat'
create_selection:
EventID:
- 1
- 11
- 12
- 13
- 14
create_keywords:
- UserInitMprLogonScript
condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords)
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
level: high
```
### es-qs
```
(((EventID:"1" AND ParentImage.keyword:*\\\\userinit.exe) AND NOT (Image.keyword:*\\\\explorer.exe AND CommandLine.keyword:*\\\\netlogon.bat)) OR (EventID:("1" "11" "12" "13" "14") AND "UserInitMprLogonScript"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Logon-Scripts-UserInitMprLogonScript <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(((EventID:\\"1\\" AND ParentImage.keyword:*\\\\\\\\userinit.exe) AND NOT (Image.keyword:*\\\\\\\\explorer.exe AND CommandLine.keyword:*\\\\\\\\netlogon.bat)) OR (EventID:(\\"1\\" \\"11\\" \\"12\\" \\"13\\" \\"14\\") AND \\"UserInitMprLogonScript\\"))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Logon Scripts (UserInitMprLogonScript)\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(((EventID:"1" AND ParentImage:"*\\\\userinit.exe") AND NOT (Image:"*\\\\explorer.exe" AND CommandLine:"*\\\\netlogon.bat")) OR (EventID:("1" "11" "12" "13" "14") AND "UserInitMprLogonScript"))
```
### splunk
```
(((EventID="1" ParentImage="*\\\\userinit.exe") NOT (Image="*\\\\explorer.exe" CommandLine="*\\\\netlogon.bat")) OR ((EventID="1" OR EventID="11" OR EventID="12" OR EventID="13" OR EventID="14") "UserInitMprLogonScript"))
```
### logpoint
```
(((EventID="1" ParentImage="*\\\\userinit.exe") -(Image="*\\\\explorer.exe" CommandLine="*\\\\netlogon.bat")) OR (EventID IN ["1", "11", "12", "13", "14"] "UserInitMprLogonScript"))
```
### grep
```
grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*(?=.*1)(?=.*.*\\userinit\\.exe)))(?=.*(?!.*(?:.*(?=.*.*\\explorer\\.exe)(?=.*.*\\netlogon\\.bat)))))|.*(?:.*(?=.*(?:.*1|.*11|.*12|.*13|.*14))(?=.*UserInitMprLogonScript))))'
```
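Review bot: `create_keywords` is a free-text keyword, and it is rendered as a bare `"UserInitMprLogonScript"` term in the es-qs, graylog, splunk and logpoint output with no field name. Whether that matches anything depends on each backend's default full-text field configuration (for Elasticsearch, the index's default-field setting), so the generated page should say which field the keyword is expected to hit, or the rule should pin it to `TargetObject`/`CommandLine`/`TargetFilename` explicitly for the event IDs it lists. The grep fallback has the same EventID problem as the other hunks: `(?=.*(?:.*1|.*11|.*12|.*13|.*14))` matches any line containing a 1.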

View File

@ -0,0 +1,109 @@
| Title | Malicious Named Pipe |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the creation of a named pipe used by known APT malware |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unkown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[Various sources](Various sources)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Malicious Named Pipe
status: experimental
description: Detects the creation of a named pipe used by known APT malware
references:
- Various sources
date: 2017/11/06
author: Florian Roth
logsource:
product: windows
service: sysmon
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
selection:
EventID:
- 17
- 18
PipeName:
- '\isapi_http' # Uroburos Malware Named Pipe
- '\isapi_dg' # Uroburos Malware Named Pipe
- '\isapi_dg2' # Uroburos Malware Named Pipe
- '\sdlrpc' # Cobra Trojan Named Pipe http://goo.gl/8rOZUX
- '\ahexec' # Sofacy group malware
- '\winsession' # Wild Neutron APT malware https://goo.gl/pivRZJ
- '\lsassw' # Wild Neutron APT malware https://goo.gl/pivRZJ
- '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron https://goo.gl/eFoP4A
- '\9f81f59bc58452127884ce513865ed20' # Project Sauron https://goo.gl/eFoP4A
- '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron https://goo.gl/eFoP4A
- '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
- '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
- '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
- '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
condition: selection
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
falsepositives:
- Unkown
level: critical
```
### es-qs
```
(EventID:("17" "18") AND PipeName.keyword:(\\\\isapi_http \\\\isapi_dg \\\\isapi_dg2 \\\\sdlrpc \\\\ahexec \\\\winsession \\\\lsassw \\\\46a676ab7f179e511e30dd2dc41bd388 \\\\9f81f59bc58452127884ce513865ed20 \\\\e710f28d59aa529d6792ca6ff0ca1b34 \\\\rpchlp_3 \\\\NamePipe_MoreWindows \\\\pcheap_reuse \\\\msagent_*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Malicious-Named-Pipe <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:(\\"17\\" \\"18\\") AND PipeName.keyword:(\\\\\\\\isapi_http \\\\\\\\isapi_dg \\\\\\\\isapi_dg2 \\\\\\\\sdlrpc \\\\\\\\ahexec \\\\\\\\winsession \\\\\\\\lsassw \\\\\\\\46a676ab7f179e511e30dd2dc41bd388 \\\\\\\\9f81f59bc58452127884ce513865ed20 \\\\\\\\e710f28d59aa529d6792ca6ff0ca1b34 \\\\\\\\rpchlp_3 \\\\\\\\NamePipe_MoreWindows \\\\\\\\pcheap_reuse \\\\\\\\msagent_*))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Malicious Named Pipe\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:("17" "18") AND PipeName:("\\\\isapi_http" "\\\\isapi_dg" "\\\\isapi_dg2" "\\\\sdlrpc" "\\\\ahexec" "\\\\winsession" "\\\\lsassw" "\\\\46a676ab7f179e511e30dd2dc41bd388" "\\\\9f81f59bc58452127884ce513865ed20" "\\\\e710f28d59aa529d6792ca6ff0ca1b34" "\\\\rpchlp_3" "\\\\NamePipe_MoreWindows" "\\\\pcheap_reuse" "\\\\msagent_*"))
```
### splunk
```
((EventID="17" OR EventID="18") (PipeName="\\\\isapi_http" OR PipeName="\\\\isapi_dg" OR PipeName="\\\\isapi_dg2" OR PipeName="\\\\sdlrpc" OR PipeName="\\\\ahexec" OR PipeName="\\\\winsession" OR PipeName="\\\\lsassw" OR PipeName="\\\\46a676ab7f179e511e30dd2dc41bd388" OR PipeName="\\\\9f81f59bc58452127884ce513865ed20" OR PipeName="\\\\e710f28d59aa529d6792ca6ff0ca1b34" OR PipeName="\\\\rpchlp_3" OR PipeName="\\\\NamePipe_MoreWindows" OR PipeName="\\\\pcheap_reuse" OR PipeName="\\\\msagent_*"))
```
### logpoint
```
(EventID IN ["17", "18"] PipeName IN ["\\\\isapi_http", "\\\\isapi_dg", "\\\\isapi_dg2", "\\\\sdlrpc", "\\\\ahexec", "\\\\winsession", "\\\\lsassw", "\\\\46a676ab7f179e511e30dd2dc41bd388", "\\\\9f81f59bc58452127884ce513865ed20", "\\\\e710f28d59aa529d6792ca6ff0ca1b34", "\\\\rpchlp_3", "\\\\NamePipe_MoreWindows", "\\\\pcheap_reuse", "\\\\msagent_*"])
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*17|.*18))(?=.*(?:.*\\isapi_http|.*\\isapi_dg|.*\\isapi_dg2|.*\\sdlrpc|.*\\ahexec|.*\\winsession|.*\\lsassw|.*\\46a676ab7f179e511e30dd2dc41bd388|.*\\9f81f59bc58452127884ce513865ed20|.*\\e710f28d59aa529d6792ca6ff0ca1b34|.*\\rpchlp_3|.*\\NamePipe_MoreWindows|.*\\pcheap_reuse|.*\\msagent_.*)))'
```
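Review bot: `falsepositives` in this rule's Sigma block reads `- Unkown`; correct the spelling to `Unknown` (or lowercase `unknown`, which is what the other rules in this commit use) so the value does not end up as a distinct, misspelled category in the regenerated CSV and analytics.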

@ -0,0 +1,165 @@
| Title | Suspicious Typical Malware Back Connect Ports |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases |
| ATT&amp;CK Tactic | <ul><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1043: Commonly Used Port](https://attack.mitre.org/techniques/T1043)</li></ul> |
| Data Needed | <ul><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li></ul> |
| Trigger | <ul><li>[T1043: Commonly Used Port](../Triggers/T1043.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo](https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Suspicious Typical Malware Back Connect Ports
status: experimental
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
tags:
- attack.command_and_control
- attack.t1043
logsource:
product: windows
service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection:
EventID: 3
DestinationPort:
- '4443'
- '2448'
- '8143'
- '1777'
- '1443'
- '243'
- '65535'
- '13506'
- '3360'
- '200'
- '198'
- '49180'
- '13507'
- '6625'
- '4444'
- '4438'
- '1904'
- '13505'
- '13504'
- '12102'
- '9631'
- '5445'
- '2443'
- '777'
- '13394'
- '13145'
- '12103'
- '5552'
- '3939'
- '3675'
- '666'
- '473'
- '5649'
- '4455'
- '4433'
- '1817'
- '100'
- '65520'
- '1960'
- '1515'
- '743'
- '700'
- '14154'
- '14103'
- '14102'
- '12322'
- '10101'
- '7210'
- '4040'
- '9943'
filter1:
Image: '*\Program Files*'
filter2:
DestinationIp:
- '10.*'
- '192.168.*'
- '172.16.*'
- '172.17.*'
- '172.18.*'
- '172.19.*'
- '172.20.*'
- '172.21.*'
- '172.22.*'
- '172.23.*'
- '172.24.*'
- '172.25.*'
- '172.26.*'
- '172.27.*'
- '172.28.*'
- '172.29.*'
- '172.30.*'
- '172.31.*'
- '127.*'
DestinationIsIpv6: 'false'
condition: selection and not ( filter1 or filter2 )
falsepositives:
- unknown
level: medium
```
### es-qs
```
((EventID:"3" AND DestinationPort:("4443" "2448" "8143" "1777" "1443" "243" "65535" "13506" "3360" "200" "198" "49180" "13507" "6625" "4444" "4438" "1904" "13505" "13504" "12102" "9631" "5445" "2443" "777" "13394" "13145" "12103" "5552" "3939" "3675" "666" "473" "5649" "4455" "4433" "1817" "100" "65520" "1960" "1515" "743" "700" "14154" "14103" "14102" "12322" "10101" "7210" "4040" "9943")) AND NOT ((Image.keyword:*\\\\Program\\ Files* OR (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.*) AND DestinationIsIpv6:"false"))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-Typical-Malware-Back-Connect-Ports <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"3\\" AND DestinationPort:(\\"4443\\" \\"2448\\" \\"8143\\" \\"1777\\" \\"1443\\" \\"243\\" \\"65535\\" \\"13506\\" \\"3360\\" \\"200\\" \\"198\\" \\"49180\\" \\"13507\\" \\"6625\\" \\"4444\\" \\"4438\\" \\"1904\\" \\"13505\\" \\"13504\\" \\"12102\\" \\"9631\\" \\"5445\\" \\"2443\\" \\"777\\" \\"13394\\" \\"13145\\" \\"12103\\" \\"5552\\" \\"3939\\" \\"3675\\" \\"666\\" \\"473\\" \\"5649\\" \\"4455\\" \\"4433\\" \\"1817\\" \\"100\\" \\"65520\\" \\"1960\\" \\"1515\\" \\"743\\" \\"700\\" \\"14154\\" \\"14103\\" \\"14102\\" \\"12322\\" \\"10101\\" \\"7210\\" \\"4040\\" \\"9943\\")) AND NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.*) AND DestinationIsIpv6:\\"false\\"))))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious Typical Malware Back Connect Ports\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"3" AND DestinationPort:("4443" "2448" "8143" "1777" "1443" "243" "65535" "13506" "3360" "200" "198" "49180" "13507" "6625" "4444" "4438" "1904" "13505" "13504" "12102" "9631" "5445" "2443" "777" "13394" "13145" "12103" "5552" "3939" "3675" "666" "473" "5649" "4455" "4433" "1817" "100" "65520" "1960" "1515" "743" "700" "14154" "14103" "14102" "12322" "10101" "7210" "4040" "9943")) AND NOT ((Image:"*\\\\Program Files*" OR (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.*") AND DestinationIsIpv6:"false"))))
```
### splunk
```
((EventID="3" (DestinationPort="4443" OR DestinationPort="2448" OR DestinationPort="8143" OR DestinationPort="1777" OR DestinationPort="1443" OR DestinationPort="243" OR DestinationPort="65535" OR DestinationPort="13506" OR DestinationPort="3360" OR DestinationPort="200" OR DestinationPort="198" OR DestinationPort="49180" OR DestinationPort="13507" OR DestinationPort="6625" OR DestinationPort="4444" OR DestinationPort="4438" OR DestinationPort="1904" OR DestinationPort="13505" OR DestinationPort="13504" OR DestinationPort="12102" OR DestinationPort="9631" OR DestinationPort="5445" OR DestinationPort="2443" OR DestinationPort="777" OR DestinationPort="13394" OR DestinationPort="13145" OR DestinationPort="12103" OR DestinationPort="5552" OR DestinationPort="3939" OR DestinationPort="3675" OR DestinationPort="666" OR DestinationPort="473" OR DestinationPort="5649" OR DestinationPort="4455" OR DestinationPort="4433" OR DestinationPort="1817" OR DestinationPort="100" OR DestinationPort="65520" OR DestinationPort="1960" OR DestinationPort="1515" OR DestinationPort="743" OR DestinationPort="700" OR DestinationPort="14154" OR DestinationPort="14103" OR DestinationPort="14102" OR DestinationPort="12322" OR DestinationPort="10101" OR DestinationPort="7210" OR DestinationPort="4040" OR DestinationPort="9943")) NOT ((Image="*\\\\Program Files*" OR ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*") DestinationIsIpv6="false"))))
```
### logpoint
```
((EventID="3" DestinationPort IN ["4443", "2448", "8143", "1777", "1443", "243", "65535", "13506", "3360", "200", "198", "49180", "13507", "6625", "4444", "4438", "1904", "13505", "13504", "12102", "9631", "5445", "2443", "777", "13394", "13145", "12103", "5552", "3939", "3675", "666", "473", "5649", "4455", "4433", "1817", "100", "65520", "1960", "1515", "743", "700", "14154", "14103", "14102", "12322", "10101", "7210", "4040", "9943"]) -((Image="*\\\\Program Files*" OR (DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"] DestinationIsIpv6="false"))))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*(?:.*4443|.*2448|.*8143|.*1777|.*1443|.*243|.*65535|.*13506|.*3360|.*200|.*198|.*49180|.*13507|.*6625|.*4444|.*4438|.*1904|.*13505|.*13504|.*12102|.*9631|.*5445|.*2443|.*777|.*13394|.*13145|.*12103|.*5552|.*3939|.*3675|.*666|.*473|.*5649|.*4455|.*4433|.*1817|.*100|.*65520|.*1960|.*1515|.*743|.*700|.*14154|.*14103|.*14102|.*12322|.*10101|.*7210|.*4040|.*9943))))(?=.*(?!.*(?:.*(?:.*(?:.*.*\\Program Files.*|.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))(?=.*false))))))))'
```
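Review bot: the `logsource.definition` string in this rule ("Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess ...>VBE7.DLL...") does not match the rule, which selects Sysmon `EventID: 3` network connections and uses no ProcessAccess or CallTrace fields; it looks carried over from the verclsid rule and would mislead anyone building a Sysmon config from the generated page. Drop it or replace it with a NetworkConnect note. Separately, the grep conversion reduces the port list to unanchored lookaheads such as `(?=.*3)` and `.*200|.*198` that match nearly any log line; that block should be marked as unsupported for this backend rather than shipped as a working query.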

@ -0,0 +1,100 @@
| Title | Malware Shellcode in Verclsid Target Process |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/JohnLaTwC/status/837743453039534080](https://twitter.com/JohnLaTwC/status/837743453039534080)</li></ul> |
| Author | John Lambert (tech), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: Malware Shellcode in Verclsid Target Process
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
- https://twitter.com/JohnLaTwC/status/837743453039534080
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
product: windows
service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection:
EventID: 10
TargetImage: '*\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
CallTrace: '*|UNKNOWN(*VBE7.DLL*'
combination2:
SourceImage: '*\Microsoft Office\\*'
CallTrace: '*|UNKNOWN*'
condition: selection and 1 of combination*
falsepositives:
- unknown
level: high
```
### es-qs
```
((EventID:"10" AND TargetImage.keyword:*\\\\verclsid.exe AND GrantedAccess:"0x1FFFFF") AND (CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (SourceImage.keyword:*\\\\Microsoft\\ Office\\\\* AND CallTrace.keyword:*|UNKNOWN*)))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Malware-Shellcode-in-Verclsid-Target-Process <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"10\\" AND TargetImage.keyword:*\\\\\\\\verclsid.exe AND GrantedAccess:\\"0x1FFFFF\\") AND (CallTrace.keyword:*|UNKNOWN\\\\(*VBE7.DLL* OR (SourceImage.keyword:*\\\\\\\\Microsoft\\\\ Office\\\\\\\\* AND CallTrace.keyword:*|UNKNOWN*)))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Malware Shellcode in Verclsid Target Process\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"10" AND TargetImage:"*\\\\verclsid.exe" AND GrantedAccess:"0x1FFFFF") AND (CallTrace:"*|UNKNOWN\\(*VBE7.DLL*" OR (SourceImage:"*\\\\Microsoft Office\\\\*" AND CallTrace:"*|UNKNOWN*")))
```
### splunk
```
((EventID="10" TargetImage="*\\\\verclsid.exe" GrantedAccess="0x1FFFFF") (CallTrace="*|UNKNOWN(*VBE7.DLL*" OR (SourceImage="*\\\\Microsoft Office\\\\*" CallTrace="*|UNKNOWN*")))
```
### logpoint
```
((EventID="10" TargetImage="*\\\\verclsid.exe" GrantedAccess="0x1FFFFF") (CallTrace="*|UNKNOWN(*VBE7.DLL*" OR (SourceImage="*\\\\Microsoft Office\\\\*" CallTrace="*|UNKNOWN*")))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*10)(?=.*.*\\verclsid\\.exe)(?=.*0x1FFFFF)))(?=.*(?:.*(?:.*.*\\|UNKNOWN\\(.*VBE7\\.DLL.*|.*(?:.*(?=.*.*\\Microsoft Office\\\\.*)(?=.*.*\\|UNKNOWN.*))))))'
```

@ -0,0 +1,90 @@
| Title | Mimikatz Detection LSASS Access |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ) |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow](https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow)</li></ul> |
| Author | |
| Other Tags | <ul><li>attack.s0002</li><li>attack.s0002</li></ul> |
## Detection Rules
### Sigma rule
```
title: Mimikatz Detection LSASS Access
status: experimental
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
tags:
- attack.t1003
- attack.s0002
- attack.credential_access
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
GrantedAccess: '0x1410'
condition: selection
falsepositives:
- unknown
level: high
```
### es-qs
```
(EventID:"10" AND TargetImage:"C\\:\\\\windows\\\\system32\\\\lsass.exe" AND GrantedAccess:"0x1410")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Mimikatz-Detection-LSASS-Access <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"10\\" AND TargetImage:\\"C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\lsass.exe\\" AND GrantedAccess:\\"0x1410\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Mimikatz Detection LSASS Access\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"10" AND TargetImage:"C\\:\\\\windows\\\\system32\\\\lsass.exe" AND GrantedAccess:"0x1410")
```
### splunk
```
(EventID="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess="0x1410")
```
### logpoint
```
(EventID="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess="0x1410")
```
### grep
```
grep -P '^(?:.*(?=.*10)(?=.*C:\\windows\\system32\\lsass\\.exe)(?=.*0x1410))'
```
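Review bot: the `Other Tags` table row lists `attack.s0002` twice although the rule's `tags:` carries it once, so the tag collection in the md generation (or the yamls2csv change in this commit) is not de-duplicating; the same doubling shows up in the other rules of this commit that have an `s00xx` tag. While here, the description in both the table and the Sigma block has stray spaces in the constant names (`PROCESS_QUERY_ LIMITED_INFORMATION`, `PROCESS_QUERY_ INFORMATION`); the Windows constants are `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_QUERY_INFORMATION`.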

@ -0,0 +1,107 @@
| Title | Mimikatz In-Memory |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects certain DLL loads when Mimikatz gets executed |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/](https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/)</li></ul> |
| Author | |
| Other Tags | <ul><li>attack.s0002</li><li>attack.s0002</li></ul> |
## Detection Rules
### Sigma rule
```
title: Mimikatz In-Memory
status: experimental
description: Detects certain DLL loads when Mimikatz gets executed
references:
- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
tags:
- attack.s0002
- attack.t1003
- attack.lateral_movement
- attack.credential_access
logsource:
product: windows
service: sysmon
detection:
selector:
EventID: 7
Image: 'C:\Windows\System32\rundll32.exe'
dllload1:
ImageLoaded: '*\vaultcli.dll'
dllload2:
ImageLoaded: '*\wlanapi.dll'
exclusion:
ImageLoaded:
- 'ntdsapi.dll'
- 'netapi32.dll'
- 'imm32.dll'
- 'samlib.dll'
- 'combase.dll'
- 'srvcli.dll'
- 'shcore.dll'
- 'ntasn1.dll'
- 'cryptdll.dll'
- 'logoncli.dll'
timeframe: 30s
condition: selector | near dllload1 and dllload2 and not exclusion
falsepositives:
- unknown
level: medium
```
### es-qs
```
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Mimikatz-In-Memory <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30s"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"7\\" AND Image:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Mimikatz In-Memory\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
```
### splunk
```
```
### logpoint
```
```
### grep
```
grep -P '^(?:.*(?=.*7)(?=.*C:\\Windows\\System32\\rundll32\\.exe))'
```
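Review bot: the es-qs, graylog, splunk and logpoint sections of this rule are empty code fences, and the xpack-watcher and grep outputs contain only the `selector` part (`EventID:"7" AND Image:"C:\Windows\System32\rundll32.exe"`), silently dropping the `near dllload1 and dllload2 and not exclusion` aggregation. As generated, the watcher (note its `interval` is `30s`, not the `30m` used elsewhere) would alert on every rundll32.exe image load, and the empty fences read as broken rendering. Either emit an explicit "not supported by this backend" marker for rules whose condition uses `near`, or skip those backends for this rule instead of publishing a partial query.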

@ -0,0 +1,91 @@
| Title | Password Dumper Remote Thread in LSASS |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0012_8_windows_sysmon_CreateRemoteThread](../Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | stable |
| References | <ul><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm](https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm)</li></ul> |
| Author | Thomas Patzke |
| Other Tags | <ul><li>attack.s0005</li><li>attack.s0005</li></ul> |
## Detection Rules
### Sigma rule
```
title: Password Dumper Remote Thread in LSASS
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
author: Thomas Patzke
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
TargetImage: 'C:\Windows\System32\lsass.exe'
StartModule: null
condition: selection
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
falsepositives:
- unknown
level: high
```
### es-qs
```
(EventID:"8" AND TargetImage:"C\\:\\\\Windows\\\\System32\\\\lsass.exe" AND NOT _exists_:StartModule)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Password-Dumper-Remote-Thread-in-LSASS <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"8\\" AND TargetImage:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\" AND NOT _exists_:StartModule)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Password Dumper Remote Thread in LSASS\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"8" AND TargetImage:"C\\:\\\\Windows\\\\System32\\\\lsass.exe" AND NOT _exists_:StartModule)
```
### splunk
```
(EventID="8" TargetImage="C:\\\\Windows\\\\System32\\\\lsass.exe" NOT StartModule="*")
```
### logpoint
```
(EventID="8" TargetImage="C:\\\\Windows\\\\System32\\\\lsass.exe" -StartModule=*)
```
### grep
```
```
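Review bot: the grep section is an empty code fence because the grep backend has no way to express `StartModule: null` (the `NOT _exists_:StartModule` / `NOT StartModule="*"` / `-StartModule=*` negation the other backends emit); render an explicit unsupported marker instead of an empty block so readers do not take it for a generation error. The `Other Tags` row also repeats `attack.s0005`, the same duplication seen in the Mimikatz rules above.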

@ -0,0 +1,186 @@
| Title | Malicious PowerShell Commandlet Names |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the creation of known powershell scripts for exploitation |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration Tests</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml](https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml)</li></ul> |
| Author | Markus Neis |
## Detection Rules
### Sigma rule
```
title: Malicious PowerShell Commandlet Names
status: experimental
description: Detects the creation of known powershell scripts for exploitation
references:
- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
tags:
- attack.execution
- attack.t1086
author: Markus Neis
date: 2018/04/07
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename:
- '*\Invoke-DllInjection.ps1'
- '*\Invoke-WmiCommand.ps1'
- '*\Get-GPPPassword.ps1'
- '*\Get-Keystrokes.ps1'
- '*\Get-VaultCredential.ps1'
- '*\Invoke-CredentialInjection.ps1'
- '*\Invoke-Mimikatz.ps1'
- '*\Invoke-NinjaCopy.ps1'
- '*\Invoke-TokenManipulation.ps1'
- '*\Out-Minidump.ps1'
- '*\VolumeShadowCopyTools.ps1'
- '*\Invoke-ReflectivePEInjection.ps1'
- '*\Get-TimedScreenshot.ps1'
- '*\Invoke-UserHunter.ps1'
- '*\Find-GPOLocation.ps1'
- '*\Invoke-ACLScanner.ps1'
- '*\Invoke-DowngradeAccount.ps1'
- '*\Get-ServiceUnquoted.ps1'
- '*\Get-ServiceFilePermission.ps1'
- '*\Get-ServicePermission.ps1'
- '*\Invoke-ServiceAbuse.ps1'
- '*\Install-ServiceBinary.ps1'
- '*\Get-RegAutoLogon.ps1'
- '*\Get-VulnAutoRun.ps1'
- '*\Get-VulnSchTask.ps1'
- '*\Get-UnattendedInstallFile.ps1'
- '*\Get-WebConfig.ps1'
- '*\Get-ApplicationHost.ps1'
- '*\Get-RegAlwaysInstallElevated.ps1'
- '*\Get-Unconstrained.ps1'
- '*\Add-RegBackdoor.ps1'
- '*\Add-ScrnSaveBackdoor.ps1'
- '*\Gupt-Backdoor.ps1'
- '*\Invoke-ADSBackdoor.ps1'
- '*\Enabled-DuplicateToken.ps1'
- '*\Invoke-PsUaCme.ps1'
- '*\Remove-Update.ps1'
- '*\Check-VM.ps1'
- '*\Get-LSASecret.ps1'
- '*\Get-PassHashes.ps1'
- '*\Show-TargetScreen.ps1'
- '*\Port-Scan.ps1'
- '*\Invoke-PoshRatHttp.ps1'
- '*\Invoke-PowerShellTCP.ps1'
- '*\Invoke-PowerShellWMI.ps1'
- '*\Add-Exfiltration.ps1'
- '*\Add-Persistence.ps1'
- '*\Do-Exfiltration.ps1'
- '*\Start-CaptureServer.ps1'
- '*\Invoke-ShellCode.ps1'
- '*\Get-ChromeDump.ps1'
- '*\Get-ClipboardContents.ps1'
- '*\Get-FoxDump.ps1'
- '*\Get-IndexedItem.ps1'
- '*\Get-Screenshot.ps1'
- '*\Invoke-Inveigh.ps1'
- '*\Invoke-NetRipper.ps1'
- '*\Invoke-EgressCheck.ps1'
- '*\Invoke-PostExfil.ps1'
- '*\Invoke-PSInject.ps1'
- '*\Invoke-RunAs.ps1'
- '*\MailRaider.ps1'
- '*\New-HoneyHash.ps1'
- '*\Set-MacAttribute.ps1'
- '*\Invoke-DCSync.ps1'
- '*\Invoke-PowerDump.ps1'
- '*\Exploit-Jboss.ps1'
- '*\Invoke-ThunderStruck.ps1'
- '*\Invoke-VoiceTroll.ps1'
- '*\Set-Wallpaper.ps1'
- '*\Invoke-InveighRelay.ps1'
- '*\Invoke-PsExec.ps1'
- '*\Invoke-SSHCommand.ps1'
- '*\Get-SecurityPackages.ps1'
- '*\Install-SSP.ps1'
- '*\Invoke-BackdoorLNK.ps1'
- '*\PowerBreach.ps1'
- '*\Get-SiteListPassword.ps1'
- '*\Get-System.ps1'
- '*\Invoke-BypassUAC.ps1'
- '*\Invoke-Tater.ps1'
- '*\Invoke-WScriptBypassUAC.ps1'
- '*\PowerUp.ps1'
- '*\PowerView.ps1'
- '*\Get-RickAstley.ps1'
- '*\Find-Fruit.ps1'
- '*\HTTP-Login.ps1'
- '*\Find-TrustedDocuments.ps1'
- '*\Invoke-Paranoia.ps1'
- '*\Invoke-WinEnum.ps1'
- '*\Invoke-ARPScan.ps1'
- '*\Invoke-PortScan.ps1'
- '*\Invoke-ReverseDNSLookup.ps1'
- '*\Invoke-SMBScanner.ps1'
- '*\Invoke-Mimikittenz.ps1'
condition: selection
falsepositives:
- Penetration Tests
level: high
```
### es-qs
```
(EventID:"11" AND TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 *\\\\Invoke\\-WmiCommand.ps1 *\\\\Get\\-GPPPassword.ps1 *\\\\Get\\-Keystrokes.ps1 *\\\\Get\\-VaultCredential.ps1 *\\\\Invoke\\-CredentialInjection.ps1 *\\\\Invoke\\-Mimikatz.ps1 *\\\\Invoke\\-NinjaCopy.ps1 *\\\\Invoke\\-TokenManipulation.ps1 *\\\\Out\\-Minidump.ps1 *\\\\VolumeShadowCopyTools.ps1 *\\\\Invoke\\-ReflectivePEInjection.ps1 *\\\\Get\\-TimedScreenshot.ps1 *\\\\Invoke\\-UserHunter.ps1 *\\\\Find\\-GPOLocation.ps1 *\\\\Invoke\\-ACLScanner.ps1 *\\\\Invoke\\-DowngradeAccount.ps1 *\\\\Get\\-ServiceUnquoted.ps1 *\\\\Get\\-ServiceFilePermission.ps1 *\\\\Get\\-ServicePermission.ps1 *\\\\Invoke\\-ServiceAbuse.ps1 *\\\\Install\\-ServiceBinary.ps1 *\\\\Get\\-RegAutoLogon.ps1 *\\\\Get\\-VulnAutoRun.ps1 *\\\\Get\\-VulnSchTask.ps1 *\\\\Get\\-UnattendedInstallFile.ps1 *\\\\Get\\-WebConfig.ps1 *\\\\Get\\-ApplicationHost.ps1 *\\\\Get\\-RegAlwaysInstallElevated.ps1 *\\\\Get\\-Unconstrained.ps1 *\\\\Add\\-RegBackdoor.ps1 *\\\\Add\\-ScrnSaveBackdoor.ps1 *\\\\Gupt\\-Backdoor.ps1 *\\\\Invoke\\-ADSBackdoor.ps1 *\\\\Enabled\\-DuplicateToken.ps1 *\\\\Invoke\\-PsUaCme.ps1 *\\\\Remove\\-Update.ps1 *\\\\Check\\-VM.ps1 *\\\\Get\\-LSASecret.ps1 *\\\\Get\\-PassHashes.ps1 *\\\\Show\\-TargetScreen.ps1 *\\\\Port\\-Scan.ps1 *\\\\Invoke\\-PoshRatHttp.ps1 *\\\\Invoke\\-PowerShellTCP.ps1 *\\\\Invoke\\-PowerShellWMI.ps1 *\\\\Add\\-Exfiltration.ps1 *\\\\Add\\-Persistence.ps1 *\\\\Do\\-Exfiltration.ps1 *\\\\Start\\-CaptureServer.ps1 *\\\\Invoke\\-ShellCode.ps1 *\\\\Get\\-ChromeDump.ps1 *\\\\Get\\-ClipboardContents.ps1 *\\\\Get\\-FoxDump.ps1 *\\\\Get\\-IndexedItem.ps1 *\\\\Get\\-Screenshot.ps1 *\\\\Invoke\\-Inveigh.ps1 *\\\\Invoke\\-NetRipper.ps1 *\\\\Invoke\\-EgressCheck.ps1 *\\\\Invoke\\-PostExfil.ps1 *\\\\Invoke\\-PSInject.ps1 *\\\\Invoke\\-RunAs.ps1 *\\\\MailRaider.ps1 *\\\\New\\-HoneyHash.ps1 *\\\\Set\\-MacAttribute.ps1 *\\\\Invoke\\-DCSync.ps1 *\\\\Invoke\\-PowerDump.ps1 *\\\\Exploit\\-Jboss.ps1 
*\\\\Invoke\\-ThunderStruck.ps1 *\\\\Invoke\\-VoiceTroll.ps1 *\\\\Set\\-Wallpaper.ps1 *\\\\Invoke\\-InveighRelay.ps1 *\\\\Invoke\\-PsExec.ps1 *\\\\Invoke\\-SSHCommand.ps1 *\\\\Get\\-SecurityPackages.ps1 *\\\\Install\\-SSP.ps1 *\\\\Invoke\\-BackdoorLNK.ps1 *\\\\PowerBreach.ps1 *\\\\Get\\-SiteListPassword.ps1 *\\\\Get\\-System.ps1 *\\\\Invoke\\-BypassUAC.ps1 *\\\\Invoke\\-Tater.ps1 *\\\\Invoke\\-WScriptBypassUAC.ps1 *\\\\PowerUp.ps1 *\\\\PowerView.ps1 *\\\\Get\\-RickAstley.ps1 *\\\\Find\\-Fruit.ps1 *\\\\HTTP\\-Login.ps1 *\\\\Find\\-TrustedDocuments.ps1 *\\\\Invoke\\-Paranoia.ps1 *\\\\Invoke\\-WinEnum.ps1 *\\\\Invoke\\-ARPScan.ps1 *\\\\Invoke\\-PortScan.ps1 *\\\\Invoke\\-ReverseDNSLookup.ps1 *\\\\Invoke\\-SMBScanner.ps1 *\\\\Invoke\\-Mimikittenz.ps1))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Malicious-PowerShell-Commandlet-Names <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"11\\" AND TargetFilename.keyword:(*\\\\\\\\Invoke\\\\-DllInjection.ps1 *\\\\\\\\Invoke\\\\-WmiCommand.ps1 *\\\\\\\\Get\\\\-GPPPassword.ps1 *\\\\\\\\Get\\\\-Keystrokes.ps1 *\\\\\\\\Get\\\\-VaultCredential.ps1 *\\\\\\\\Invoke\\\\-CredentialInjection.ps1 *\\\\\\\\Invoke\\\\-Mimikatz.ps1 *\\\\\\\\Invoke\\\\-NinjaCopy.ps1 *\\\\\\\\Invoke\\\\-TokenManipulation.ps1 *\\\\\\\\Out\\\\-Minidump.ps1 *\\\\\\\\VolumeShadowCopyTools.ps1 *\\\\\\\\Invoke\\\\-ReflectivePEInjection.ps1 *\\\\\\\\Get\\\\-TimedScreenshot.ps1 *\\\\\\\\Invoke\\\\-UserHunter.ps1 *\\\\\\\\Find\\\\-GPOLocation.ps1 *\\\\\\\\Invoke\\\\-ACLScanner.ps1 *\\\\\\\\Invoke\\\\-DowngradeAccount.ps1 *\\\\\\\\Get\\\\-ServiceUnquoted.ps1 *\\\\\\\\Get\\\\-ServiceFilePermission.ps1 *\\\\\\\\Get\\\\-ServicePermission.ps1 *\\\\\\\\Invoke\\\\-ServiceAbuse.ps1 *\\\\\\\\Install\\\\-ServiceBinary.ps1 *\\\\\\\\Get\\\\-RegAutoLogon.ps1 *\\\\\\\\Get\\\\-VulnAutoRun.ps1 *\\\\\\\\Get\\\\-VulnSchTask.ps1 *\\\\\\\\Get\\\\-UnattendedInstallFile.ps1 *\\\\\\\\Get\\\\-WebConfig.ps1 *\\\\\\\\Get\\\\-ApplicationHost.ps1 *\\\\\\\\Get\\\\-RegAlwaysInstallElevated.ps1 *\\\\\\\\Get\\\\-Unconstrained.ps1 *\\\\\\\\Add\\\\-RegBackdoor.ps1 *\\\\\\\\Add\\\\-ScrnSaveBackdoor.ps1 *\\\\\\\\Gupt\\\\-Backdoor.ps1 *\\\\\\\\Invoke\\\\-ADSBackdoor.ps1 *\\\\\\\\Enabled\\\\-DuplicateToken.ps1 *\\\\\\\\Invoke\\\\-PsUaCme.ps1 *\\\\\\\\Remove\\\\-Update.ps1 *\\\\\\\\Check\\\\-VM.ps1 *\\\\\\\\Get\\\\-LSASecret.ps1 *\\\\\\\\Get\\\\-PassHashes.ps1 *\\\\\\\\Show\\\\-TargetScreen.ps1 *\\\\\\\\Port\\\\-Scan.ps1 *\\\\\\\\Invoke\\\\-PoshRatHttp.ps1 *\\\\\\\\Invoke\\\\-PowerShellTCP.ps1 *\\\\\\\\Invoke\\\\-PowerShellWMI.ps1 
*\\\\\\\\Add\\\\-Exfiltration.ps1 *\\\\\\\\Add\\\\-Persistence.ps1 *\\\\\\\\Do\\\\-Exfiltration.ps1 *\\\\\\\\Start\\\\-CaptureServer.ps1 *\\\\\\\\Invoke\\\\-ShellCode.ps1 *\\\\\\\\Get\\\\-ChromeDump.ps1 *\\\\\\\\Get\\\\-ClipboardContents.ps1 *\\\\\\\\Get\\\\-FoxDump.ps1 *\\\\\\\\Get\\\\-IndexedItem.ps1 *\\\\\\\\Get\\\\-Screenshot.ps1 *\\\\\\\\Invoke\\\\-Inveigh.ps1 *\\\\\\\\Invoke\\\\-NetRipper.ps1 *\\\\\\\\Invoke\\\\-EgressCheck.ps1 *\\\\\\\\Invoke\\\\-PostExfil.ps1 *\\\\\\\\Invoke\\\\-PSInject.ps1 *\\\\\\\\Invoke\\\\-RunAs.ps1 *\\\\\\\\MailRaider.ps1 *\\\\\\\\New\\\\-HoneyHash.ps1 *\\\\\\\\Set\\\\-MacAttribute.ps1 *\\\\\\\\Invoke\\\\-DCSync.ps1 *\\\\\\\\Invoke\\\\-PowerDump.ps1 *\\\\\\\\Exploit\\\\-Jboss.ps1 *\\\\\\\\Invoke\\\\-ThunderStruck.ps1 *\\\\\\\\Invoke\\\\-VoiceTroll.ps1 *\\\\\\\\Set\\\\-Wallpaper.ps1 *\\\\\\\\Invoke\\\\-InveighRelay.ps1 *\\\\\\\\Invoke\\\\-PsExec.ps1 *\\\\\\\\Invoke\\\\-SSHCommand.ps1 *\\\\\\\\Get\\\\-SecurityPackages.ps1 *\\\\\\\\Install\\\\-SSP.ps1 *\\\\\\\\Invoke\\\\-BackdoorLNK.ps1 *\\\\\\\\PowerBreach.ps1 *\\\\\\\\Get\\\\-SiteListPassword.ps1 *\\\\\\\\Get\\\\-System.ps1 *\\\\\\\\Invoke\\\\-BypassUAC.ps1 *\\\\\\\\Invoke\\\\-Tater.ps1 *\\\\\\\\Invoke\\\\-WScriptBypassUAC.ps1 *\\\\\\\\PowerUp.ps1 *\\\\\\\\PowerView.ps1 *\\\\\\\\Get\\\\-RickAstley.ps1 *\\\\\\\\Find\\\\-Fruit.ps1 *\\\\\\\\HTTP\\\\-Login.ps1 *\\\\\\\\Find\\\\-TrustedDocuments.ps1 *\\\\\\\\Invoke\\\\-Paranoia.ps1 *\\\\\\\\Invoke\\\\-WinEnum.ps1 *\\\\\\\\Invoke\\\\-ARPScan.ps1 *\\\\\\\\Invoke\\\\-PortScan.ps1 *\\\\\\\\Invoke\\\\-ReverseDNSLookup.ps1 *\\\\\\\\Invoke\\\\-SMBScanner.ps1 *\\\\\\\\Invoke\\\\-Mimikittenz.ps1))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Malicious PowerShell Commandlet Names\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"11" AND TargetFilename:("*\\\\Invoke\\-DllInjection.ps1" "*\\\\Invoke\\-WmiCommand.ps1" "*\\\\Get\\-GPPPassword.ps1" "*\\\\Get\\-Keystrokes.ps1" "*\\\\Get\\-VaultCredential.ps1" "*\\\\Invoke\\-CredentialInjection.ps1" "*\\\\Invoke\\-Mimikatz.ps1" "*\\\\Invoke\\-NinjaCopy.ps1" "*\\\\Invoke\\-TokenManipulation.ps1" "*\\\\Out\\-Minidump.ps1" "*\\\\VolumeShadowCopyTools.ps1" "*\\\\Invoke\\-ReflectivePEInjection.ps1" "*\\\\Get\\-TimedScreenshot.ps1" "*\\\\Invoke\\-UserHunter.ps1" "*\\\\Find\\-GPOLocation.ps1" "*\\\\Invoke\\-ACLScanner.ps1" "*\\\\Invoke\\-DowngradeAccount.ps1" "*\\\\Get\\-ServiceUnquoted.ps1" "*\\\\Get\\-ServiceFilePermission.ps1" "*\\\\Get\\-ServicePermission.ps1" "*\\\\Invoke\\-ServiceAbuse.ps1" "*\\\\Install\\-ServiceBinary.ps1" "*\\\\Get\\-RegAutoLogon.ps1" "*\\\\Get\\-VulnAutoRun.ps1" "*\\\\Get\\-VulnSchTask.ps1" "*\\\\Get\\-UnattendedInstallFile.ps1" "*\\\\Get\\-WebConfig.ps1" "*\\\\Get\\-ApplicationHost.ps1" "*\\\\Get\\-RegAlwaysInstallElevated.ps1" "*\\\\Get\\-Unconstrained.ps1" "*\\\\Add\\-RegBackdoor.ps1" "*\\\\Add\\-ScrnSaveBackdoor.ps1" "*\\\\Gupt\\-Backdoor.ps1" "*\\\\Invoke\\-ADSBackdoor.ps1" "*\\\\Enabled\\-DuplicateToken.ps1" "*\\\\Invoke\\-PsUaCme.ps1" "*\\\\Remove\\-Update.ps1" "*\\\\Check\\-VM.ps1" "*\\\\Get\\-LSASecret.ps1" "*\\\\Get\\-PassHashes.ps1" "*\\\\Show\\-TargetScreen.ps1" "*\\\\Port\\-Scan.ps1" "*\\\\Invoke\\-PoshRatHttp.ps1" "*\\\\Invoke\\-PowerShellTCP.ps1" "*\\\\Invoke\\-PowerShellWMI.ps1" "*\\\\Add\\-Exfiltration.ps1" "*\\\\Add\\-Persistence.ps1" "*\\\\Do\\-Exfiltration.ps1" "*\\\\Start\\-CaptureServer.ps1" "*\\\\Invoke\\-ShellCode.ps1" "*\\\\Get\\-ChromeDump.ps1" "*\\\\Get\\-ClipboardContents.ps1" "*\\\\Get\\-FoxDump.ps1" "*\\\\Get\\-IndexedItem.ps1" "*\\\\Get\\-Screenshot.ps1" "*\\\\Invoke\\-Inveigh.ps1" "*\\\\Invoke\\-NetRipper.ps1" "*\\\\Invoke\\-EgressCheck.ps1" "*\\\\Invoke\\-PostExfil.ps1" "*\\\\Invoke\\-PSInject.ps1" "*\\\\Invoke\\-RunAs.ps1" "*\\\\MailRaider.ps1" "*\\\\New\\-HoneyHash.ps1" 
"*\\\\Set\\-MacAttribute.ps1" "*\\\\Invoke\\-DCSync.ps1" "*\\\\Invoke\\-PowerDump.ps1" "*\\\\Exploit\\-Jboss.ps1" "*\\\\Invoke\\-ThunderStruck.ps1" "*\\\\Invoke\\-VoiceTroll.ps1" "*\\\\Set\\-Wallpaper.ps1" "*\\\\Invoke\\-InveighRelay.ps1" "*\\\\Invoke\\-PsExec.ps1" "*\\\\Invoke\\-SSHCommand.ps1" "*\\\\Get\\-SecurityPackages.ps1" "*\\\\Install\\-SSP.ps1" "*\\\\Invoke\\-BackdoorLNK.ps1" "*\\\\PowerBreach.ps1" "*\\\\Get\\-SiteListPassword.ps1" "*\\\\Get\\-System.ps1" "*\\\\Invoke\\-BypassUAC.ps1" "*\\\\Invoke\\-Tater.ps1" "*\\\\Invoke\\-WScriptBypassUAC.ps1" "*\\\\PowerUp.ps1" "*\\\\PowerView.ps1" "*\\\\Get\\-RickAstley.ps1" "*\\\\Find\\-Fruit.ps1" "*\\\\HTTP\\-Login.ps1" "*\\\\Find\\-TrustedDocuments.ps1" "*\\\\Invoke\\-Paranoia.ps1" "*\\\\Invoke\\-WinEnum.ps1" "*\\\\Invoke\\-ARPScan.ps1" "*\\\\Invoke\\-PortScan.ps1" "*\\\\Invoke\\-ReverseDNSLookup.ps1" "*\\\\Invoke\\-SMBScanner.ps1" "*\\\\Invoke\\-Mimikittenz.ps1"))
```
### splunk
```
(EventID="11" (TargetFilename="*\\\\Invoke-DllInjection.ps1" OR TargetFilename="*\\\\Invoke-WmiCommand.ps1" OR TargetFilename="*\\\\Get-GPPPassword.ps1" OR TargetFilename="*\\\\Get-Keystrokes.ps1" OR TargetFilename="*\\\\Get-VaultCredential.ps1" OR TargetFilename="*\\\\Invoke-CredentialInjection.ps1" OR TargetFilename="*\\\\Invoke-Mimikatz.ps1" OR TargetFilename="*\\\\Invoke-NinjaCopy.ps1" OR TargetFilename="*\\\\Invoke-TokenManipulation.ps1" OR TargetFilename="*\\\\Out-Minidump.ps1" OR TargetFilename="*\\\\VolumeShadowCopyTools.ps1" OR TargetFilename="*\\\\Invoke-ReflectivePEInjection.ps1" OR TargetFilename="*\\\\Get-TimedScreenshot.ps1" OR TargetFilename="*\\\\Invoke-UserHunter.ps1" OR TargetFilename="*\\\\Find-GPOLocation.ps1" OR TargetFilename="*\\\\Invoke-ACLScanner.ps1" OR TargetFilename="*\\\\Invoke-DowngradeAccount.ps1" OR TargetFilename="*\\\\Get-ServiceUnquoted.ps1" OR TargetFilename="*\\\\Get-ServiceFilePermission.ps1" OR TargetFilename="*\\\\Get-ServicePermission.ps1" OR TargetFilename="*\\\\Invoke-ServiceAbuse.ps1" OR TargetFilename="*\\\\Install-ServiceBinary.ps1" OR TargetFilename="*\\\\Get-RegAutoLogon.ps1" OR TargetFilename="*\\\\Get-VulnAutoRun.ps1" OR TargetFilename="*\\\\Get-VulnSchTask.ps1" OR TargetFilename="*\\\\Get-UnattendedInstallFile.ps1" OR TargetFilename="*\\\\Get-WebConfig.ps1" OR TargetFilename="*\\\\Get-ApplicationHost.ps1" OR TargetFilename="*\\\\Get-RegAlwaysInstallElevated.ps1" OR TargetFilename="*\\\\Get-Unconstrained.ps1" OR TargetFilename="*\\\\Add-RegBackdoor.ps1" OR TargetFilename="*\\\\Add-ScrnSaveBackdoor.ps1" OR TargetFilename="*\\\\Gupt-Backdoor.ps1" OR TargetFilename="*\\\\Invoke-ADSBackdoor.ps1" OR TargetFilename="*\\\\Enabled-DuplicateToken.ps1" OR TargetFilename="*\\\\Invoke-PsUaCme.ps1" OR TargetFilename="*\\\\Remove-Update.ps1" OR TargetFilename="*\\\\Check-VM.ps1" OR TargetFilename="*\\\\Get-LSASecret.ps1" OR TargetFilename="*\\\\Get-PassHashes.ps1" OR TargetFilename="*\\\\Show-TargetScreen.ps1" OR 
TargetFilename="*\\\\Port-Scan.ps1" OR TargetFilename="*\\\\Invoke-PoshRatHttp.ps1" OR TargetFilename="*\\\\Invoke-PowerShellTCP.ps1" OR TargetFilename="*\\\\Invoke-PowerShellWMI.ps1" OR TargetFilename="*\\\\Add-Exfiltration.ps1" OR TargetFilename="*\\\\Add-Persistence.ps1" OR TargetFilename="*\\\\Do-Exfiltration.ps1" OR TargetFilename="*\\\\Start-CaptureServer.ps1" OR TargetFilename="*\\\\Invoke-ShellCode.ps1" OR TargetFilename="*\\\\Get-ChromeDump.ps1" OR TargetFilename="*\\\\Get-ClipboardContents.ps1" OR TargetFilename="*\\\\Get-FoxDump.ps1" OR TargetFilename="*\\\\Get-IndexedItem.ps1" OR TargetFilename="*\\\\Get-Screenshot.ps1" OR TargetFilename="*\\\\Invoke-Inveigh.ps1" OR TargetFilename="*\\\\Invoke-NetRipper.ps1" OR TargetFilename="*\\\\Invoke-EgressCheck.ps1" OR TargetFilename="*\\\\Invoke-PostExfil.ps1" OR TargetFilename="*\\\\Invoke-PSInject.ps1" OR TargetFilename="*\\\\Invoke-RunAs.ps1" OR TargetFilename="*\\\\MailRaider.ps1" OR TargetFilename="*\\\\New-HoneyHash.ps1" OR TargetFilename="*\\\\Set-MacAttribute.ps1" OR TargetFilename="*\\\\Invoke-DCSync.ps1" OR TargetFilename="*\\\\Invoke-PowerDump.ps1" OR TargetFilename="*\\\\Exploit-Jboss.ps1" OR TargetFilename="*\\\\Invoke-ThunderStruck.ps1" OR TargetFilename="*\\\\Invoke-VoiceTroll.ps1" OR TargetFilename="*\\\\Set-Wallpaper.ps1" OR TargetFilename="*\\\\Invoke-InveighRelay.ps1" OR TargetFilename="*\\\\Invoke-PsExec.ps1" OR TargetFilename="*\\\\Invoke-SSHCommand.ps1" OR TargetFilename="*\\\\Get-SecurityPackages.ps1" OR TargetFilename="*\\\\Install-SSP.ps1" OR TargetFilename="*\\\\Invoke-BackdoorLNK.ps1" OR TargetFilename="*\\\\PowerBreach.ps1" OR TargetFilename="*\\\\Get-SiteListPassword.ps1" OR TargetFilename="*\\\\Get-System.ps1" OR TargetFilename="*\\\\Invoke-BypassUAC.ps1" OR TargetFilename="*\\\\Invoke-Tater.ps1" OR TargetFilename="*\\\\Invoke-WScriptBypassUAC.ps1" OR TargetFilename="*\\\\PowerUp.ps1" OR TargetFilename="*\\\\PowerView.ps1" OR TargetFilename="*\\\\Get-RickAstley.ps1" OR 
TargetFilename="*\\\\Find-Fruit.ps1" OR TargetFilename="*\\\\HTTP-Login.ps1" OR TargetFilename="*\\\\Find-TrustedDocuments.ps1" OR TargetFilename="*\\\\Invoke-Paranoia.ps1" OR TargetFilename="*\\\\Invoke-WinEnum.ps1" OR TargetFilename="*\\\\Invoke-ARPScan.ps1" OR TargetFilename="*\\\\Invoke-PortScan.ps1" OR TargetFilename="*\\\\Invoke-ReverseDNSLookup.ps1" OR TargetFilename="*\\\\Invoke-SMBScanner.ps1" OR TargetFilename="*\\\\Invoke-Mimikittenz.ps1"))
```
### logpoint
```
(EventID="11" TargetFilename IN ["*\\\\Invoke-DllInjection.ps1", "*\\\\Invoke-WmiCommand.ps1", "*\\\\Get-GPPPassword.ps1", "*\\\\Get-Keystrokes.ps1", "*\\\\Get-VaultCredential.ps1", "*\\\\Invoke-CredentialInjection.ps1", "*\\\\Invoke-Mimikatz.ps1", "*\\\\Invoke-NinjaCopy.ps1", "*\\\\Invoke-TokenManipulation.ps1", "*\\\\Out-Minidump.ps1", "*\\\\VolumeShadowCopyTools.ps1", "*\\\\Invoke-ReflectivePEInjection.ps1", "*\\\\Get-TimedScreenshot.ps1", "*\\\\Invoke-UserHunter.ps1", "*\\\\Find-GPOLocation.ps1", "*\\\\Invoke-ACLScanner.ps1", "*\\\\Invoke-DowngradeAccount.ps1", "*\\\\Get-ServiceUnquoted.ps1", "*\\\\Get-ServiceFilePermission.ps1", "*\\\\Get-ServicePermission.ps1", "*\\\\Invoke-ServiceAbuse.ps1", "*\\\\Install-ServiceBinary.ps1", "*\\\\Get-RegAutoLogon.ps1", "*\\\\Get-VulnAutoRun.ps1", "*\\\\Get-VulnSchTask.ps1", "*\\\\Get-UnattendedInstallFile.ps1", "*\\\\Get-WebConfig.ps1", "*\\\\Get-ApplicationHost.ps1", "*\\\\Get-RegAlwaysInstallElevated.ps1", "*\\\\Get-Unconstrained.ps1", "*\\\\Add-RegBackdoor.ps1", "*\\\\Add-ScrnSaveBackdoor.ps1", "*\\\\Gupt-Backdoor.ps1", "*\\\\Invoke-ADSBackdoor.ps1", "*\\\\Enabled-DuplicateToken.ps1", "*\\\\Invoke-PsUaCme.ps1", "*\\\\Remove-Update.ps1", "*\\\\Check-VM.ps1", "*\\\\Get-LSASecret.ps1", "*\\\\Get-PassHashes.ps1", "*\\\\Show-TargetScreen.ps1", "*\\\\Port-Scan.ps1", "*\\\\Invoke-PoshRatHttp.ps1", "*\\\\Invoke-PowerShellTCP.ps1", "*\\\\Invoke-PowerShellWMI.ps1", "*\\\\Add-Exfiltration.ps1", "*\\\\Add-Persistence.ps1", "*\\\\Do-Exfiltration.ps1", "*\\\\Start-CaptureServer.ps1", "*\\\\Invoke-ShellCode.ps1", "*\\\\Get-ChromeDump.ps1", "*\\\\Get-ClipboardContents.ps1", "*\\\\Get-FoxDump.ps1", "*\\\\Get-IndexedItem.ps1", "*\\\\Get-Screenshot.ps1", "*\\\\Invoke-Inveigh.ps1", "*\\\\Invoke-NetRipper.ps1", "*\\\\Invoke-EgressCheck.ps1", "*\\\\Invoke-PostExfil.ps1", "*\\\\Invoke-PSInject.ps1", "*\\\\Invoke-RunAs.ps1", "*\\\\MailRaider.ps1", "*\\\\New-HoneyHash.ps1", "*\\\\Set-MacAttribute.ps1", "*\\\\Invoke-DCSync.ps1", 
"*\\\\Invoke-PowerDump.ps1", "*\\\\Exploit-Jboss.ps1", "*\\\\Invoke-ThunderStruck.ps1", "*\\\\Invoke-VoiceTroll.ps1", "*\\\\Set-Wallpaper.ps1", "*\\\\Invoke-InveighRelay.ps1", "*\\\\Invoke-PsExec.ps1", "*\\\\Invoke-SSHCommand.ps1", "*\\\\Get-SecurityPackages.ps1", "*\\\\Install-SSP.ps1", "*\\\\Invoke-BackdoorLNK.ps1", "*\\\\PowerBreach.ps1", "*\\\\Get-SiteListPassword.ps1", "*\\\\Get-System.ps1", "*\\\\Invoke-BypassUAC.ps1", "*\\\\Invoke-Tater.ps1", "*\\\\Invoke-WScriptBypassUAC.ps1", "*\\\\PowerUp.ps1", "*\\\\PowerView.ps1", "*\\\\Get-RickAstley.ps1", "*\\\\Find-Fruit.ps1", "*\\\\HTTP-Login.ps1", "*\\\\Find-TrustedDocuments.ps1", "*\\\\Invoke-Paranoia.ps1", "*\\\\Invoke-WinEnum.ps1", "*\\\\Invoke-ARPScan.ps1", "*\\\\Invoke-PortScan.ps1", "*\\\\Invoke-ReverseDNSLookup.ps1", "*\\\\Invoke-SMBScanner.ps1", "*\\\\Invoke-Mimikittenz.ps1"])
```
### grep
```
grep -P '^(?:.*(?=.*11)(?=.*(?:.*.*\\Invoke-DllInjection\\.ps1|.*.*\\Invoke-WmiCommand\\.ps1|.*.*\\Get-GPPPassword\\.ps1|.*.*\\Get-Keystrokes\\.ps1|.*.*\\Get-VaultCredential\\.ps1|.*.*\\Invoke-CredentialInjection\\.ps1|.*.*\\Invoke-Mimikatz\\.ps1|.*.*\\Invoke-NinjaCopy\\.ps1|.*.*\\Invoke-TokenManipulation\\.ps1|.*.*\\Out-Minidump\\.ps1|.*.*\\VolumeShadowCopyTools\\.ps1|.*.*\\Invoke-ReflectivePEInjection\\.ps1|.*.*\\Get-TimedScreenshot\\.ps1|.*.*\\Invoke-UserHunter\\.ps1|.*.*\\Find-GPOLocation\\.ps1|.*.*\\Invoke-ACLScanner\\.ps1|.*.*\\Invoke-DowngradeAccount\\.ps1|.*.*\\Get-ServiceUnquoted\\.ps1|.*.*\\Get-ServiceFilePermission\\.ps1|.*.*\\Get-ServicePermission\\.ps1|.*.*\\Invoke-ServiceAbuse\\.ps1|.*.*\\Install-ServiceBinary\\.ps1|.*.*\\Get-RegAutoLogon\\.ps1|.*.*\\Get-VulnAutoRun\\.ps1|.*.*\\Get-VulnSchTask\\.ps1|.*.*\\Get-UnattendedInstallFile\\.ps1|.*.*\\Get-WebConfig\\.ps1|.*.*\\Get-ApplicationHost\\.ps1|.*.*\\Get-RegAlwaysInstallElevated\\.ps1|.*.*\\Get-Unconstrained\\.ps1|.*.*\\Add-RegBackdoor\\.ps1|.*.*\\Add-ScrnSaveBackdoor\\.ps1|.*.*\\Gupt-Backdoor\\.ps1|.*.*\\Invoke-ADSBackdoor\\.ps1|.*.*\\Enabled-DuplicateToken\\.ps1|.*.*\\Invoke-PsUaCme\\.ps1|.*.*\\Remove-Update\\.ps1|.*.*\\Check-VM\\.ps1|.*.*\\Get-LSASecret\\.ps1|.*.*\\Get-PassHashes\\.ps1|.*.*\\Show-TargetScreen\\.ps1|.*.*\\Port-Scan\\.ps1|.*.*\\Invoke-PoshRatHttp\\.ps1|.*.*\\Invoke-PowerShellTCP\\.ps1|.*.*\\Invoke-PowerShellWMI\\.ps1|.*.*\\Add-Exfiltration\\.ps1|.*.*\\Add-Persistence\\.ps1|.*.*\\Do-Exfiltration\\.ps1|.*.*\\Start-CaptureServer\\.ps1|.*.*\\Invoke-ShellCode\\.ps1|.*.*\\Get-ChromeDump\\.ps1|.*.*\\Get-ClipboardContents\\.ps1|.*.*\\Get-FoxDump\\.ps1|.*.*\\Get-IndexedItem\\.ps1|.*.*\\Get-Screenshot\\.ps1|.*.*\\Invoke-Inveigh\\.ps1|.*.*\\Invoke-NetRipper\\.ps1|.*.*\\Invoke-EgressCheck\\.ps1|.*.*\\Invoke-PostExfil\\.ps1|.*.*\\Invoke-PSInject\\.ps1|.*.*\\Invoke-RunAs\\.ps1|.*.*\\MailRaider\\.ps1|.*.*\\New-HoneyHash\\.ps1|.*.*\\Set-MacAttribute\\.ps1|.*.*\\Invoke-DCSync\\.ps1|.*.*\\Invoke-PowerDu
mp\\.ps1|.*.*\\Exploit-Jboss\\.ps1|.*.*\\Invoke-ThunderStruck\\.ps1|.*.*\\Invoke-VoiceTroll\\.ps1|.*.*\\Set-Wallpaper\\.ps1|.*.*\\Invoke-InveighRelay\\.ps1|.*.*\\Invoke-PsExec\\.ps1|.*.*\\Invoke-SSHCommand\\.ps1|.*.*\\Get-SecurityPackages\\.ps1|.*.*\\Install-SSP\\.ps1|.*.*\\Invoke-BackdoorLNK\\.ps1|.*.*\\PowerBreach\\.ps1|.*.*\\Get-SiteListPassword\\.ps1|.*.*\\Get-System\\.ps1|.*.*\\Invoke-BypassUAC\\.ps1|.*.*\\Invoke-Tater\\.ps1|.*.*\\Invoke-WScriptBypassUAC\\.ps1|.*.*\\PowerUp\\.ps1|.*.*\\PowerView\\.ps1|.*.*\\Get-RickAstley\\.ps1|.*.*\\Find-Fruit\\.ps1|.*.*\\HTTP-Login\\.ps1|.*.*\\Find-TrustedDocuments\\.ps1|.*.*\\Invoke-Paranoia\\.ps1|.*.*\\Invoke-WinEnum\\.ps1|.*.*\\Invoke-ARPScan\\.ps1|.*.*\\Invoke-PortScan\\.ps1|.*.*\\Invoke-ReverseDNSLookup\\.ps1|.*.*\\Invoke-SMBScanner\\.ps1|.*.*\\Invoke-Mimikittenz\\.ps1)))'
```
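Review bot: the generated xpack-watcher watch cannot deliver anything as written, because the `send_email` action has `"to": null` and the search request has `"indices": []`, so loading it with the `curl -XPUT` above would search every index on the cluster and then have no recipient for the hits; fill in the Sysmon index pattern and a recipient (or drop the email action) before deploying. The same two placeholders appear in every generated watch in this commit. Note also that all of the `TargetFilename.keyword:(*\\Invoke-...)` terms are leading-wildcard matches on a keyword field with `analyze_wildcard: true`, which is exact-case and expensive on large indices, so a high-volume file-create index will be slow on a 30m schedule.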


@ -0,0 +1,112 @@
| Title | PowerShell Network Connections |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | low |
| False Positives | <ul><li>Administrative scripts</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://www.youtube.com/watch?v=DLtJTxMWZ2o](https://www.youtube.com/watch?v=DLtJTxMWZ2o)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: PowerShell Network Connections
status: experimental
description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"
author: Florian Roth
references:
- https://www.youtube.com/watch?v=DLtJTxMWZ2o
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image: '*\powershell.exe'
filter:
DestinationIp:
- '10.*'
- '192.168.*'
- '172.16.*'
- '172.17.*'
- '172.18.*'
- '172.19.*'
- '172.20.*'
- '172.21.*'
- '172.22.*'
- '172.23.*'
- '172.24.*'
- '172.25.*'
- '172.26.*'
- '172.27.*'
- '172.28.*'
- '172.29.*'
- '172.30.*'
- '172.31.*'
- '127.0.0.1'
DestinationIsIpv6: 'false'
User: 'NT AUTHORITY\SYSTEM'
condition: selection and not filter
falsepositives:
- Administrative scripts
level: low
```
### es-qs
```
((EventID:"3" AND Image.keyword:*\\\\powershell.exe) AND NOT (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.0.0.1) AND DestinationIsIpv6:"false" AND User:"NT\\ AUTHORITY\\\\SYSTEM"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/PowerShell-Network-Connections <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe) AND NOT (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\"))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'PowerShell Network Connections\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"3" AND Image:"*\\\\powershell.exe") AND NOT (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.0.0.1") AND DestinationIsIpv6:"false" AND User:"NT AUTHORITY\\\\SYSTEM"))
```
### splunk
```
((EventID="3" Image="*\\\\powershell.exe") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.0.0.1") DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
```
### logpoint
```
((EventID="3" Image="*\\\\powershell.exe") -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.0.0.1"] DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\powershell\\.exe)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\.0\\.0\\.1))(?=.*false)(?=.*NT AUTHORITY\\SYSTEM)))))'
```
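Review bot: the `filter` block is a single selection, so its three fields are ANDed and `selection and not filter` (and the `NOT (...)` in each translation) only suppresses powershell.exe connections that go to a private IPv4 address, are not IPv6, and are made by `NT AUTHORITY\SYSTEM`; powershell.exe run under any other account connecting to `10.*` or `192.168.*` still fires. If the intent is to whitelist internal destinations regardless of account, split this into two selections (for example `filter_internal` for DestinationIp/DestinationIsIpv6 and `filter_system` for User) and use `selection and not filter_internal and not filter_system`; if the current behaviour is intended, the description should say so, since with `level: low` and "Administrative scripts" as the only false positive it reads as an internal-range whitelist. The description also carries a stray closing quote in `company's ip range')`, in both the table row and the `description:` line.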


@ -0,0 +1,101 @@
| Title | Default PowerSploit Schtasks Persistence |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the creation of a schtask via PowerSploit Default Configuration |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1053: Scheduled Task](https://attack.mitre.org/techniques/T1053)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | <ul><li>[T1053: Scheduled Task](../Triggers/T1053.md)</li><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>False positives are possible, depends on organisation and processes</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1](https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1)</li></ul> |
| Author | Markus Neis |
| Other Tags | <ul><li>attack.s0111</li><li>attack.s0111</li><li>attack.g0022</li><li>attack.g0022</li><li>attack.g0060</li><li>attack.g0060</li></ul> |
## Detection Rules
### Sigma rule
```
title: Default PowerSploit Schtasks Persistence
status: experimental
description: Detects the creation of a schtask via PowerSploit Default Configuration
references:
- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
author: Markus Neis
date: 2018/03/06
logsource:
product: windows
service: sysmon
detection:
selection:
ParentImage:
- '*\Powershell.exe'
CommandLine:
- '*\schtasks.exe*/Create*/RU*system*/SC*ONLOGON*'
- '*\schtasks.exe*/Create*/RU*system*/SC*DAILY*'
- '*\schtasks.exe*/Create*/RU*system*/SC*ONIDLE*'
- '*\schtasks.exe*/Create*/RU*system*/SC*HOURLY*'
condition: selection
tags:
- attack.execution
- attack.persistence
- attack.privilege_escalation
- attack.t1053
- attack.t1086
- attack.s0111
- attack.g0022
- attack.g0060
falsepositives:
- False positives are possible, depends on organisation and processes
level: high
```
### es-qs
```
(ParentImage.keyword:(*\\\\Powershell.exe) AND CommandLine.keyword:(*\\\\schtasks.exe*\\/Create*\\/RU*system*\\/SC*ONLOGON* *\\\\schtasks.exe*\\/Create*\\/RU*system*\\/SC*DAILY* *\\\\schtasks.exe*\\/Create*\\/RU*system*\\/SC*ONIDLE* *\\\\schtasks.exe*\\/Create*\\/RU*system*\\/SC*HOURLY*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Default-PowerSploit-Schtasks-Persistence <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(ParentImage.keyword:(*\\\\\\\\Powershell.exe) AND CommandLine.keyword:(*\\\\\\\\schtasks.exe*\\\\/Create*\\\\/RU*system*\\\\/SC*ONLOGON* *\\\\\\\\schtasks.exe*\\\\/Create*\\\\/RU*system*\\\\/SC*DAILY* *\\\\\\\\schtasks.exe*\\\\/Create*\\\\/RU*system*\\\\/SC*ONIDLE* *\\\\\\\\schtasks.exe*\\\\/Create*\\\\/RU*system*\\\\/SC*HOURLY*))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Default PowerSploit Schtasks Persistence\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(ParentImage:("*\\\\Powershell.exe") AND CommandLine:("*\\\\schtasks.exe*\\/Create*\\/RU*system*\\/SC*ONLOGON*" "*\\\\schtasks.exe*\\/Create*\\/RU*system*\\/SC*DAILY*" "*\\\\schtasks.exe*\\/Create*\\/RU*system*\\/SC*ONIDLE*" "*\\\\schtasks.exe*\\/Create*\\/RU*system*\\/SC*HOURLY*"))
```
### splunk
```
((ParentImage="*\\\\Powershell.exe") (CommandLine="*\\\\schtasks.exe*/Create*/RU*system*/SC*ONLOGON*" OR CommandLine="*\\\\schtasks.exe*/Create*/RU*system*/SC*DAILY*" OR CommandLine="*\\\\schtasks.exe*/Create*/RU*system*/SC*ONIDLE*" OR CommandLine="*\\\\schtasks.exe*/Create*/RU*system*/SC*HOURLY*"))
```
### logpoint
```
(ParentImage IN ["*\\\\Powershell.exe"] CommandLine IN ["*\\\\schtasks.exe*/Create*/RU*system*/SC*ONLOGON*", "*\\\\schtasks.exe*/Create*/RU*system*/SC*DAILY*", "*\\\\schtasks.exe*/Create*/RU*system*/SC*ONIDLE*", "*\\\\schtasks.exe*/Create*/RU*system*/SC*HOURLY*"])
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*.*\\Powershell\\.exe))(?=.*(?:.*.*\\schtasks\\.exe.*/Create.*/RU.*system.*/SC.*ONLOGON.*|.*.*\\schtasks\\.exe.*/Create.*/RU.*system.*/SC.*DAILY.*|.*.*\\schtasks\\.exe.*/Create.*/RU.*system.*/SC.*ONIDLE.*|.*.*\\schtasks\\.exe.*/Create.*/RU.*system.*/SC.*HOURLY.*)))'
```
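Review bot: the Other Tags row lists `attack.s0111`, `attack.g0022` and `attack.g0060` twice each while the Sigma source has each tag once, so the regenerated table is duplicating non-technique tags; the yamls2csv/markdown generator should deduplicate before writing, otherwise every rule with software or group tags will show this. Separately, the ParentImage pattern `*\Powershell.exe` (capital P) becomes a match on `ParentImage.keyword` in the es-qs and graylog translations, which is exact-case, so it will miss the lowercase `powershell.exe` image path that Sysmon records; the PowerShell Network Connections rule earlier in this commit uses `*\powershell.exe`, and this rule should be brought in line and regenerated.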


@ -0,0 +1,92 @@
| Title | QuarksPwDump Dump File |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a dump file written by QuarksPwDump password dumper |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm](https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: QuarksPwDump Dump File
status: experimental
description: Detects a dump file written by QuarksPwDump password dumper
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth
date: 2018/02/10
tags:
- attack.credential_access
- attack.t1003
level: critical
logsource:
product: windows
service: sysmon
detection:
selection:
# Sysmon: File Creation (ID 11)
EventID: 11
TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
condition: selection
falsepositives:
- Unknown
```
### es-qs
```
(EventID:"11" AND TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/QuarksPwDump-Dump-File <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"11\\" AND TargetFilename.keyword:*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SAM\\\\-*.dmp*)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'QuarksPwDump Dump File\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"11" AND TargetFilename:"*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*")
```
### splunk
```
(EventID="11" TargetFilename="*\\\\AppData\\\\Local\\\\Temp\\\\SAM-*.dmp*")
```
### logpoint
```
(EventID="11" TargetFilename="*\\\\AppData\\\\Local\\\\Temp\\\\SAM-*.dmp*")
```
### grep
```
grep -P '^(?:.*(?=.*11)(?=.*.*\\AppData\\Local\\Temp\\SAM-.*\\.dmp.*))'
```
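Review bot: the xpack-watcher block in this hunk is not pasteable as written: the generator has written the command with its string escapes intact (`\n` between the JSON lines, `\'Content-Type: application/json\'`, `\\"11\\"` inside the query), so the reader gets one long line of literal backslash-n sequences instead of a here-document. Since this commit regenerates the md files, the markdown writer should emit the raw converted string (real newlines, unescaped quotes) rather than its escaped representation; the same applies to every xpack-watcher section in the commit.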


@ -0,0 +1,94 @@
| Title | RDP over Reverse SSH Tunnel |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li></ul> |
| Data Needed | <ul><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li></ul> |
| Trigger | <ul><li>[T1076: Remote Desktop Protocol](../Triggers/T1076.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/SBousseaden/status/1096148422984384514](https://twitter.com/SBousseaden/status/1096148422984384514)</li></ul> |
| Author | Samir Bousseaden |
## Detection Rules
### Sigma rule
```
title: RDP over Reverse SSH Tunnel
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
author: Samir Bousseaden
date: 2019/02/16
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1076
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image: '*\svchost.exe'
SourcePort: 3389
DestinationIp:
- '127.*'
- '::1'
condition: selection
falsepositives:
- unknown
level: high
```
### es-qs
```
(EventID:"3" AND Image.keyword:*\\\\svchost.exe AND SourcePort:"3389" AND DestinationIp.keyword:(127.* \\:\\:1))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/RDP-over-Reverse-SSH-Tunnel <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* \\\\:\\\\:1))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'RDP over Reverse SSH Tunnel\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"3" AND Image:"*\\\\svchost.exe" AND SourcePort:"3389" AND DestinationIp:("127.*" "\\:\\:1"))
```
### splunk
```
(EventID="3" Image="*\\\\svchost.exe" SourcePort="3389" (DestinationIp="127.*" OR DestinationIp="::1"))
```
### logpoint
```
(EventID="3" Image="*\\\\svchost.exe" SourcePort="3389" DestinationIp IN ["127.*", "::1"])
```
### grep
```
grep -P '^(?:.*(?=.*3)(?=.*.*\\svchost\\.exe)(?=.*3389)(?=.*(?:.*127\\..*|.*::1)))'
```
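Review bot: the grep output at the end of this hunk constrains EventID and SourcePort only with bare digit lookaheads, `(?=.*3)` and `(?=.*3389)`, which match those digits anywhere in a log line (timestamps, PIDs, other ports), so the grep form is far looser than the Sigma rule it is derived from; the generated page should say that the grep conversion is an approximation, or the backend should emit field-aware patterns such as `EventID=3` where the log format allows it. Separately, the description says the rule detects svchost hosting termsvcs, but the selection only checks `Image: '*\svchost.exe'`; Sysmon event 3 carries no service name, so either the description should speak of svchost.exe in general or the rule needs a correlation back to the svchost instance that was started for the termsvcs group.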


@ -0,0 +1,112 @@
| Title | Rundll32 Internet Connection |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a rundll32 that communicates with public IP addresses |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul> |
| Data Needed | <ul><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li></ul> |
| Trigger | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Communication to other corporate systems that use IP addresses from public address spaces</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100](https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Rundll32 Internet Connection
status: experimental
description: Detects a rundll32 that communicates with public IP addresses
references:
- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
author: Florian Roth
date: 2017/11/04
tags:
- attack.t1085
- attack.defense_evasion
- attack.execution
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image: '*\rundll32.exe'
filter:
DestinationIp:
- '10.*'
- '192.168.*'
- '172.16.*'
- '172.17.*'
- '172.18.*'
- '172.19.*'
- '172.20.*'
- '172.21.*'
- '172.22.*'
- '172.23.*'
- '172.24.*'
- '172.25.*'
- '172.26.*'
- '172.27.*'
- '172.28.*'
- '172.29.*'
- '172.30.*'
- '172.31.*'
- '127.*'
condition: selection and not filter
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
level: medium
```
### es-qs
```
((EventID:"3" AND Image.keyword:*\\\\rundll32.exe) AND NOT (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.*)))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Rundll32-Internet-Connection <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe) AND NOT (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.*)))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Rundll32 Internet Connection\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"3" AND Image:"*\\\\rundll32.exe") AND NOT (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.*")))
```
### splunk
```
((EventID="3" Image="*\\\\rundll32.exe") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*")))
```
### logpoint
```
((EventID="3" Image="*\\\\rundll32.exe") -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\rundll32\\.exe)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))))))'
```
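Review bot: the `filter` block excludes the RFC 1918 ranges and `127.*`, but not the other non-routable destinations Sysmon can record: `::1` (which the previous rule in this commit lists right next to `127.*`), link-local `169.254.*`, IPv6 link-local `fe80:*` and the unique-local `fc00::/7` block. A rundll32 connection to any of those would fire as a "public IP" hit. Suggest extending the list in Sigma wildcard form, e.g. `- '::1'`, `- '169.254.*'`, `- 'fe80:*'`, so the rule matches its description.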


@ -0,0 +1,97 @@
| Title | Security Support Provider (SSP) added to LSA configuration |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1011: Exfiltration Over Other Network Medium](https://attack.mitre.org/techniques/T1011)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Trigger | <ul><li>[T1011: Exfiltration Over Other Network Medium](../Triggers/T1011.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://attack.mitre.org/techniques/T1101/](https://attack.mitre.org/techniques/T1101/)</li><li>[https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/](https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/)</li></ul> |
| Author | iwillkeepwatch |
## Detection Rules
### Sigma rule
```
title: Security Support Provider (SSP) added to LSA configuration
status: experimental
description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
- https://attack.mitre.org/techniques/T1101/
- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
tags:
- attack.persistence
- attack.t1011
author: iwillkeepwatch
date: 2019/01/18
logsource:
product: windows
service: sysmon
detection:
selection_registry:
EventID: 13
TargetObject:
- 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
- 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
exclusion_images:
- Image: C:\Windows\system32\msiexec.exe
- Image: C:\Windows\syswow64\MsiExec.exe
condition: selection_registry and not exclusion_images
falsepositives:
- Unlikely
level: critical
```
### es-qs
```
((EventID:"13" AND TargetObject:("HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security\\ Packages" "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security\\ Packages")) AND NOT (Image:"C\\:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image:"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Security-Support-Provider-SSP-added-to-LSA-configuration <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"13\\" AND TargetObject:(\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security\\\\ Packages\\" \\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security\\\\ Packages\\")) AND NOT (Image:\\"C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\" OR Image:\\"C\\\\:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\MsiExec.exe\\"))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Security Support Provider (SSP) added to LSA configuration\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"13" AND TargetObject:("HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages" "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages")) AND NOT (Image:"C\\:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image:"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
```
### splunk
```
((EventID="13" (TargetObject="HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages" OR TargetObject="HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages")) NOT (Image="C:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image="C:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
```
### logpoint
```
((EventID="13" TargetObject IN ["HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages", "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages"]) -(Image="C:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image="C:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*13)(?=.*(?:.*HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages|.*HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages))))(?=.*(?!.*(?:.*(?:.*(?=.*C:\\Windows\\system32\\msiexec\\.exe)|.*(?=.*C:\\Windows\\syswow64\\MsiExec\\.exe))))))'
```
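Review bot: the ATT&CK mapping in this hunk is inconsistent with the rule's own references: the table, the Trigger link (`../Triggers/T1011.md`) and the tag `attack.t1011` all resolve to T1011 "Exfiltration Over Other Network Medium", while the first reference is `https://attack.mitre.org/techniques/T1101/`, Security Support Provider, which is what the rule actually detects. The tag looks like a digit transposition of `attack.t1101`; fixing it in the Sigma source lets yamls2csv regenerate the Technique and Trigger rows correctly (the Persistence tactic is already right).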


@ -0,0 +1,116 @@
| Title | Sticky Key Like Backdoor Usage |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1015: Accessibility Features](https://attack.mitre.org/techniques/T1015)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | <ul><li>[T1015: Accessibility Features](../Triggers/T1015.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | |
| References | <ul><li>[https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/](https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)</li></ul> |
| Author | Florian Roth, @twjackomo |
## Detection Rules
### Sigma rule
```
---
action: global
title: Sticky Key Like Backdoor Usage
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1015
author: Florian Roth, @twjackomo
date: 2018/03/15
detection:
condition: 1 of them
falsepositives:
- Unlikely
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection_registry:
EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
EventType: 'SetValue'
---
logsource:
category: process_creation
product: windows
detection:
selection_process:
ParentImage:
- '*\winlogon.exe'
CommandLine:
- '*\cmd.exe sethc.exe *'
- '*\cmd.exe utilman.exe *'
- '*\cmd.exe osk.exe *'
- '*\cmd.exe Magnify.exe *'
- '*\cmd.exe Narrator.exe *'
- '*\cmd.exe DisplaySwitch.exe *'
```
### es-qs
```
(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\Magnify.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\Narrator.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\DisplaySwitch.exe\\\\Debugger) AND EventType:"SetValue")\n(ParentImage.keyword:(*\\\\winlogon.exe) AND CommandLine.keyword:(*\\\\cmd.exe\\ sethc.exe\\ * *\\\\cmd.exe\\ utilman.exe\\ * *\\\\cmd.exe\\ osk.exe\\ * *\\\\cmd.exe\\ Magnify.exe\\ * *\\\\cmd.exe\\ Narrator.exe\\ * *\\\\cmd.exe\\ DisplaySwitch.exe\\ *))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Sticky-Key-Like-Backdoor-Usage <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\ NT\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\sethc.exe\\\\\\\\Debugger *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\ NT\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\utilman.exe\\\\\\\\Debugger *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\ NT\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\osk.exe\\\\\\\\Debugger *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\ NT\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\Magnify.exe\\\\\\\\Debugger *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\ NT\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\Narrator.exe\\\\\\\\Debugger *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\ NT\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\DisplaySwitch.exe\\\\\\\\Debugger) AND EventType:\\"SetValue\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Sticky Key Like Backdoor Usage\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- 
localhost:9200/_xpack/watcher/watch/Sticky-Key-Like-Backdoor-Usage-2 <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(ParentImage.keyword:(*\\\\\\\\winlogon.exe) AND CommandLine.keyword:(*\\\\\\\\cmd.exe\\\\ sethc.exe\\\\ * *\\\\\\\\cmd.exe\\\\ utilman.exe\\\\ * *\\\\\\\\cmd.exe\\\\ osk.exe\\\\ * *\\\\\\\\cmd.exe\\\\ Magnify.exe\\\\ * *\\\\\\\\cmd.exe\\\\ Narrator.exe\\\\ * *\\\\\\\\cmd.exe\\\\ DisplaySwitch.exe\\\\ *))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Sticky Key Like Backdoor Usage\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject:("*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger") AND EventType:"SetValue")\n(ParentImage:("*\\\\winlogon.exe") AND CommandLine:("*\\\\cmd.exe sethc.exe *" "*\\\\cmd.exe utilman.exe *" "*\\\\cmd.exe osk.exe *" "*\\\\cmd.exe Magnify.exe *" "*\\\\cmd.exe Narrator.exe *" "*\\\\cmd.exe DisplaySwitch.exe *"))
```
### splunk
```
(EventID="13" (TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger") EventType="SetValue")\n((ParentImage="*\\\\winlogon.exe") (CommandLine="*\\\\cmd.exe sethc.exe *" OR CommandLine="*\\\\cmd.exe utilman.exe *" OR CommandLine="*\\\\cmd.exe osk.exe *" OR CommandLine="*\\\\cmd.exe Magnify.exe *" OR CommandLine="*\\\\cmd.exe Narrator.exe *" OR CommandLine="*\\\\cmd.exe DisplaySwitch.exe *"))
```
### logpoint
```
(EventID="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger"] EventType="SetValue")\n(ParentImage IN ["*\\\\winlogon.exe"] CommandLine IN ["*\\\\cmd.exe sethc.exe *", "*\\\\cmd.exe utilman.exe *", "*\\\\cmd.exe osk.exe *", "*\\\\cmd.exe Magnify.exe *", "*\\\\cmd.exe Narrator.exe *", "*\\\\cmd.exe DisplaySwitch.exe *"])
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc\\.exe\\Debugger|.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman\\.exe\\Debugger|.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk\\.exe\\Debugger|.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify\\.exe\\Debugger|.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator\\.exe\\Debugger|.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch\\.exe\\Debugger))(?=.*SetValue))'\ngrep -P '^(?:.*(?=.*(?:.*.*\\winlogon\\.exe))(?=.*(?:.*.*\\cmd\\.exe sethc\\.exe .*|.*.*\\cmd\\.exe utilman\\.exe .*|.*.*\\cmd\\.exe osk\\.exe .*|.*.*\\cmd\\.exe Magnify\\.exe .*|.*.*\\cmd\\.exe Narrator\\.exe .*|.*.*\\cmd\\.exe DisplaySwitch\\.exe .*)))'
```
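Review bot: this rule has no `status` field, so the Development Status cell in the table is blank; the other rules in this commit carry `status: experimental`, so either the rule should get one or the generator should print a placeholder instead of an empty cell. Also, the multi-logsource rule yields two queries per backend, and the generated es-qs, graylog, splunk, logpoint and grep sections join them with a literal `\n` inside one line; the watcher section even breaks the second `curl` command across a line boundary (`--data-binary @- ` / `localhost:9200/...`). Rendering each converted query on its own line, or in its own fenced block, would keep them copy-pasteable.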


@ -0,0 +1,86 @@
| Title | Suspicious Driver Load from Temp |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a driver load from a temporary directory |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1050: New Service](https://attack.mitre.org/techniques/T1050)</li></ul> |
| Data Needed | <ul><li>[DN_0010_6_windows_sysmon_driver_loaded](../Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md)</li></ul> |
| Trigger | <ul><li>[T1050: New Service](../Triggers/T1050.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>there is a relevant set of false positives depending on applications in the environment</li></ul> |
| Development Status | |
| References | <ul></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Suspicious Driver Load from Temp
description: Detects a driver load from a temporary directory
author: Florian Roth
tags:
- attack.persistence
- attack.t1050
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
ImageLoaded: '*\Temp\\*'
condition: selection
falsepositives:
- there is a relevant set of false positives depending on applications in the environment
level: medium
```
### es-qs
```
(EventID:"6" AND ImageLoaded.keyword:*\\\\Temp\\\\*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-Driver-Load-from-Temp <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"6\\" AND ImageLoaded.keyword:*\\\\\\\\Temp\\\\\\\\*)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious Driver Load from Temp\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"6" AND ImageLoaded:"*\\\\Temp\\\\*")
```
### splunk
```
(EventID="6" ImageLoaded="*\\\\Temp\\\\*")
```
### logpoint
```
(EventID="6" ImageLoaded="*\\\\Temp\\\\*")
```
### grep
```
grep -P '^(?:.*(?=.*6)(?=.*.*\\Temp\\\\.*))'
```
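Review bot: the grep conversion escapes the two backslashes of `ImageLoaded: '*\Temp\\*'` differently: `.*\\Temp\\\\.*` has one escaped backslash before `Temp` and two after it, whereas the es-qs form `*\\\\Temp\\\\*` is symmetric. In Sigma, `\\*` is an escaped backslash followed by a wildcard, i.e. a single literal `\`, so the grep backend appears to escape the already-escaped `\\` a second time and would then require `\Temp\\` in the log line; worth checking against a real Sysmon event 6 line before trusting the grep output. The empty References row (`<ul></ul>`) and blank Development Status come from the rule lacking `references`, `status` and `date`.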


@ -0,0 +1,101 @@
| Title | Suspicious File Characteristics due to Missing Fields |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://securelist.com/muddywater/88059/](https://securelist.com/muddywater/88059/)</li><li>[https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection](https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection)</li></ul> |
| Author | Markus Neis |
## Detection Rules
### Sigma rule
```
title: Suspicious File Characteristics due to Missing Fields
description: Detects Executables without FileVersion,Description,Product,Company likely created with py2exe
status: experimental
references:
- https://securelist.com/muddywater/88059/
- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis
date: 2018/11/22
tags:
- attack.defense_evasion
- attack.execution
- attack.t1064
logsource:
product: windows
service: sysmon
detection:
selection1:
Description: '\?'
FileVersion: '\?'
selection2:
Description: '\?'
Product: '\?'
selection3:
Description: '\?'
Company: '\?'
condition: 1 of them
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
```
### es-qs
```
(Description:"\\?" AND (FileVersion:"\\?" OR Product:"\\?" OR Company:"\\?"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-File-Characteristics-due-to-Missing-Fields <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(Description:\\"\\\\?\\" AND (FileVersion:\\"\\\\?\\" OR Product:\\"\\\\?\\" OR Company:\\"\\\\?\\"))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious File Characteristics due to Missing Fields\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(Description:"\\?" AND (FileVersion:"\\?" OR Product:"\\?" OR Company:"\\?"))
```
### splunk
```
(Description="\\?" (FileVersion="\\?" OR Product="\\?" OR Company="\\?")) | table CommandLine,ParentCommandLine
```
### logpoint
```
(Description="\\?" (FileVersion="\\?" OR Product="\\?" OR Company="\\?"))
```
### grep
```
grep -P '^(?:.*(?=.*\\?)(?=.*(?:.*(?:.*\\?|.*\\?|.*\\?))))'
```
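Review bot: the xpack-watcher block is the Python repr of the converter output rather than the output itself: line breaks appear as literal `\n` and the quotes around the header as `\'`, so `-H \'Content-Type: application/json\'` splits into two shell words and the heredoc never starts; the md generator should unescape the string (or write it with real line breaks) before publishing it. Separately, the grep line `grep -P '^(?:.*(?=.*\\?)(?=.*(?:.*\\?|.*\\?|.*\\?))))'` matches every input line: inside the single-quoted pattern `\\?` reaches PCRE as an optional literal backslash, whereas the Sigma values `Description: '\?'` etc. mean a literal question mark, so the grep backend's handling of `\?` needs checking (and the `\\?` emitted into the es-qs, graylog and splunk queries deserves the same look).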

@ -0,0 +1,94 @@
| Title | Possible Process Hollowing Image Loading |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul> |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Very likely, needs more tuning</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html](https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html)</li></ul> |
| Author | Markus Neis |
## Detection Rules
### Sigma rule
```
title: Possible Process Hollowing Image Loading
status: experimental
description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
references:
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
author: Markus Neis
date: 2018/01/07
tags:
- attack.defense_evasion
- attack.t1073
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\notepad.exe'
ImageLoaded:
- '*\samlib.dll'
- '*\WinSCard.dll'
condition: selection
falsepositives:
- Very likely, needs more tuning
level: high
```
### es-qs
```
(EventID:"7" AND Image.keyword:(*\\\\notepad.exe) AND ImageLoaded.keyword:(*\\\\samlib.dll *\\\\WinSCard.dll))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Possible-Process-Hollowing-Image-Loading <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\notepad.exe) AND ImageLoaded.keyword:(*\\\\\\\\samlib.dll *\\\\\\\\WinSCard.dll))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Possible Process Hollowing Image Loading\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"7" AND Image:("*\\\\notepad.exe") AND ImageLoaded:("*\\\\samlib.dll" "*\\\\WinSCard.dll"))
```
### splunk
```
(EventID="7" (Image="*\\\\notepad.exe") (ImageLoaded="*\\\\samlib.dll" OR ImageLoaded="*\\\\WinSCard.dll"))
```
### logpoint
```
(EventID="7" Image IN ["*\\\\notepad.exe"] ImageLoaded IN ["*\\\\samlib.dll", "*\\\\WinSCard.dll"])
```
### grep
```
grep -P '^(?:.*(?=.*7)(?=.*(?:.*.*\\notepad\\.exe))(?=.*(?:.*.*\\samlib\\.dll|.*.*\\WinSCard\\.dll)))'
```
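Review bot: the selection only matches `Image: '*\notepad.exe'`, so the description ("from untypical process") and the "Very likely, needs more tuning" false-positive note describe a broader rule than the one generated; either extend the Image list or narrow the title. The ATT&CK mapping also looks off: the page tags T1073 DLL Side-Loading while the title and description describe process hollowing. Note too that the grep conversion reduces `EventID: 7` to `(?=.*7)`, which matches any line containing the digit 7, a limitation of the grep backend that applies to every rule on this page.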

@ -0,0 +1,93 @@
| Title | PowerShell Rundll32 Remote Thread Creation |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects PowerShell remote thread creation in Rundll32.exe |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0012_8_windows_sysmon_CreateRemoteThread](../Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md)</li></ul> |
| Trigger | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unkown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html](https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: PowerShell Rundll32 Remote Thread Creation
status: experimental
description: Detects PowerShell remote thread creation in Rundll32.exe
author: Florian Roth
references:
- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
date: 2018/06/25
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
SourceImage: '*\powershell.exe'
TargetImage: '*\rundll32.exe'
condition: selection
tags:
- attack.defense_evasion
- attack.execution
- attack.t1085
- attack.t1086
falsepositives:
- Unkown
level: high
```
### es-qs
```
(EventID:"8" AND SourceImage.keyword:*\\\\powershell.exe AND TargetImage.keyword:*\\\\rundll32.exe)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/PowerShell-Rundll32-Remote-Thread-Creation <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"8\\" AND SourceImage.keyword:*\\\\\\\\powershell.exe AND TargetImage.keyword:*\\\\\\\\rundll32.exe)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'PowerShell Rundll32 Remote Thread Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"8" AND SourceImage:"*\\\\powershell.exe" AND TargetImage:"*\\\\rundll32.exe")
```
### splunk
```
(EventID="8" SourceImage="*\\\\powershell.exe" TargetImage="*\\\\rundll32.exe")
```
### logpoint
```
(EventID="8" SourceImage="*\\\\powershell.exe" TargetImage="*\\\\rundll32.exe")
```
### grep
```
grep -P '^(?:.*(?=.*8)(?=.*.*\\powershell\\.exe)(?=.*.*\\rundll32\\.exe))'
```
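Review bot: "Unkown" in the False Positives row and in `falsepositives:` is a typo for "Unknown"; since the md and the table are generated from the YAML, fix it in the source rule so both stay in sync.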

@ -0,0 +1,98 @@
| Title | Suspicious Program Location with Network Connections |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects programs with network connections running in suspicious files system locations |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo](https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Suspicious Program Location with Network Connections
status: experimental
description: Detects programs with network connections running in suspicious files system locations
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
logsource:
product: windows
service: sysmon
definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
detection:
selection:
EventID: 3
Image:
# - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows
- '*\$Recycle.bin'
- '*\Users\All Users\\*'
- '*\Users\Default\\*'
- '*\Users\Public\\*'
- 'C:\Perflogs\\*'
- '*\config\systemprofile\\*'
- '*\Windows\Fonts\\*'
- '*\Windows\IME\\*'
- '*\Windows\addins\\*'
condition: selection
falsepositives:
- unknown
level: high
```
### es-qs
```
(EventID:"3" AND Image.keyword:(*\\\\$Recycle.bin *\\\\Users\\\\All\\ Users\\\\* *\\\\Users\\\\Default\\\\* *\\\\Users\\\\Public\\\\* C\\:\\\\Perflogs\\\\* *\\\\config\\\\systemprofile\\\\* *\\\\Windows\\\\Fonts\\\\* *\\\\Windows\\\\IME\\\\* *\\\\Windows\\\\addins\\\\*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Suspicious-Program-Location-with-Network-Connections <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"3\\" AND Image.keyword:(*\\\\\\\\$Recycle.bin *\\\\\\\\Users\\\\\\\\All\\\\ Users\\\\\\\\* *\\\\\\\\Users\\\\\\\\Default\\\\\\\\* *\\\\\\\\Users\\\\\\\\Public\\\\\\\\* C\\\\:\\\\\\\\Perflogs\\\\\\\\* *\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\* *\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\* *\\\\\\\\Windows\\\\\\\\IME\\\\\\\\* *\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Suspicious Program Location with Network Connections\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"3" AND Image:("*\\\\$Recycle.bin" "*\\\\Users\\\\All Users\\\\*" "*\\\\Users\\\\Default\\\\*" "*\\\\Users\\\\Public\\\\*" "C\\:\\\\Perflogs\\\\*" "*\\\\config\\\\systemprofile\\\\*" "*\\\\Windows\\\\Fonts\\\\*" "*\\\\Windows\\\\IME\\\\*" "*\\\\Windows\\\\addins\\\\*"))
```
### splunk
```
(EventID="3" (Image="*\\\\$Recycle.bin" OR Image="*\\\\Users\\\\All Users\\\\*" OR Image="*\\\\Users\\\\Default\\\\*" OR Image="*\\\\Users\\\\Public\\\\*" OR Image="C:\\\\Perflogs\\\\*" OR Image="*\\\\config\\\\systemprofile\\\\*" OR Image="*\\\\Windows\\\\Fonts\\\\*" OR Image="*\\\\Windows\\\\IME\\\\*" OR Image="*\\\\Windows\\\\addins\\\\*"))
```
### logpoint
```
(EventID="3" Image IN ["*\\\\$Recycle.bin", "*\\\\Users\\\\All Users\\\\*", "*\\\\Users\\\\Default\\\\*", "*\\\\Users\\\\Public\\\\*", "C:\\\\Perflogs\\\\*", "*\\\\config\\\\systemprofile\\\\*", "*\\\\Windows\\\\Fonts\\\\*", "*\\\\Windows\\\\IME\\\\*", "*\\\\Windows\\\\addins\\\\*"])
```
### grep
```
grep -P '^(?:.*(?=.*3)(?=.*(?:.*.*\\\\$Recycle\\.bin|.*.*\\Users\\All Users\\\\.*|.*.*\\Users\\Default\\\\.*|.*.*\\Users\\Public\\\\.*|.*C:\\Perflogs\\\\.*|.*.*\\config\\systemprofile\\\\.*|.*.*\\Windows\\Fonts\\\\.*|.*.*\\Windows\\IME\\\\.*|.*.*\\Windows\\addins\\\\.*)))'
```
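Review bot: `'*\$Recycle.bin'` is the only Image entry without a trailing `\\*`, so it only matches an Image path that ends in `$Recycle.bin` itself and never an executable inside the recycle bin; it should presumably read `'*\$Recycle.bin\\*'` like the other entries (the es-qs, splunk and grep outputs all inherit the truncated pattern). The `definition:` line says "Use the following config to generate the necessary Event ID 3 Network Connection events" but no config follows. The empty `<ul></ul>` cells in the ATT&CK Tactic and Technique rows come from the rule having no `tags:`; rendering a "none" text, as the Trigger row already does, would be clearer than an empty list. "suspicious files system locations" should read "file system locations".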

@ -0,0 +1,103 @@
| Title | Registry Persistence via Explorer Run Key |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1060: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1060)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Trigger | <ul><li>[T1060: Registry Run Keys / Startup Folder](../Triggers/T1060.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/](https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/)</li></ul> |
| Author | Florian Roth |
| Other Tags | <ul><li>capec.270</li><li>capec.270</li></ul> |
## Detection Rules
### Sigma rule
```
title: Registry Persistence via Explorer Run Key
status: experimental
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder
author: Florian Roth
date: 2018/07/18
references:
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
Details:
- 'C:\Windows\Temp\\*'
- 'C:\ProgramData\\*'
- '*\AppData\\*'
- 'C:\$Recycle.bin\\*'
- 'C:\Temp\\*'
- 'C:\Users\Public\\*'
- 'C:\Users\Default\\*'
condition: selection
tags:
- attack.persistence
- attack.t1060
- capec.270
fields:
- Image
- ParentImage
falsepositives:
- Unknown
level: high
```
### es-qs
```
(EventID:"13" AND TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* C\\:\\\\ProgramData\\\\* *\\\\AppData\\\\* C\\:\\\\$Recycle.bin\\\\* C\\:\\\\Temp\\\\* C\\:\\\\Users\\\\Public\\\\* C\\:\\\\Users\\\\Default\\\\*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Registry-Persistence-via-Explorer-Run-Key <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:*\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run AND Details.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* C\\\\:\\\\\\\\ProgramData\\\\\\\\* *\\\\\\\\AppData\\\\\\\\* C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* C\\\\:\\\\\\\\Temp\\\\\\\\* C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\*))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Registry Persistence via Explorer Run Key\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n Image = {{_source.Image}}\\nParentImage = {{_source.ParentImage}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject:"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" AND Details:("C\\:\\\\Windows\\\\Temp\\\\*" "C\\:\\\\ProgramData\\\\*" "*\\\\AppData\\\\*" "C\\:\\\\$Recycle.bin\\\\*" "C\\:\\\\Temp\\\\*" "C\\:\\\\Users\\\\Public\\\\*" "C\\:\\\\Users\\\\Default\\\\*"))
```
### splunk
```
(EventID="13" TargetObject="*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" (Details="C:\\\\Windows\\\\Temp\\\\*" OR Details="C:\\\\ProgramData\\\\*" OR Details="*\\\\AppData\\\\*" OR Details="C:\\\\$Recycle.bin\\\\*" OR Details="C:\\\\Temp\\\\*" OR Details="C:\\\\Users\\\\Public\\\\*" OR Details="C:\\\\Users\\\\Default\\\\*")) | table Image,ParentImage
```
### logpoint
```
(EventID="13" TargetObject="*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" Details IN ["C:\\\\Windows\\\\Temp\\\\*", "C:\\\\ProgramData\\\\*", "*\\\\AppData\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Temp\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*"])
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*.*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run)(?=.*(?:.*C:\\Windows\\Temp\\\\.*|.*C:\\ProgramData\\\\.*|.*.*\\AppData\\\\.*|.*C:\\\\$Recycle\\.bin\\\\.*|.*C:\\Temp\\\\.*|.*C:\\Users\\Public\\\\.*|.*C:\\Users\\Default\\\\.*)))'
```
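Review bot: the Other Tags row renders `capec.270` twice although the rule lists it once under `tags:`; the table generator is evidently collecting the tag through two paths, so deduplicate before rendering. "poiting" in the Description row and in `description:` is a typo for "pointing".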

@ -0,0 +1,102 @@
| Title | New RUN Key Pointing to Suspicious Folder |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects suspicious new RUN key element pointing to an executable in a suspicious folder |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1060: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1060)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Trigger | <ul><li>[T1060: Registry Run Keys / Startup Folder](../Triggers/T1060.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Software with rare behaviour</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html](https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html)</li></ul> |
| Author | Florian Roth, Markus Neis |
## Detection Rules
### Sigma rule
```
title: New RUN Key Pointing to Suspicious Folder
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: Florian Roth, Markus Neis
tags:
- attack.persistence
- attack.t1060
date: 2018/25/08
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
Details:
- 'C:\Windows\Temp\\*'
- '*\AppData\\*'
- 'C:\$Recycle.bin\\*'
- 'C:\Temp\\*'
- 'C:\Users\Public\\*'
- 'C:\Users\Default\\*'
- 'C:\Users\Desktop\\*'
condition: selection
fields:
- Image
falsepositives:
- Software with rare behaviour
level: high
```
### es-qs
```
(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* *\\\\AppData\\\\* C\\:\\\\$Recycle.bin\\\\* C\\:\\\\Temp\\\\* C\\:\\\\Users\\\\Public\\\\* C\\:\\\\Users\\\\Default\\\\* C\\:\\\\Users\\\\Desktop\\\\*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/New-RUN-Key-Pointing-to-Suspicious-Folder <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* *\\\\\\\\AppData\\\\\\\\* C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* C\\\\:\\\\\\\\Temp\\\\\\\\* C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\*))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'New RUN Key Pointing to Suspicious Folder\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nImage = {{_source.Image}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject:("*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*") AND Details:("C\\:\\\\Windows\\\\Temp\\\\*" "*\\\\AppData\\\\*" "C\\:\\\\$Recycle.bin\\\\*" "C\\:\\\\Temp\\\\*" "C\\:\\\\Users\\\\Public\\\\*" "C\\:\\\\Users\\\\Default\\\\*" "C\\:\\\\Users\\\\Desktop\\\\*"))
```
### splunk
```
(EventID="13" (TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*") (Details="C:\\\\Windows\\\\Temp\\\\*" OR Details="*\\\\AppData\\\\*" OR Details="C:\\\\$Recycle.bin\\\\*" OR Details="C:\\\\Temp\\\\*" OR Details="C:\\\\Users\\\\Public\\\\*" OR Details="C:\\\\Users\\\\Default\\\\*" OR Details="C:\\\\Users\\\\Desktop\\\\*")) | table Image
```
### logpoint
```
(EventID="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*"] Details IN ["C:\\\\Windows\\\\Temp\\\\*", "*\\\\AppData\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Temp\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*", "C:\\\\Users\\\\Desktop\\\\*"])
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\.*|.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\.*))(?=.*(?:.*C:\\Windows\\Temp\\\\.*|.*.*\\AppData\\\\.*|.*C:\\\\$Recycle\\.bin\\\\.*|.*C:\\Temp\\\\.*|.*C:\\Users\\Public\\\\.*|.*C:\\Users\\Default\\\\.*|.*C:\\Users\\Desktop\\\\.*)))'
```
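Review bot: `date: 2018/25/08` is not a valid YYYY/MM/DD date (month 25); Sigma dates are YYYY/MM/DD, so this is presumably 2018/08/25 and should be corrected upstream before the analytics are regenerated from it. The last Details entry `'C:\Users\Desktop\\*'` matches no standard profile layout (user desktops live under `C:\Users\<name>\Desktop`); confirm whether `'*\Desktop\\*'` was intended.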

@ -0,0 +1,98 @@
| Title | Usage of Sysinternals Tools |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the usage of Sysinternals Tools due to accepteula key beeing added to Registry |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | low |
| False Positives | <ul><li>Legitimate use of SysInternals tools</li><li>Programs that use the same Registry Key</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/Moti_B/status/1008587936735035392](https://twitter.com/Moti_B/status/1008587936735035392)</li></ul> |
| Author | Markus Neis |
## Detection Rules
### Sigma rule
```
---
action: global
title: Usage of Sysinternals Tools
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key beeing added to Registry
references:
- https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28
author: Markus Neis
detection:
condition: 1 of them
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
level: low
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 13
TargetObject: '*\EulaAccepted'
---
logsource:
category: process_creation
product: windows
detection:
selection2:
CommandLine: '* -accepteula*'
```
### es-qs
```
(EventID:"13" AND TargetObject.keyword:*\\\\EulaAccepted)\nCommandLine.keyword:*\\ \\-accepteula*
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Usage-of-Sysinternals-Tools <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject.keyword:*\\\\\\\\EulaAccepted)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Usage of Sysinternals Tools\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Usage-of-Sysinternals-Tools-2 <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "CommandLine.keyword:*\\\\ \\\\-accepteula*",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Usage of Sysinternals Tools\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject:"*\\\\EulaAccepted")\nCommandLine:"* \\-accepteula*"
```
### splunk
```
(EventID="13" TargetObject="*\\\\EulaAccepted")\nCommandLine="* -accepteula*"
```
### logpoint
```
(EventID="13" TargetObject="*\\\\EulaAccepted")\nCommandLine="* -accepteula*"
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*.*\\EulaAccepted))'\ngrep -P '^.* -accepteula.*'
```
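Review bot: for this multi-document rule every backend output is rendered with a literal `\n` between the two converted queries (es-qs, graylog, splunk, logpoint and grep each show two queries glued together, and xpack-watcher shows two curl commands on one line), so none of them can be copied as-is; the md generator should split the converter output on real newlines or render each sub-query in its own block. "beeing" in the Description row and in `description:` is a typo for "being".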

@ -0,0 +1,98 @@
| Title | UAC Bypass via Event Viewer |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects UAC bypass method using Windows event viewer |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | <ul><li>[T1088: Bypass User Account Control](../Triggers/T1088.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)</li><li>[https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100](https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: UAC Bypass via Event Viewer
status: experimental
description: Detects UAC bypass method using Windows event viewer
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth
logsource:
product: windows
service: sysmon
detection:
methregistry:
EventID: 13
TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command'
methprocess:
EventID: 1 # Migration to process_creation requires multipart YAML
ParentImage: '*\eventvwr.exe'
filterprocess:
Image: '*\mmc.exe'
condition: methregistry or ( methprocess and not filterprocess )
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
falsepositives:
- unknown
level: critical
```
### es-qs
```
((EventID:"13" AND TargetObject:"HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((EventID:"1" AND ParentImage.keyword:*\\\\eventvwr.exe) AND NOT (Image.keyword:*\\\\mmc.exe)))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/UAC-Bypass-via-Event-Viewer <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"13\\" AND TargetObject:\\"HKEY_USERS\\\\\\\\*\\\\\\\\mscfile\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\") OR ((EventID:\\"1\\" AND ParentImage.keyword:*\\\\\\\\eventvwr.exe) AND NOT (Image.keyword:*\\\\\\\\mmc.exe)))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'UAC Bypass via Event Viewer\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"13" AND TargetObject:"HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((EventID:"1" AND ParentImage:"*\\\\eventvwr.exe") AND NOT (Image:"*\\\\mmc.exe")))
```
### splunk
```
((EventID="13" TargetObject="HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((EventID="1" ParentImage="*\\\\eventvwr.exe") NOT (Image="*\\\\mmc.exe"))) | table CommandLine,ParentCommandLine
```
### logpoint
```
((EventID="13" TargetObject="HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((EventID="1" ParentImage="*\\\\eventvwr.exe") -(Image="*\\\\mmc.exe")))
```
### grep
```
grep -P '^(?:.*(?:.*(?:.*(?=.*13)(?=.*HKEY_USERS\\\\.*\\mscfile\\shell\\open\\command))|.*(?:.*(?=.*(?:.*(?=.*1)(?=.*.*\\eventvwr\\.exe)))(?=.*(?!.*(?:.*(?=.*.*\\mmc\\.exe)))))))'
```
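Review bot: the e-mail action in the xpack-watcher block ships with `"to": null`, so the watch is created but notifies nobody until a recipient is filled in, and `"indices": []` makes the search run against every index on the cluster; both need to be set per deployment before any of the generated watches in this commit are loaded. The body template also prints `{{_source.CommandLine}}` and `{{_source.ParentCommandLine}}` for every hit, and the Splunk conversion ends with `| table CommandLine,ParentCommandLine`, but the `EventID:"13"` branch of this rule matches registry events that carry neither field, so a hit on the `mscfile\shell\open\command` key comes out as empty columns; include `TargetObject` and `Image` in the output so a registry hit is still readable to the analyst.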


@ -0,0 +1,91 @@
| Title | UAC Bypass via sdclt |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Trigger | <ul><li>[T1088: Bypass User Account Control](../Triggers/T1088.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/](https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/)</li></ul> |
| Author | Omer Yampel |
## Detection Rules
### Sigma rule
```
title: UAC Bypass via sdclt
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: Omer Yampel
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
falsepositives:
- unknown
level: high
```
### es-qs
```
(EventID:"13" AND TargetObject:"HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/UAC-Bypass-via-sdclt <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"13\\" AND TargetObject:\\"HKEY_USERS\\\\\\\\*\\\\\\\\Classes\\\\\\\\exefile\\\\\\\\shell\\\\\\\\runas\\\\\\\\command\\\\\\\\isolatedCommand\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'UAC Bypass via sdclt\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"13" AND TargetObject:"HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
```
### splunk
```
(EventID="13" TargetObject="HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
```
### logpoint
```
(EventID="13" TargetObject="HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
```
### grep
```
grep -P '^(?:.*(?=.*13)(?=.*HKEY_USERS\\\\.*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand))'
```
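Review bot: the selection keys on `TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'` while the description names `HKCU:\Software\Classes\...`; the wildcard absorbs the SID and `Software` segments, but the hive prefix should be checked against what Sysmon actually writes in EventID 13 (Sysmon's own `TargetObject` values use the abbreviated hive names such as `HKU\`), because a prefix mismatch means the rule never fires and the `unknown` false-positive entry would never get revisited. The grep conversion at the end also escapes the backslash after `HKEY_USERS` as `\\\\` (two literal backslashes) but the rest of the path as `\\` (one), so it would not match a single-backslash path either; test that backend against a real log line before relying on it.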


@ -0,0 +1,95 @@
| Title | Microsoft Binary Github Communication |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects an executable in the Windows folder accessing github.com |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1105: Remote File Copy](https://attack.mitre.org/techniques/T1105)</li></ul> |
| Data Needed | <ul><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li></ul> |
| Trigger | <ul><li>[T1105: Remote File Copy](../Triggers/T1105.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li><li>@subTee in your network</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/M_haggis/status/900741347035889665](https://twitter.com/M_haggis/status/900741347035889665)</li><li>[https://twitter.com/M_haggis/status/1032799638213066752](https://twitter.com/M_haggis/status/1032799638213066752)</li></ul> |
| Author | Michael Haag (idea), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: Microsoft Binary Github Communication
status: experimental
description: Detects an executable in the Windows folder accessing github.com
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
author: Michael Haag (idea), Florian Roth (rule)
tags:
- attack.lateral_movement
- attack.t1105
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationHostname:
- '*.github.com'
- '*.githubusercontent.com'
Image: 'C:\Windows\\*'
condition: selection
falsepositives:
- 'Unknown'
- '@subTee in your network'
level: high
```
### es-qs
```
(EventID:"3" AND DestinationHostname.keyword:(*.github.com *.githubusercontent.com) AND Image:"C\\:\\\\Windows\\\\*")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Microsoft-Binary-Github-Communication <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*.github.com *.githubusercontent.com) AND Image:\\"C\\\\:\\\\\\\\Windows\\\\\\\\*\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Microsoft Binary Github Communication\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"3" AND DestinationHostname:("*.github.com" "*.githubusercontent.com") AND Image:"C\\:\\\\Windows\\\\*")
```
### splunk
```
(EventID="3" (DestinationHostname="*.github.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
```
### logpoint
```
(EventID="3" DestinationHostname IN ["*.github.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
```
### grep
```
grep -P '^(?:.*(?=.*3)(?=.*(?:.*.*\\.github\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
```
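Review bot: `DestinationHostname` in a Sysmon EventID 3 record is filled in by reverse DNS of the destination address at connection time, not from the name the process requested, so endpoints fronted by a CDN may never resolve to a `*.githubusercontent.com` name and the rule silently misses them; where DNS query logging exists, matching the queried name there is the more dependable signal, with this rule kept as a second layer. Two smaller points in the selection: `Image: 'C:\Windows\\*'` hard-codes the system drive letter, so hosts with Windows installed on another drive are out of scope, and the false-positive entry `@subTee in your network` should be replaced with the benign cases actually expected (Windows binaries that legitimately fetch from GitHub), since `Unknown` gives an analyst nothing to triage against.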


@ -0,0 +1,95 @@
| Title | Microsoft Binary Suspicious Communication Endpoint |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects an executable in the Windows folder accessing suspicious domains |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1105: Remote File Copy](https://attack.mitre.org/techniques/T1105)</li></ul> |
| Data Needed | <ul><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li></ul> |
| Trigger | <ul><li>[T1105: Remote File Copy](../Triggers/T1105.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/M_haggis/status/900741347035889665](https://twitter.com/M_haggis/status/900741347035889665)</li><li>[https://twitter.com/M_haggis/status/1032799638213066752](https://twitter.com/M_haggis/status/1032799638213066752)</li></ul> |
| Author | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Microsoft Binary Suspicious Communication Endpoint
status: experimental
description: Detects an executable in the Windows folder accessing suspicious domains
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
author: Florian Roth
date: 2018/08/30
tags:
- attack.lateral_movement
- attack.t1105
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationHostname:
- '*dl.dropboxusercontent.com'
- '*.pastebin.com'
Image: 'C:\Windows\\*'
condition: selection
falsepositives:
- 'Unknown'
level: high
```
### es-qs
```
(EventID:"3" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com *.pastebin.com) AND Image:"C\\:\\\\Windows\\\\*")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Microsoft-Binary-Suspicious-Communication-Endpoint <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com *.pastebin.com) AND Image:\\"C\\\\:\\\\\\\\Windows\\\\\\\\*\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Microsoft Binary Suspicious Communication Endpoint\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"3" AND DestinationHostname:("*dl.dropboxusercontent.com" "*.pastebin.com") AND Image:"C\\:\\\\Windows\\\\*")
```
### splunk
```
(EventID="3" (DestinationHostname="*dl.dropboxusercontent.com" OR DestinationHostname="*.pastebin.com") Image="C:\\\\Windows\\\\*")
```
### logpoint
```
(EventID="3" DestinationHostname IN ["*dl.dropboxusercontent.com", "*.pastebin.com"] Image="C:\\\\Windows\\\\*")
```
### grep
```
grep -P '^(?:.*(?=.*3)(?=.*(?:.*.*dl\\.dropboxusercontent\\.com|.*.*\\.pastebin\\.com))(?=.*C:\\Windows\\\\.*))'
```
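Review bot: the hostname list mixes two wildcard shapes: `*dl.dropboxusercontent.com` (no dot after the `*`) matches the bare `dl.dropboxusercontent.com` host, but `*.pastebin.com` requires at least one label before the dot, so a connection whose `DestinationHostname` is exactly `pastebin.com` is not covered; either add `pastebin.com` as a second entry or drop the dot as was done for the Dropbox entry. The `Image: 'C:\Windows\\*'` filter also matches any path under the Windows directory, not only signed Microsoft binaries, so a hit does not by itself establish the "Microsoft Binary" in the title; confirm the image's signature in triage before treating it as a trusted-binary case, and the same reverse-DNS caveat as for the GitHub rule applies to these hostnames.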

Some files were not shown because too many files have changed in this diff.