diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml similarity index 92% rename from rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml rename to deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml index b1b6c4c57c3..f18f5e95d7f 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml @@ -1,12 +1,12 @@ title: Potential Persistence Via COM Hijacking From Suspicious Locations id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 -status: experimental -description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location +status: deprecated +description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location. references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/28 -modified: 2023/09/28 +modified: 2024/07/16 tags: - attack.persistence - attack.t1546.015 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml new file mode 100644 index 00000000000..914e5b02c97 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml 
@@ -0,0 +1,33 @@
+title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
+id: 6c7defa9-69f8-4c34-b815-41fce3931754
+status: experimental
+description: |
+ Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
+references:
+ - https://www.tenable.com/security/research/tra-2023-11
+ - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
+ - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
+author: Nasreddine Bencherchali (Nextron Systems), Rohit Jain
+date: 2024/06/25
+tags:
+ - detection.emerging_threats
+ - attack.initial_access
+ - attack.t1190
+ - cve.2023.1389
+logsource:
+ category: proxy
+detection:
+ selection_uri:
+ cs-method:
+ - 'GET'
+ - 'POST'
+ cs-uri|contains|all:
+ - '/cgi-bin/luci/;stok=/locale'
+ - 'form=country'
+ selection_keyword:
+ - 'operation=write'
+ - 'country=$('
+ condition: all of selection_*
+falsepositives:
+ - Vulnerability Scanners
+level: medium
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
index e74e876fe7b..25f916ae77c 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
@@ -8,6 +8,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024/04/23
+modified: 2024/07/11
 tags:
 - attack.defense_evasion
 - attack.t1562.002
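Review bot: `selection_keyword` in the new CVE-2023-1389 rule is a bare keyword list, so `operation=write` and `country=$(` are searched across the whole event rather than the request URI; for the proxy category that is less portable and more expensive than a field match on most backends, and it can match on unrelated fields that happen to carry the string. A second field selection keeps the "any of" semantics while staying on the URI, e.g. `selection_query:` / `cs-uri|contains:` with the two strings as its list, leaving `condition: all of selection_*` as is. The `cs-method` list of GET and POST barely narrows the match and could be dropped, and the description reads better as `Detects a potential exploitation attempt of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21.`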
@@ -28,8 +29,8 @@ detection: - 'C:\ProgramData\UbiSoft\v' - 'C:\ProgramData\Steam\v' TargetFilename|contains: - - '\pnms003.inf_' - - '\pnms009.inf_' + - '\prnms003.inf_' + - '\prnms009.inf_' selection_programdata_main: TargetFilename|startswith: 'C:\ProgramData\' selection_programdata_files_1: diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml index 7c1c903545e..606322b7ee1 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml @@ -1,9 +1,9 @@ title: Creation of an Executable by an Executable id: 297afac9-5d02-4138-8c58-b977bac60556 status: experimental -description: Detects the creation of an executable by another executable +description: Detects the creation of an executable by another executable. references: - - Malware Sandbox + - Internal Research author: frack113 date: 2022/03/09 modified: 2023/11/06 diff --git a/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml similarity index 90% rename from rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml rename to rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml index 4dbe479edd7..844c7f35293 100644 --- a/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml 
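Review bot: The corrected `\prnms003.inf_` and `\prnms009.inf_` values carry no comment saying where the names come from, so nothing stops a future edit from "fixing" them back to the earlier `pnms` form; a one-line note on the list such as `# Driver package names as documented in the referenced Microsoft analysis` would make them checkable. I am inferring from the file name and the Microsoft reference that these are print-driver package names tied to CVE-2022-38028 — confirm before wording the comment. The `selection_*` block the list belongs to starts before the hunk.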
@@ -2,7 +2,7 @@ title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address id: cfed2f44-16df-4bf3-833a-79405198b277 status: test description: | - Detects dllhost initiating a network connection to a non-local IP address. + Detects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment. references: @@ -10,12 +10,13 @@ references: - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 author: bartblaze date: 2020/07/13 -modified: 2024/03/12 +modified: 2024/07/16 tags: - attack.defense_evasion - attack.t1218 - attack.execution - attack.t1559.001 + - detection.threat_hunting logsource: category: network_connection product: windows @@ -42,6 +43,7 @@ detection: - '51.103.0.0/16' # Microsoft Corporation - '51.104.0.0/15' # Microsoft Corporation - '52.224.0.0/11' # Microsoft Corporation + - '150.171.0.0/19' # Microsoft Corporation - '204.79.197.0/24' # Microsoft Corporation' condition: selection and not 1 of filter_main_* falsepositives: diff --git a/rules/windows/network_connection/net_connection_win_msiexec_http.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml similarity index 72% rename from rules/windows/network_connection/net_connection_win_msiexec_http.yml rename to rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml index 8df6c6a27a0..245440121c2 100644 --- a/rules/windows/network_connection/net_connection_win_msiexec_http.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml 
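Review bot: The new `150.171.0.0/19` entry extends a hard-coded Microsoft CIDR allowlist with no provenance beyond `# Microsoft Corporation`; provider ranges change, so each entry should state where and when it was verified, e.g. `# Microsoft Corporation - verified against <source placeholder>, <date placeholder>`. A provider-range exclusion also hides dllhost traffic to any tenant hosted inside those ranges, which the falsepositives text (outside the hunk) should acknowledge if it does not already. The context line below the addition still ends with a stray `'` (`# Microsoft Corporation'`), pre-existing but worth cleaning while the list is touched. The `filter_main_*` block begins before the hunk.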
@@ -2,17 +2,19 @@ title: Msiexec.EXE Initiated Network Connection Over HTTP id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f status: test description: | - Detects an initiated network connection by "Msiexec.exe" over port 80 or 443. + Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. + Use this rule to hunt for potentially anomalous or suspicious communications. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 date: 2022/01/16 -modified: 2024/02/01 +modified: 2024/07/16 tags: - attack.defense_evasion - attack.t1218.007 + - detection.threat_hunting logsource: category: network_connection product: windows @@ -25,5 +27,5 @@ detection: - 443 condition: selection falsepositives: - - Some rare installers were seen communicating with external servers for additional information. While its a very rare occurrence in some environments an initial baseline might be required. -level: high + - Likely +level: low diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml b/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml new file mode 100644 index 00000000000..b7ec400670f --- /dev/null +++ b/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml 
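Review bot: The falsepositives entry is cut down to `Likely`, which drops the only concrete triage guidance the rule had (rare installers fetching extra content over HTTP, baseline first); a hunting rule at `level: low` needs that context more than the alerting version did. Keep a descriptive entry such as `- Installers that fetch additional packages or metadata over HTTP; baseline before use.` and leave `Likely` out. The `detection` block the second hunk belongs to starts before it.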
@@ -0,0 +1,56 @@
+title: Potential Shellcode Injection
+id: 250ae82f-736e-4844-a68b-0b5e8cc887da
+status: test
+description: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
+references:
+ - https://github.com/EmpireProject/PSInject
+author: Bhabesh Raj
+date: 2022/03/11
+modified: 2024/07/02
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
+ - detection.threat_hunting
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ GrantedAccess:
+ - '0x147a'
+ - '0x1f3fff'
+ CallTrace|contains: 'UNKNOWN'
+ filter_main_wmiprvse:
+ SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
+ TargetImage: 'C:\Windows\system32\lsass.exe'
+ filter_optional_dell_folders:
+ # If dell software is installed we get matches like these
+ # Example 1:
+ # SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
+ # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # GrantedAccess: 0x1F3FFF
+ # Example 2:
+ # SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+ # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # GrantedAccess: 0x1F3FFF
+ # Example 3:
+ # SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+ # GrantedAccess: 0x1F3FFF
+ SourceImage|startswith:
+ - 'C:\Program Files\Dell\'
+ - 'C:\Program Files (x86)\Dell\'
+ TargetImage|startswith:
+ - 'C:\Program Files\Dell\'
+ - 'C:\Program Files (x86)\Dell\'
+ filter_optional_dell_specifc:
+ SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
+ TargetImage: 'C:\Windows\Explorer.EXE'
+ filter_optional_visual_studio:
+ SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
similarity index 94%
rename from rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
index 1efaeec02ff..d09b0e94f04 100644
--- a/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
@@ -6,9 +6,11 @@ references:
 - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/03/10
+modified: 2024/07/16
 tags:
 - attack.collection
 - attack.t1560.001
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
@@ -30,4 +32,4 @@ detection:
 condition: all of selection_*
 falsepositives:
 - Legitimate activity is expected since extracting files with a password can be common in some environment.
-level: medium
+level: low
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
similarity index 57%
rename from rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
index dbf7baf8eee..36105803233 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
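Review bot: `filter_optional_dell_specifc` in the new shellcode-injection rule is misspelled, and because the condition addresses filters through the `filter_optional_*` glob the typo never surfaces as an error; rename it to `filter_optional_dell_specific`. The `GrantedAccess` values are written in lowercase (`'0x147a'`, `'0x1f3fff'`) while the Example comments a few lines down show the logged form `0x1F3FFF`, and `C:\Windows\system32\lsass.exe` differs in case from `C:\Windows\System32\Wbem\Wmiprvse.exe` on the line above — matching is case-insensitive on most backends, but writing the logged form keeps the file greppable and consistent. The 7zip hunks sharing this line only move metadata and lower the level.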
@@ -1,15 +1,18 @@
 title: Potentially Suspicious PowerShell Child Processes
 id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
 status: test
-description: Detects potentially suspicious child processes spawned by PowerShell
+description: |
+ Detects potentially suspicious child processes spawned by PowerShell.
+ Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
 references:
 - https://twitter.com/ankit_anubhav/status/1518835408502620162
 author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2022/04/26
-modified: 2023/05/30
+modified: 2024/07/16
 tags:
 - attack.execution
 - attack.t1059.001
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
@@ -38,7 +41,19 @@ detection:
 filter_optional_amazon:
 ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
 CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
- condition: selection and not 1 of filter_optional_*
+ filter_main_certutil_verify_store:
+ Image|endswith: '\certutil.exe'
+ CommandLine|contains: '-verifystore '
+ filter_main_wmic:
+ Image|endswith: '\wmic.exe'
+ CommandLine|contains:
+ - 'qfe list'
+ - 'diskdrive '
+ - 'csproduct '
+ - 'computersystem '
+ - ' os '
+ - ''
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
- - Some false positive is to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed.
-level: high
+ - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
+level: medium
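Review bot: `filter_main_wmic` ends its `CommandLine|contains` list with an empty string `''`, and an empty `contains` value matches every command line, so every wmic.exe child of PowerShell is excluded regardless of arguments and the five specific entries above it are dead. If the intent is to exclude wmic.exe entirely, drop the `CommandLine|contains` block and keep only `Image|endswith: '\wmic.exe'`; if only those queries should be excluded, remove the `- ''` line. Either way a wildcard inside a `filter_main_*` silently widens a hard exclusion, which is a real blind spot for a rule that still fires at `level: medium`. The `selection` the condition refers to starts before the hunk.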
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml similarity index 79% rename from rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml index bd831bf33f3..ed303b33ce3 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml @@ -1,7 +1,7 @@ -title: Suspicious Call by Ordinal +title: DLL Call by Ordinal Via Rundll32.EXE id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c status: stable -description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal +description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll. references: - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ - https://github.com/Neo23x0/DLLRunner @@ -9,10 +9,11 @@ references: - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ author: Florian Roth (Nextron Systems) date: 2019/10/22 -modified: 2023/02/09 +modified: 2024/07/16 tags: - attack.defense_evasion - attack.t1218.011 + - detection.threat_hunting logsource: category: process_creation product: windows @@ -26,11 +27,11 @@ detection: - ', #' - '.dll #' # Sysmon removes , in its log - '.ocx #' # HermeticWizard - filter_edge: + filter_optional_edge: CommandLine|contains|all: - 'EDGEHTML.dll' - '#141' - filter_vsbuild_dll: + filter_optional_vsbuild_dll: ParentImage|contains: - '\Msbuild\Current\Bin\' - '\VC\Tools\MSVC\' 
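Review bot: The rewritten description says `via rundll32.dll` while the title and the detection are about `Rundll32.EXE`, and `DLLs exports` is ungrammatical; `Detects calls of DLL exports by ordinal number via Rundll32.EXE.` states it accurately. With the rule moved to rules-threat-hunting, the filters renamed to `filter_optional_*` and the intent changed from "suspicious" to a hunting query, `status: stable` is carried over unchanged — fine if deliberate, but worth a conscious decision since the title and semantics moved. The `selection_*` blocks the third hunk's filters complement start before it.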
@@ -40,8 +41,8 @@ detection: - '\FileTracker32.dll",#1' - '\FileTracker64.dll,#1' - '\FileTracker64.dll",#1' - condition: all of selection_* and not 1 of filter_* + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment - - Windows control panel elements have been identified as source (mmc) -level: high + - False positives depend on scripts and administrative tools used in the monitored environment. + - Windows control panel elements have been identified as source (mmc). +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml similarity index 58% rename from rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml index 367be4cef60..bd178338a5f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml 
@@ -1,7 +1,9 @@ -title: Suspicious Execution From GUID Like Folder Names +title: Potential Suspicious Execution From GUID Like Folder Names id: 90b63c33-2b97-4631-a011-ceb0f47b77c3 status: test -description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks +description: | + Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks. + Use this rule to hunt for potentially suspicious activity stemming from uncommon folders. references: - https://twitter.com/Kostastsale/status/1565257924204986369 author: Nasreddine Bencherchali (Nextron Systems) @@ -10,6 +12,7 @@ modified: 2023/03/02 tags: - attack.defense_evasion - attack.t1027 + - detection.threat_hunting logsource: category: process_creation product: windows 
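Review bot: The new title `Potential Suspicious Execution From GUID Like Folder Names` is ungrammatical and inconsistent with the other renamed rule in this commit (`Potentially Suspicious PowerShell Child Processes`); use `Potentially Suspicious Execution From GUID Like Folder Names`, and in the description `potential suspicious execution` likewise becomes `potentially suspicious execution`. The second sentence added to the description (`Use this rule to hunt ...`) matches the wording used for the other threat-hunting moves, so only the title/first sentence need the fix.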
@@ -27,15 +30,19 @@ detection:
 CommandLine|contains|all:
 - '\{'
 - '}\'
- filter:
+ filter_main_image_guid:
 Image|contains|all:
 - '\{'
 - '}\'
- filter_null:
+ filter_main_null:
 Image: null
- filter_driver_inst: # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}"
+ filter_main_driver_inst: # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}"
 Image: 'C:\Windows\System32\drvinst.exe'
+ filter_main_msiexec:
+ Image:
+ - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\SysWOW64\msiexec.exe'
 condition: all of selection_* and not 1 of filter*
 falsepositives:
 - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly
-level: medium
+level: low
diff --git a/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml b/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml
new file mode 100644
index 00000000000..d5e821568e6
--- /dev/null
+++ b/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml
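Review bot: Every filter in this hunk is renamed to `filter_main_*`, yet the condition keeps the loose `not 1 of filter*`; the other hunks in this commit use the explicit `filter_main_*` / `filter_optional_*` forms, and the bare glob would silently turn any future `filter_optional_*` into a hard exclusion too. Change it to `condition: all of selection_* and not 1 of filter_main_*`. The new `filter_main_msiexec` entries are exact `Image` paths, consistent with `filter_main_driver_inst` above it, so nothing to raise there. The `selection_*` blocks start before the hunk.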
@@ -0,0 +1,24 @@
+title: Windows LAPS Credential Dump From Entra ID
+id: a4b25073-8947-489c-a8dd-93b41c23f26d
+status: experimental
+description: Detects when an account dumps the LAPS password from Entra ID.
+references:
+ - https://twitter.com/NathanMcNulty/status/1785051227568632263
+ - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
+ - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
+author: andrewdanis
+date: 2024/06/26
+tags:
+ - attack.t1098.005
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ category: 'Device'
+ activityType|contains: 'Recover device local administrator password'
+ additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
+ condition: selection
+falsepositives:
+ - Approved activity performed by an Administrator.
+level: high
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
index 1dcb0f180ca..4b0abb91b14 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
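Review bot: The tag list of the new LAPS rule carries a single technique, `attack.t1098.005`, with no tactic tag, and T1098.005 (Account Manipulation: Device Registration) does not describe reading a device's local administrator password; recovering a stored secret is closer to credential access (T1555 or T1552 are the usual candidates — confirm against the project's mapping) with a matching `attack.credential_access` tactic tag. The description's `dumps the LAPS password` overstates a legitimate recovery operation whose risk lies in who performs it; `Detects when an account retrieves a device's LAPS password from Entra ID.` is more accurate, and a falsepositives entry noting that helpdesk or rotation workflows will match would help triage at `level: high`.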
@@ -6,16 +6,17 @@ references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/13
+modified: 2024/06/26
 tags:
 - attack.persistence
 logsource:
 product: windows
 service: application
- definition: MSSQL audit policy must be enabled in order to receive this event in the application log
+ definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 selection:
- Provider_Name: 'MSSQLSERVER'
+ Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
 EventID: 33205
 Data|contains|all:
 - 'object_name:sysadmin'
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
index 36ee0eb3cb3..fef5c0328b3 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
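Review bot: `Provider_Name|contains: 'MSSQL'` replaces an exact provider match with a substring match, here and in the sibling hunks for win_mssql_disable_audit_settings, win_mssql_failed_logon, win_mssql_failed_logon_from_external_network, win_mssql_sp_procoption_set, win_mssql_xp_cmdshell_audit_log and win_mssql_xp_cmdshell_change. If the providers the linked issue is about are named instances of the form `MSSQL$<instance>`, `Provider_Name|startswith: 'MSSQL'` expresses that without also accepting any provider that merely contains the string; keep `contains` only if the third-party providers in #4876 do not start with MSSQL, and say which case applies in the inline comment. The EventID conjunction keeps each rule specific either way, so this is a precision point rather than a false-positive risk. The `selection` continues past the hunk in each file.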
@@ -8,16 +8,17 @@ references: - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/13 +modified: 2024/06/26 tags: - attack.defense_evasion logsource: product: windows service: application - definition: MSSQL audit policy must be enabled in order to receive this event in the application log + definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log' # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: selection: - Provider_Name: 'MSSQLSERVER' + Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876 EventID: 33205 Data|contains: - 'statement:ALTER SERVER AUDIT' diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml index 1ec65dee75d..106195511a4 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml @@ -5,11 +5,12 @@ related: type: similar status: experimental description: Detects failed logon attempts from clients to MSSQL server. -author: Nasreddine Bencherchali (Nextron Systems), j4son -date: 2023/10/11 references: - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html +author: Nasreddine Bencherchali (Nextron Systems), j4son +date: 2023/10/11 +modified: 2024/06/26 tags: - attack.credential_access - attack.t1110 
@@ -19,7 +20,7 @@ logsource: definition: 'Requirements: Must enable MSSQL authentication.' detection: selection: - Provider_Name: 'MSSQLSERVER' + Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876 EventID: 18456 condition: selection falsepositives: diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml index 966e3e6957c..8ef4e47cfcd 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml @@ -5,11 +5,12 @@ related: type: similar status: experimental description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack. -author: j4son -date: 2023/10/11 references: - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html +author: j4son +date: 2023/10/11 +modified: 2024/06/26 tags: - attack.credential_access - attack.t1110 @@ -19,7 +20,7 @@ logsource: definition: 'Requirements: Must enable MSSQL authentication.' detection: selection: - Provider_Name: 'MSSQLSERVER' + Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876 EventID: 18456 filter_main_local_ips: Data|contains: diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml index 5e9b1a24e49..f00dcd98506 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml 
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml @@ -7,16 +7,17 @@ references: - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/13 +modified: 2024/06/26 tags: - attack.persistence logsource: product: windows service: application - definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled in order to receive this event in the application log + definition: 'Requirements: MSSQL audit policy to monitor for "sp_procoption" must be enabled in order to receive this event in the application log' # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: selection: - Provider_Name: 'MSSQLSERVER' + Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876 EventID: 33205 Data|contains|all: - 'object_name:sp_procoption' diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml index e2e38b97865..377bfa323a1 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml 
@@ -7,16 +7,17 @@ references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/12 +modified: 2024/06/26 tags: - attack.execution logsource: product: windows service: application - definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012) + definition: 'Requirements: MSSQL audit policy to monitor for "xp_cmdshell" must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)' # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: selection: - Provider_Name: 'MSSQLSERVER' + Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876 EventID: 33205 Data|contains|all: # You can modify this to include specific commands diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml index 992802c1c7b..c9f63d11d38 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml 
@@ -1,12 +1,14 @@ title: MSSQL XPCmdshell Option Change id: d08dd86f-681e-4a00-a92c-1db218754417 status: test -description: Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed +description: | + Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed. references: - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/12 +modified: 2024/06/26 tags: - attack.execution logsource: @@ -15,7 +17,7 @@ logsource: # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: selection: - Provider_Name: 'MSSQLSERVER' + Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876 EventID: 15457 Data|contains: 'xp_cmdshell' condition: selection diff --git a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml index 4a21916ba0f..df700d51dae 100644 --- a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml +++ b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml 
@@ -4,7 +4,7 @@ status: stable
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
- - https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
+ - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019/06/14
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml b/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml
deleted file mode 100644
index a82829ed666..00000000000
--- a/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: KrbRelayUp Attack Pattern
-id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
-status: test
-description: Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like
-references:
- - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
- - https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
-author: '@SBousseaden, Florian Roth'
-date: 2022/04/27
-tags:
- - attack.privilege_escalation
- - attack.credential_access
-logsource:
- product: windows
- service: security
-detection:
- selection:
- EventID: 4624
- LogonType: 3
- AuthenticationPackageName: 'Kerberos'
- IpAddress: '127.0.0.1'
- TargetUserSid|startswith: 'S-1-5-21-'
- TargetUserSid|endswith: '-500'
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
new file mode 100644
index 00000000000..b8b3a0b4ba3
--- /dev/null
+++ b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
@@ -0,0 +1,31 @@
+title: Potential Privilege Escalation via Local Kerberos Relay over LDAP
+id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
+status: test
+description: |
+ Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
+ This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
+references:
+ - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
+ - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
+author: Elastic, @SBousseaden
+date: 2022/04/27
+modified: 2024/07/02
+tags:
+ - attack.privilege_escalation
+ - attack.credential_access
+ - attack.t1548
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4624
+ LogonType: 3
+ AuthenticationPackageName: 'Kerberos'
+ IpAddress: '127.0.0.1'
+ TargetUserSid|startswith: 'S-1-5-21-'
+ TargetUserSid|endswith: '-500'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
index 0e17660f46e..070b17a6f6a 100644
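Review bot: `IpAddress: '127.0.0.1'` matches only the IPv4 loopback, so a local Kerberos logon whose 4624 event records the IPv6 loopback `::1` slips past the selection even though the description promises "the remote address is set to localhost"; list both forms, `IpAddress:` / `- '127.0.0.1'` / `- '::1'`. Nothing in the selection ties the logon to LDAP, so the "over LDAP" in the title comes from the referenced technique rather than from the event itself; a sentence in the description saying that the rule keys on the localhost Kerberos network logon to RID 500 (whatever the relay target was) would keep analysts from looking for LDAP evidence that the event does not carry. The rule reuses the id of the deleted `win_security_susp_krbrelayup.yml`, which is presumably intentional for the rename and worth a line in the commit message.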
--- a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
@@ -1,16 +1,16 @@
-title: Windows Defender Threat Detection Disabled - Service
+title: Windows Defender Threat Detection Service Disabled
id: 6c0a7755-6d31-44fa-80e1-133e57752680
related:
- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
type: derived
status: stable
-description: Detects the "Windows Defender Threat Protection" service has been disabled
+description: Detects when the "Windows Defender Threat Protection" service is disabled.
references:
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020/07/28
-modified: 2023/08/08
+modified: 2024/07/02
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -27,7 +27,7 @@ detection:
- 'Service antivirus Microsoft Defender' # French OS
param2:
- 'stopped'
- - 'arrêté'
+ - 'arrêté' # French OS
condition: selection
falsepositives:
- Administrator actions
diff --git a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
index d8af348f9a4..00d263a9011 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
@@ -1,4 +1,4 @@
-title: CrackMapExec File Indicators
+title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
- id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
@@ -9,6 +9,7 @@ references:
- https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/03/11
+modified: 2024/06/27
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
index a709f5aac5c..3102f97e7a2 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
@@ -1,4 +1,4 @@
-title: Typical HiveNightmare SAM File Export
+title: HackTool - Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
@@ -9,7 +9,7 @@ references:
- https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021/07/23
-modified: 2022/10/09
+modified: 2024/06/27
tags:
- attack.credential_access
- attack.t1552.001
diff --git a/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml b/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
index 42e329dbb4a..d714a210328 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
@@ -1,4 +1,4 @@
-title: Inveigh Execution Artefacts
+title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
@@ -8,6 +8,7 @@ references:
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/24
+modified: 2024/06/27
tags:
- attack.command_and_control
- attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
new file mode 100644
index 00000000000..280e069d796
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
@@ -0,0 +1,24 @@
+title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
+id: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb
+status: experimental
+description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
+references:
+ - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/06/27
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith:
+ - ':\windows\temp\sam.tmp'
+ - ':\windows\temp\sec.tmp'
+ - ':\windows\temp\sys.tmp'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml b/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
index cb5a65dcf6d..6fb8c2b1eee 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
@@ -1,4 +1,4 @@
-title: Mimikatz Kirbi File Creation
+title: HackTool - Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
- id: 034affe8-6170-11ec-844f-0f78aa0c4d66
@@ -10,7 +10,7 @@ references:
- https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021/11/08
-modified: 2023/02/16
+modified: 2024/06/27
tags:
- attack.credential_access
- attack.t1558
diff --git a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
index 39e532a2f85..a9c4faf962b 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
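Review bot: The tags `attack.command_and_control` / `attack.t1219` do not fit what the rule detects: the file names `sam.tmp`, `sec.tmp` and `sys.tmp` under `\windows\temp` together with the `RemoteRegistry.cs` reference suggest registry hive copies taken to dump secrets, which is credential access, and the same tag pair appears verbatim on the Inveigh rule earlier in this diff, so it looks copied over. Suggest `- attack.credential_access` and `- attack.t1003.002` (plus `- attack.t1003.004` if the SECURITY hive is indeed among the targets, as `sec.tmp` hints). A short comment above `TargetFilename|endswith` stating that these are the hardcoded output names from the referenced source lines would also explain to the next maintainer why `Unlikely` is a defensible false-positive rating for such generic-looking names.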
+++ b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
@@ -1,4 +1,4 @@
-title: NPPSpy Hacktool Usage
+title: HackTool - NPPSpy Hacktool Usage
id: cad1fe90-2406-44dc-bd03-59d0b58fe722
status: test
description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
@@ -7,7 +7,7 @@ references:
- https://twitter.com/0gtweet/status/1465282548494487554
author: Florian Roth (Nextron Systems)
date: 2021/11/29
-modified: 2022/12/25
+modified: 2024/06/27
tags:
- attack.credential_access
logsource:
diff --git a/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml b/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
index b78c507595b..fa8217a5b9f 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
@@ -1,4 +1,4 @@
-title: Powerup Write Hijack DLL
+title: HackTool - Powerup Write Hijack DLL
id: 602a1f13-c640-4d73-b053-be9a2fa58b96
status: test
description: |
@@ -9,7 +9,7 @@ references:
- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
author: Subhash Popuri (@pbssubhash)
date: 2021/08/21
-modified: 2022/10/09
+modified: 2024/06/27
tags:
- attack.persistence
- attack.privilege_escalation
diff --git a/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml b/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
index cf3d70e43dd..5d6f60319a8 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
@@ -1,4 +1,4 @@
-title: QuarksPwDump Dump File
+title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
@@ -6,7 +6,7 @@ references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018/02/10
-modified: 2021/11/27
+modified: 2024/06/27
tags:
- attack.credential_access
- attack.t1003.002
diff --git a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
index b53864c7ef8..43f2f90a07b 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
@@ -1,4 +1,4 @@
-title: Potential Remote Credential Dumping Activity
+title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
@@ -7,7 +7,7 @@ references:
- https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
author: SecurityAura
date: 2022/11/16
-modified: 2023/01/05
+modified: 2024/06/27
tags:
- attack.credential_access
- attack.t1003
diff --git a/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml b/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
index 4eb173ba037..f6950ba7f9e 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
@@ -1,13 +1,13 @@
-title: SafetyKatz Default Dump Filename
+title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
-description: Detects default lsass dump filename from SafetyKatz
+description: Detects default lsass dump filename generated by SafetyKatz.
references:
- https://github.com/GhostPack/SafetyKatz
- https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018/07/24
-modified: 2021/11/27
+modified: 2024/06/27
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
new file mode 100644
index 00000000000..424e070fc97
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
@@ -0,0 +1,23 @@
+title: PDF File Created By RegEdit.EXE
+id: 145095eb-e273-443b-83d0-f9b519b7867b
+status: experimental
+description: |
+ Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
+ This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
+references:
+ - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/08
+tags:
+ - attack.defense_evasion
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ TargetFilename|endswith: '.pdf'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
new file mode 100644
index 00000000000..64e054283fc
--- /dev/null
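Review bot: The selection requires `regedit.exe` itself to be the process writing the `.pdf`; if the export goes through the Microsoft Print to PDF printer, the file creation may be attributed to the print spooler rather than to regedit, in which case this rule would not fire — worth verifying against the referenced write-up and, if confirmed, stating in the description which path (print dialog vs. direct save) yields the regedit-attributed write so the coverage gap is documented. Given that the reference is about dumping LSA secrets and the description speaks of extracting sensitive information, `attack.credential_access` belongs in `tags` alongside `attack.defense_evasion`. `level: high` with `Unlikely` false positives is reasonable for the pattern as written.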
+++ b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
@@ -0,0 +1,31 @@
+title: DPAPI Backup Keys And Certificate Export Activity IOC
+id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
+status: experimental
+description: |
+ Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
+references:
+ - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
+ - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
+author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/06/26
+tags:
+ - attack.t1555
+ - attack.t1552.004
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains:
+ - 'ntds_capi_'
+ - 'ntds_legacy_'
+ - 'ntds_unknown_'
+ TargetFilename|endswith:
+ - '.cer'
+ - '.key'
+ - '.pfx'
+ - '.pvk'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml b/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
index dc83002d91d..3ddc1770a47 100644
--- a/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
+++ b/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
@@ -1,6 +1,6 @@
title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
-status: experimental
+status: test
description: |
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
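Review bot: `tags` lists only the technique ids `attack.t1555` and `attack.t1552.004` without a tactic, unlike the other rules in this changeset, which pair each technique with its tactic (e.g. `attack.credential_access` with `attack.t1003.001` in the SafetyKatz rule); add `- attack.credential_access` as the first entry. A comment above `TargetFilename|contains` noting that `ntds_capi_`, `ntds_legacy_` and `ntds_unknown_` are the output-name prefixes taken from the referenced `DPAPIBackupKey.cs` lines would explain the otherwise opaque strings and tell a maintainer where to look when the tool changes them. The `.cer`/`.key`/`.pfx`/`.pvk` suffix list combined with those prefixes keeps the match tight enough that `Unlikely` is a fair false-positive rating.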
@@ -8,6 +8,7 @@ references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
+modified: 2024/07/16
tags:
- attack.defense_evasion
- attack.t1218
@@ -21,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: medium
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml b/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
index aeb41e05277..c098c9c5cc0 100644
--- a/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
@@ -13,6 +13,7 @@ references:
- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/06/24
+modified: 2024/07/16
tags:
- attack.command_and_control
- attack.t1102
@@ -134,10 +135,13 @@ detection:
filter_main_discord:
Image|contains: '\AppData\Local\Discord\'
Image|endswith: '\Discord.exe'
+ filter_main_null:
+ Image: null
+ filter_main_empty:
+ Image: ''
# filter_optional_qlik:
# Image|endswith: '\Engine.exe' # Process from qlik.com app
condition: selection and not 1 of filter_main_*
falsepositives:
- - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
- - Ninite contacting githubusercontent.com
-level: high
+ - Unknown
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
index 1dbe3a63405..b4e27a38dbd 100644
--- a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
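Review bot: `filter_main_null` and `filter_main_empty` make the rule ignore every network event whose `Image` is absent or empty — exactly the connections whose originating process could not be attributed — and nothing in the hunk says why; add a comment above them such as `# Note: connections with no resolvable Image are excluded to reduce noise; they remain a blind spot`. `Image: null` also relies on the backend translating a null value into "field absent", which may not be handled the same way by every converter, so that dependency is worth a line in the comment as well. Replacing the two concrete `falsepositives` entries with `Unknown` while lowering the level to medium loses tuning guidance; keeping at least the browser/application note would help whoever has to triage the medium-level hits.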
@@ -16,7 +16,7 @@ references:
- https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022/08/17
-modified: 2024/02/06
+modified: 2024/07/16
tags:
- attack.command_and_control
- attack.t1102
@@ -228,6 +228,10 @@ detection:
DestinationHostname|endswith:
- 'discord.com'
- 'cdn.discordapp.com'
+ filter_main_null:
+ Image: null
+ filter_main_empty:
+ Image: ''
# filter_optional_qlik:
# Image|endswith: '\Engine.exe' # Process from qlik.com app
condition: selection and not 1 of filter_main_*
diff --git a/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml b/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
index 91801811ad8..99515f2c68f 100644
--- a/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
@@ -19,9 +19,10 @@ detection:
DestinationHostname|endswith:
- 'api.dropboxapi.com'
- 'content.dropboxapi.com'
- filter:
+ filter_main_legit_dropbox:
+ # Note: It's better to add a specific path to the exact location(s) where dropbox is installed
Image|contains: '\Dropbox'
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use of the API with a tool that the author wasn't aware of
level: high
diff --git a/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
index ecaf81e8ed5..2e846b444f3 100644
--- a/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
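Review bot: `Image|contains: '\Dropbox'` in the renamed `filter_main_legit_dropbox` exempts any executable whose path contains `\Dropbox`, so a binary dropped into a user's synced Dropbox folder (e.g. `C:\Users\<u>\Dropbox\tool.exe`) is excluded from a rule whose whole purpose is to catch Dropbox-API abuse by non-Dropbox tools; the new comment concedes the weakness but leaves the bypass in place. Anchoring the filter on the install location and binary name, e.g. `Image|contains: '\Dropbox\'` together with `Image|endswith: '\Dropbox.exe'` (widened to the updater binaries if they also call the API), would close it, and the comment should then name the exact install paths that were verified. Until then the comment should state plainly that the current filter can be bypassed by path choice rather than just that a specific path is "better".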
@@ -11,7 +11,7 @@ references:
- https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
author: Gavin Knapp
date: 2023/05/01
-modified: 2023/11/03
+modified: 2024/07/16
tags:
- attack.command_and_control
- attack.t1102
@@ -72,9 +72,11 @@ detection:
Image|endswith: '\GoogleUpdate.exe'
filter_optional_outlook.exe:
Image|endswith: '\outlook.exe'
- filter_optional_teams:
- Image|endswith: '\teams.exe'
- condition: selection and not 1 of filter_optional_*
+ filter_main_null:
+ Image: null
+ filter_main_empty:
+ Image: ''
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
level: medium
diff --git a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
index 06989f375bc..267e3a11f02 100644
--- a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
+++ b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
@@ -7,9 +7,10 @@ description: |
This rule will require an initial baseline and tuning that is specific to your organization.
references:
- https://corelight.com/blog/detecting-cve-2021-42292
-author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton
+ - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2021/11/10
-modified: 2024/03/13
+modified: 2024/07/02
tags:
- attack.execution
- attack.t1203
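Review bot: The hunk drops `filter_optional_teams` (`\teams.exe`) without a note, so Teams connections to googleapis.com will now surface at medium level while `falsepositives` is left unchanged; if the removal is deliberate (the filter was optional and the path was unanchored), a one-line comment near the remaining `filter_optional_*` entries recording that decision, e.g. `# Note: teams.exe filter removed on purpose - tune locally if needed`, would keep it from being re-added blindly. The new `filter_main_null` / `filter_main_empty` pair silently excludes connections with no attributable `Image`, which deserves a comment explaining the intent and that these events become a blind spot. The `filter_main_*` filters begin outside the hunk.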
@@ -20,6 +21,7 @@ detection:
selection:
Image|endswith:
- '\excel.exe'
+ - '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wordview.exe'
@@ -34,15 +36,245 @@ detection:
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
- filter_main_msrange:
+ filter_main_msrange_generic:
DestinationIp|cidr:
- '20.184.0.0/13' # Microsoft Corporation
- '20.192.0.0/10' # Microsoft Corporation
- - '23.72.0.0/13' # Akamai International B.V.
- - '51.10.0.0/15' # Microsoft Corporation
+ - '23.72.0.0/13' # Akamai International B.V.
+ - '40.76.0.0/14' # Microsoft Corporation
+ - '51.10.0.0/15' # Microsoft Corporation
- '51.103.0.0/16' # Microsoft Corporation
- '51.104.0.0/15' # Microsoft Corporation
+ - '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
+ - '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
- '204.79.197.0/24' # Microsoft Corporation
+ filter_main_msrange_exchange_1:
+ # Exchange Online
+ # "urls": [
+ # "outlook.cloud.microsoft",
+ # "outlook.office.com",
+ # "outlook.office365.com"
+ # ]
+ DestinationIp|cidr:
+ - '13.107.6.152/31'
+ - '13.107.18.10/31'
+ - '13.107.128.0/22'
+ - '23.103.160.0/20'
+ - '40.96.0.0/13'
+ - '40.104.0.0/15'
+ - '52.96.0.0/14'
+ - '131.253.33.215/32'
+ - '132.245.0.0/16'
+ - '150.171.32.0/22'
+ - '204.79.197.215/32'
+ - '2603:1006::/40'
+ - '2603:1016::/36'
+ - '2603:1026::/36'
+ - '2603:1036::/36'
+ - '2603:1046::/36'
+ - '2603:1056::/36'
+ - '2620:1ec:4::152/128'
+ - '2620:1ec:4::153/128'
+ - '2620:1ec:c::10/128'
+ - '2620:1ec:c::11/128'
+ - '2620:1ec:d::10/128'
+ - '2620:1ec:d::11/128'
+ - '2620:1ec:8f0::/46'
+ - '2620:1ec:900::/46'
+ - '2620:1ec:a92::152/128'
+ - '2620:1ec:a92::153/128'
+ DestinationPort:
+ - 80
+ - 443
+ filter_main_msrange_exchange_2:
+ # Exchange Online
+ # "urls": [
+ # "outlook.office365.com",
+ # "smtp.office365.com"
+ # ]
+ DestinationIp|cidr:
+ - '13.107.6.152/31'
+ - '13.107.18.10/31'
+ - '13.107.128.0/22'
+ - '23.103.160.0/20'
+ - '40.96.0.0/13'
+ - '40.104.0.0/15'
+ - '52.96.0.0/14'
+ - '131.253.33.215/32'
+ - '132.245.0.0/16'
+ - '150.171.32.0/22'
+ - '204.79.197.215/32'
+ - '2603:1006::/40'
+ - '2603:1016::/36'
+ - '2603:1026::/36'
+ - '2603:1036::/36'
+ - '2603:1046::/36'
+ - '2603:1056::/36'
+ - '2620:1ec:4::152/128'
+ - '2620:1ec:4::153/128'
+ - '2620:1ec:c::10/128'
+ - '2620:1ec:c::11/128'
+ - '2620:1ec:d::10/128'
+ - '2620:1ec:d::11/128'
+ - '2620:1ec:8f0::/46'
+ - '2620:1ec:900::/46'
+ - '2620:1ec:a92::152/128'
+ - '2620:1ec:a92::153/128'
+ DestinationPort:
+ - 143
+ - 587
+ - 993
+ - 995
+ Protocol: 'tcp'
+ filter_main_msrange_exchange_3:
+ # Exchange Online
+ # "urls": [
+ # "*.protection.outlook.com"
+ # ]
+ DestinationIp|cidr:
+ - '40.92.0.0/15'
+ - '40.107.0.0/16'
+ - '52.100.0.0/14'
+ - '52.238.78.88/32'
+ - '104.47.0.0/17'
+ - '2a01:111:f400::/48'
+ - '2a01:111:f403::/48'
+ DestinationPort: 443
+ filter_main_msrange_exchange_4:
+ # Exchange Online
+ # "urls": [
+ # "*.mail.protection.outlook.com",
+ # "*.mx.microsoft"
+ # ]
+ DestinationIp|cidr:
+ - '40.92.0.0/15'
+ - '40.107.0.0/16'
+ - '52.100.0.0/14'
+ - '52.238.78.88/32'
+ - '104.47.0.0/17'
+ - '2a01:111:f400::/48'
+ - '2a01:111:f403::/48'
+ DestinationPort: 25
+ filter_main_msrange_sharepoint_1:
+ # SharePoint Online and OneDrive for Business",
+ # "urls": [
+ # "*.sharepoint.com"
+ # ]
+ DestinationIp|cidr:
+ - '13.107.136.0/22'
+ - '40.108.128.0/17'
+ - '52.104.0.0/14'
+ - '104.146.128.0/17'
+ - '150.171.40.0/22'
+ - '2603:1061:1300::/40'
+ - '2620:1ec:8f8::/46'
+ - '2620:1ec:908::/46'
+ - '2a01:111:f402::/48'
+ DestinationPort:
+ - 80
+ - 443
+ Protocol: 'tcp'
+ filter_main_msrange_office_1:
+ # Microsoft 365 Common and Office Online",
+ # "urls": [
+ # "*.officeapps.live.com",
+ # "*.online.office.com",
+ # "office.live.com"
+ # ],
+ DestinationIp|cidr:
+ - '13.107.6.171/32'
+ - '13.107.18.15/32'
+ - '13.107.140.6/32'
+ - '52.108.0.0/14'
+ - '52.244.37.168/32'
+ - '2603:1006:1400::/40'
+ - '2603:1016:2400::/40'
+ - '2603:1026:2400::/40'
+ - '2603:1036:2400::/40'
+ - '2603:1046:1400::/40'
+ - '2603:1056:1400::/40'
+ - '2603:1063:2000::/38'
+ - '2620:1ec:c::15/128'
+ - '2620:1ec:8fc::6/128'
+ - '2620:1ec:a92::171/128'
+ - '2a01:111:f100:2000::a83e:3019/128'
+ - '2a01:111:f100:2002::8975:2d79/128'
+ - '2a01:111:f100:2002::8975:2da8/128'
+ - '2a01:111:f100:7000::6fdd:6cd5/128'
+ - '2a01:111:f100:a004::bfeb:88cf/128'
+ DestinationPort:
+ - 80
+ - 443
+ Protocol: 'tcp'
+ filter_main_msrange_office_2:
+ # Microsoft 365 Common and Office Online
+ # "urls": [
+ # "*.auth.microsoft.com",
+ # "*.msftidentity.com",
+ # "*.msidentity.com",
+ # "account.activedirectory.windowsazure.com",
+ # "accounts.accesscontrol.windows.net",
+ # "adminwebservice.microsoftonline.com",
+ # "api.passwordreset.microsoftonline.com",
+ # "autologon.microsoftazuread-sso.com",
+ # "becws.microsoftonline.com",
+ # "ccs.login.microsoftonline.com",
+ # "clientconfig.microsoftonline-p.net",
+ # "companymanager.microsoftonline.com",
+ # "device.login.microsoftonline.com",
+ # "graph.microsoft.com",
+ # "graph.windows.net",
+ # "login-us.microsoftonline.com",
+ # "login.microsoft.com",
+ # "login.microsoftonline-p.com",
+ # "login.microsoftonline.com",
+ # "login.windows.net",
+ # "logincert.microsoftonline.com",
+ # "loginex.microsoftonline.com",
+ # "nexus.microsoftonline-p.com",
+ # "passwordreset.microsoftonline.com",
+ # "provisioningapi.microsoftonline.com"
+ # ]
+ DestinationIp|cidr:
+ - '20.20.32.0/19'
+ - '20.190.128.0/18'
+ - '20.231.128.0/19'
+ - '40.126.0.0/18'
+ - '2603:1006:2000::/48'
+ - '2603:1007:200::/48'
+ - '2603:1016:1400::/48'
+ - '2603:1017::/48'
+ - '2603:1026:3000::/48'
+ - '2603:1027:1::/48'
+ - '2603:1036:3000::/48'
+ - '2603:1037:1::/48'
+ - '2603:1046:2000::/48'
+ - '2603:1047:1::/48'
+ - '2603:1056:2000::/48'
+ - '2603:1057:2::/48'
+ DestinationPort:
+ - 80
+ - 443
+ Protocol: 'tcp'
+ filter_main_msrange_office_3:
+ # Microsoft 365 Common and Office Online
+ # "urls": [
+ # "*.compliance.microsoft.com",
+ # "*.protection.office.com",
+ # "*.security.microsoft.com",
+ # "compliance.microsoft.com",
+ # "defender.microsoft.com",
+ # "protection.office.com",
+ # "security.microsoft.com"
+ # ]
+ DestinationIp|cidr:
+ - '13.107.6.192/32'
+ - '13.107.9.192/32'
+ - '52.108.0.0/14'
+ - '2620:1ec:4::192/128'
+ - '2620:1ec:a92::192/128'
+ DestinationPort: 443
+ Protocol: 'tcp'
condition: selection and not 1 of filter_main_*
falsepositives:
- You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
diff --git a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
index be5deb3f0ab..f4857d9c41e 100644
--- a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
@@ -4,9 +4,9 @@ status: experimental
description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
-author: X__Junior (Nextron Systems)
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/12
-modified: 2024/01/31
+modified: 2024/07/02
tags:
- attack.defense_evasion
- attack.command_and_control
@@ -33,6 +33,7 @@ detection:
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\OUTLOOK.EXE'
DestinationPort:
+ - 143
- 465 # SMTP
- 587 # SMTP
- 993 # IMAP
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml
new file mode 100644
index 00000000000..79c8344b7a8
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml
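Review bot: The ranges added to `filter_main_msrange_generic` — `40.76.0.0/14`, `52.160.0.0/11`, and the retained `23.72.0.0/13` (Akamai) — are, per the cited ipinfo AS8075 entries, generic Microsoft/Azure and CDN allocations rather than Microsoft 365 service prefixes, so C2 hosted on a rented Azure VM or behind Akamai lands inside the exclusion and the rule goes blind for the most convenient hosting option an attacker has; prefer the service-specific prefixes from the referenced endpoint list, as the `filter_main_msrange_exchange_*`/`office_*` filters already do, and mark any generic range that must stay with `# Note: generic Azure allocation, attacker-controlled VMs fall inside this range`. `filter_main_msrange_exchange_1` and `filter_main_msrange_exchange_2` carry the identical CIDR list and differ only in ports and the `Protocol: 'tcp'` constraint, so if applying the protocol constraint to 80/443 is acceptable they can be one filter with ports `80, 143, 443, 587, 993, 995`, halving the list that has to be kept in sync with Microsoft's publication. The trailing `falsepositives` text still speaks only of Excel although `outlook.exe` was added to the selection in the previous hunk. The file continues outside the hunk after the `falsepositives` item.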
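Review bot: The added `- 143` is the only entry in the Outlook `DestinationPort` list without the protocol comment its neighbours carry (`# SMTP`, `# IMAP`); write it as `- 143 # IMAP` so the list stays self-describing. Since 143 is cleartext IMAP while 993 is IMAP over TLS, a slightly fuller `# IMAP (cleartext)` would also tell an analyst why both appear and that a cleartext mail session from Outlook is itself something a hardening review might want to know about. The `DestinationPort` list continues outside the hunk.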
@@ -0,0 +1,90 @@
+title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
+id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
+related:
+ - id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
+ type: similar
+status: experimental
+description: |
+ Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
+ The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
+references:
+ - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/06/26
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - 'Add-ADDBSidHistory'
+ - 'Add-ADNgcKey'
+ - 'Add-ADReplNgcKey'
+ - 'ConvertFrom-ADManagedPasswordBlob'
+ - 'ConvertFrom-GPPrefPassword'
+ - 'ConvertFrom-ManagedPasswordBlob'
+ - 'ConvertFrom-UnattendXmlPassword'
+ - 'ConvertFrom-UnicodePassword'
+ - 'ConvertTo-AADHash'
+ - 'ConvertTo-GPPrefPassword'
+ - 'ConvertTo-KerberosKey'
+ - 'ConvertTo-LMHash'
+ - 'ConvertTo-MsoPasswordHash'
+ - 'ConvertTo-NTHash'
+ - 'ConvertTo-OrgIdHash'
+ - 'ConvertTo-UnicodePassword'
+ - 'Disable-ADDBAccount'
+ - 'Enable-ADDBAccount'
+ - 'Get-ADDBAccount'
+ - 'Get-ADDBBackupKey'
+ - 'Get-ADDBDomainController'
+ - 'Get-ADDBGroupManagedServiceAccount'
+ - 'Get-ADDBKdsRootKey'
+ - 'Get-ADDBSchemaAttribute'
+ - 'Get-ADDBServiceAccount'
+ - 'Get-ADDefaultPasswordPolicy'
+ - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
+ -
'Get-ADPasswordPolicy'
+ - 'Get-ADReplAccount'
+ - 'Get-ADReplBackupKey'
+ - 'Get-ADReplicationAccount'
+ - 'Get-ADSIAccount'
+ - 'Get-AzureADUserEx'
+ - 'Get-BootKey'
+ - 'Get-KeyCredential'
+ - 'Get-LsaBackupKey'
+ - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
+ - 'Get-SamPasswordPolicy'
+ - 'Get-SysKey'
+ - 'Get-SystemKey'
+ - 'New-ADDBRestoreFromMediaScript'
+ - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
+ - 'New-ADNgcKey'
+ - 'New-NTHashSet'
+ - 'Remove-ADDBObject'
+ - 'Save-DPAPIBlob'
+ - 'Set-ADAccountPasswordHash'
+ - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
+ - 'Set-ADDBBootKey'
+ - 'Set-ADDBDomainController'
+ - 'Set-ADDBPrimaryGroup'
+ - 'Set-ADDBSysKey'
+ - 'Set-AzureADUserEx'
+ - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
+ - 'Set-SamAccountPasswordHash'
+ - 'Set-WinUserPasswordHash'
+ - 'Test-ADDBPasswordQuality'
+ - 'Test-ADPasswordQuality'
+ - 'Test-ADReplPasswordQuality'
+ - 'Test-PasswordQuality'
+ - 'Unlock-ADDBAccount'
+ - 'Write-ADNgcKey'
+ - 'Write-ADReplNgcKey'
+ condition: selection
+falsepositives:
+ - Legitimate usage of DSInternals for administration or audit purpose.
+level: high
diff --git a/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml b/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml
deleted file mode 100644
index d0416d6cb7c..00000000000
--- a/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml
+++ /dev/null
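Review bot: The tags stop at `attack.execution` / `attack.t1059.001`, yet the description itself frames the activity as dumping DPAPI backup keys and manipulating NTDS.DIT (`Get-ADDBBackupKey`, `Get-ADReplAccount`, `Set-ADDBAccountPassword`, `Get-LsaBackupKey`), which is credential access, not just PowerShell execution; add `- attack.credential_access` and `- attack.t1003.003` (OS Credential Dumping: NTDS) so the alert is classified and routed as such. The first description sentence is broken in two (`...PowerShell module. Which can be used...`); join it as `...PowerShell module, which can be used...`. Several entries are deliberate prefixes (`Get-ADKeyCredential`, `Set-LsaPolicy`) and the inline comments explain that, which is good practice worth keeping for every shortened name.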
@@ -1,69 +0,0 @@
-title: Potential Shellcode Injection
-id: 250ae82f-736e-4844-a68b-0b5e8cc887da
-status: test
-description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
-references:
- - https://github.com/EmpireProject/PSInject
-author: Bhabesh Raj
-date: 2022/03/11
-modified: 2023/11/29
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1055
-logsource:
- category: process_access
- product: windows
-detection:
- selection:
- GrantedAccess:
- - '0x147a'
- - '0x1f3fff'
- CallTrace|contains: 'UNKNOWN'
- filter_optional_dell_folders:
- # If dell software is installed we get matches like these
- # Example 1:
- # SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
- # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
- # GrantedAccess: 0x1F3FFF
- # Example 2:
- # SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
- # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
- # GrantedAccess: 0x1F3FFF
- # Example 3:
- # SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
- # TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
- # GrantedAccess: 0x1F3FFF
- SourceImage|contains:
- - ':\Program Files\Dell\'
- - ':\Program Files (x86)\Dell\'
- TargetImage|contains:
- - ':\Program Files\Dell\'
- - ':\Program Files (x86)\Dell\'
- GrantedAccess: '0x1F3FFF'
- CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
- filter_optional_dell_specifc:
- SourceImage|endswith: ':\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
- TargetImage|endswith: ':\Windows\Explorer.EXE'
- GrantedAccess: '0x1F3FFF'
- CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
- filter_optional_visual_studio:
- SourceImage|endswith:
- - ':\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe'
- - ':\Program Files (x86)\Microsoft Visual
Studio\2019\Community\Common7\IDE\PerfWatson2.exe'
- TargetImage|endswith:
- - ':\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
- - ':\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
- CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
- filter_optional_ddvdatacollector:
- SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
- SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
- TargetImage|endswith: ':\Program Files\Dell\DellDataVault\DDVDataCollector.exe'
- filter_optional_wmiprvese:
- SourceImage|endswith: ':\Windows\System32\Wbem\Wmiprvse.exe'
- TargetImage|endswith: ':\Windows\system32\lsass.exe'
- CallTrace|startswith: '?:\Windows\SYSTEM32\ntdll.dll'
- condition: selection and not 1 of filter_optional_*
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
index 3285947e8e9..a7608c4c4e8 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
@@ -1,7 +1,9 @@
 title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
 id: 47e4bab7-c626-47dc-967b-255608c9a920
 status: experimental
-description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions
+description: |
+ Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
+ This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
index 1d30a9c23be..39b6bfabb67 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
@@ -5,14 +5,15 @@ related:
 type: derived
 status: experimental
 description: |
- Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain.
+ Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
+ Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
 - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
 - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2023/07/06
-modified: 2023/11/11
+modified: 2024/06/27
 tags:
 - attack.discovery
 - attack.t1057
@@ -23,46 +24,14 @@ detection:
 selection:
 CommandLine|contains:
 # Note: Add additional CLI to increase and enhance coverage
- - 'ipconfig /all | find '
- - 'ipconfig /all | findstr '
- - 'ipconfig | find '
- - 'ipconfig | findstr '
- - 'ipconfig.exe /all | find '
- - 'ipconfig.exe /all | findstr '
- - 'ipconfig.exe | find '
- - 'ipconfig.exe | findstr '
- - 'net start | find'
- - 'net start | findstr'
- - 'net.exe start | find'
- - 'net.exe start | findstr'
- - 'net1 start | find'
- - 'net1 start | findstr'
- - 'net1.exe start | find'
- - 'net1.exe start | findstr'
- - 'netstat -ano | find'
- - 'netstat -ano | findstr'
- - 'netstat | find'
- - 'netstat | findstr'
- - 'netstat.exe -ano | find'
- - 'netstat.exe -ano | findstr'
- - 'netstat.exe | find'
- - 'netstat.exe | findstr'
- - 'ping | find'
- - 'ping | findstr'
- - 'ping.exe | find'
- - 'ping.exe | findstr'
- - 'systeminfo | find '
- - 'systeminfo | findstr '
- - 'systeminfo.exe | find '
- - 'systeminfo.exe | findstr '
- - 'tasklist | find '
- - 'tasklist | findstr '
- - 'tasklist.exe | find '
- - 'tasklist.exe | findstr '
- - 'whoami /all | find '
- - 'whoami /all | findstr '
- - 'whoami.exe /all | find '
- - 'whoami.exe /all | findstr '
+ # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
+ - 'ipconfig*|*find'
+ - 'net*|*find'
+ - 'netstat*|*find'
+ - 'ping*|*find'
+ - 'systeminfo*|*find'
+ - 'tasklist*|*find'
+ - 'whoami*|*find'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_finger_usage.yml b/rules/windows/process_creation/proc_creation_win_finger_execution.yml
similarity index 57%
rename from rules/windows/process_creation/proc_creation_win_finger_usage.yml
rename to rules/windows/process_creation/proc_creation_win_finger_execution.yml
index 8cd3acc685c..0643d3b328f 100644
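Review bot: The new wildcard values are unanchored substrings, so `'net*|*find'` and `'ping*|*find'` now fire on any command line that merely contains `net` or `ping` somewhere before a pipe into `find` — a path under `Internet Explorer`, `dotnet`, `netsh`, or `mapping` followed by `| findstr` all qualify — whereas the replaced explicit variants started at the binary name and ended with a space before the pattern. Anchor each token on a word boundary, e.g. `- ' net*|*find'` plus `- '\net*|*find'` (the utility is either a bare token after `/c` or a full path), or, as the new comment already hints, express the list as one `CommandLine|re` with `\b` boundaries and keep the wildcard list as the fallback for backends without regex. `'netstat*|*find'` is fully subsumed by `'net*|*find'` and can be dropped once that entry is anchored.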
--- a/rules/windows/process_creation/proc_creation_win_finger_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_finger_execution.yml
@@ -1,14 +1,17 @@
-title: Finger.exe Suspicious Invocation
+title: Finger.EXE Execution
 id: af491bca-e752-4b44-9c86-df5680533dbc
 status: test
-description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays
+description: |
+ Detects execution of the "finger.exe" utility.
+ Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
+ Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
 references:
 - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
 - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
 - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
 author: Florian Roth (Nextron Systems), omkar72, oscd.community
 date: 2021/02/24
-modified: 2022/08/16
+modified: 2024/06/27
 tags:
 - attack.command_and_control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml
new file mode 100644
index 00000000000..78235d26c86
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml
@@ -0,0 +1,59 @@
+title: HackTool - RemoteKrbRelay Execution
+id: a7664b14-75fb-4a50-a223-cb9bc0afbacf
+status: experimental
+description: |
+ Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
+references:
+ - https://github.com/CICADA8-Research/RemoteKrbRelay
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/06/27
+tags:
+ - attack.credential_access
+ - attack.t1558.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\RemoteKrbRelay.exe'
+ - OriginalFileName: 'RemoteKrbRelay.exe'
+ selection_cli_required:
+ CommandLine|contains|all:
+ - ' -clsid '
+ - ' -target '
+ - ' -victim '
+ # selection_cli_attacks:
+ # # Note: In the current implementation these flags do not require any other flags. Which means they can't be used on their own. They're already covered by "selection_cli_required"
+ # CommandLine|contains:
+ # - '-adcs ' # relay to HTTP Web Enrollment and get certificate
+ # - '-laps ' # relay to LDAP and extract LAPS passwords
+ # - '-ldapwhoami ' # relay to LDAP and get info about relayed user
+ # - '-shadowcred ' # relay to LDAP and setup Shadow Credentials
+ selection_cli_attack_smb:
+ CommandLine|contains|all:
+ - '-smb ' # relay to SMB
+ - '--smbkeyword '
+ CommandLine|contains:
+ - 'interactive'
+ - 'secrets'
+ - 'service-add'
+ selection_cli_attack_rbcd_main:
+ CommandLine|contains: '-rbcd ' # relay to LDAP and setup RBCD
+ selection_cli_attack_rbcd_options:
+ CommandLine|contains:
+ - '-cn ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
+ - '--computername ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
+ selection_cli_attack_changepass:
+ CommandLine|contains: '-chp ' # relay to LDAP and change user password
+ CommandLine|contains|all:
+ - '-chpPass ' # new password
+ - '-chpUser ' # the name of the user whose password you want to change
+
selection_cli_attack_addgrpname:
+ CommandLine|contains|all:
+ - '-addgroupmember ' # relay to LDAP and add user to group
+ - '-group '
+ - '-groupuser '
+ condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml
new file mode 100644
index 00000000000..99234e780d5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml
@@ -0,0 +1,50 @@
+title: HackTool - SharpDPAPI Execution
+id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
+status: experimental
+description: |
+ Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
+ SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
+references:
+ - https://github.com/GhostPack/SharpDPAPI
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/06/26
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1134.001
+ - attack.t1134.003
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\SharpDPAPI.exe'
+ - OriginalFileName: 'SharpDPAPI.exe'
+ selection_other_cli:
+ CommandLine|contains:
+ - ' backupkey '
+ - ' blob '
+ - ' certificates '
+ - ' credentials '
+ - ' keepass '
+ - ' masterkeys '
+ - ' rdg '
+ - ' vaults '
+ selection_other_options_guid:
+ CommandLine|contains|all:
+ - ' {'
+ - '}:'
+ selection_other_options_flags:
+ CommandLine|contains:
+ - ' /file:'
+ - ' /machine'
+ - ' /mkfile:'
+ - ' /password:'
+ - ' /pvk:'
+ - ' /server:'
+ - ' /target:'
+ - ' /unprotect'
+ condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)
+falsepositives:
+ - Unknown
+level: high
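Review bot: `attack.t1558.003` is Kerberoasting, but what the description and the flag comments describe (`relay to LDAP`, `relay to SMB`, `relay to HTTP Web Enrollment`) is Kerberos authentication relaying, which ATT&CK files under Adversary-in-the-Middle; replace the sub-technique with `- attack.t1557` and keep `attack.credential_access` (the RBCD, shadow-credential and `-chp` paths would also justify `attack.privilege_escalation`). The commented note on `selection_cli_attacks` contradicts itself — `these flags do not require any other flags. Which means they can't be used on their own` — and so does not explain why those four selections were dropped; reword it to what is meant, presumably `these flags take no additional arguments, so any use of them is already caught by "selection_cli_required"`. If the same holds for `-rbcd`, `-chp`, `-addgroupmember` and `-smb` (the tool's CLI is not visible here, so verify), the remaining `selection_cli_attack_*` blocks add no coverage beyond `selection_cli_required` and only lengthen the condition.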
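Review bot: The ATT&CK tags (`attack.t1134.001` / `attack.t1134.003`, Access Token Manipulation) do not match the activity the description states — decrypting DPAPI master keys, credentials, vaults and certificates is credential access, so the tags should be `- attack.credential_access` with `- attack.t1555` (and `- attack.t1555.004` for the `credentials`/`vaults` verbs); `privilege_escalation` and `defense_evasion` are not what this tool does. The verb list also appears to omit several SharpDPAPI commands that, to my knowledge, exist upstream (`triage`, `search`, `ps`, `sccm` and the `machine*` variants) — check the README and add them, otherwise a renamed binary run as `triage /server:...` escapes the rule entirely. Note that `selection_other_options_guid` (`' {'` + `'}:'`) is a weak discriminator on its own: any command line carrying a `{GUID}:value` pair together with the word ` blob ` will match, which is tolerable at `level: high` only if those verbs are rare in the baseline; a short comment saying the pair is meant to catch `{masterkey-guid}:sha1` arguments would help the next maintainer.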
diff --git a/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml
new file mode 100644
index 00000000000..27838ebb19b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml
@@ -0,0 +1,36 @@
+title: Uncommon Link.EXE Parent Process
+id: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6
+status: test
+description: |
+ Detects an uncommon parent process of "LINK.EXE".
+ Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
+ Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
+ This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
+ By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
+references:
+ - https://twitter.com/0gtweet/status/1560732860935729152
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/08/22
+modified: 2024/06/27
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\link.exe'
+ CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
+ # Add other filters for other legitimate locations
+ filter_main_visual_studio:
+ ParentImage|startswith:
+ - 'C:\Program Files\Microsoft Visual Studio\'
+ - 'C:\Program Files (x86)\Microsoft Visual Studio\'
+ ParentImage|contains:
+ - '\VC\bin\'
+ - '\VC\Tools\'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: medium
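Review bot: `filter_main_visual_studio` hard-codes the drive letter (`ParentImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'`), so a Visual Studio installed on another volume or a relocated `ProgramFiles` alerts on every legitimate `lib.exe`/`dumpbin.exe`/`editbin.exe` run; the drive-agnostic form used elsewhere in this same diff (`Image|contains: ':\Program Files\Microsoft Office\'`) fits here: `ParentImage|contains: - ':\Program Files\Microsoft Visual Studio\' - ':\Program Files (x86)\Microsoft Visual Studio\'` combined with the existing `\VC\bin\` / `\VC\Tools\` check. Two slips in the description are worth fixing in the same commit: `Link.EXE in Microsoft incremental linker. Its a utility` → `Link.EXE is the Microsoft incremental linker. It is a utility`, and `have a hardcode call` → `have a hard-coded call`. Keeping the old id `6e968eb1-…` from the deleted `proc_creation_win_lolbin_sideload_link_binary.yml` is correct; a `related`/rename note is not needed since the id is unchanged.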
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
deleted file mode 100644
index b9461288e90..00000000000
--- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Use of Setres.exe
-id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
-status: test
-description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Setres/
- - https://twitter.com/0gtweet/status/1583356502340870144
- - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
- - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
-author: '@gott_cyber'
-date: 2022/12/11
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.t1202
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- ParentImage|endswith: '\setres.exe'
- Image|endswith: '\choice'
- condition: selection
-falsepositives:
- - Legitimate usage of Setres
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml
deleted file mode 100644
index 6f6acdefd3b..00000000000
--- a/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Sideloading Link.EXE
-id: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6
-status: test
-description: Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name
-references:
- - https://twitter.com/0gtweet/status/1560732860935729152
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/22
-tags:
- - attack.defense_evasion
- - attack.t1218
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith: '\link.exe'
- CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
- # Add other filters for other legitimate locations
- filter_visual_studio:
- ParentImage|startswith:
- - 'C:\Program Files\Microsoft Visual Studio\'
- - 'C:\Program Files (x86)\Microsoft Visual Studio\'
- ParentImage|contains: '\VC\Tools\MSVC\'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml
new file mode 100644
index 00000000000..8185eb5a4cd
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml
@@ -0,0 +1,89 @@
+title: DSInternals Suspicious PowerShell Cmdlets
+id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
+related:
+ - id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
+ type: similar
+status: experimental
+description: |
+ Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
+ The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
+references:
+ - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
+author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
+date: 2024/06/26
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Add-ADDBSidHistory'
+ - 'Add-ADNgcKey'
+ - 'Add-ADReplNgcKey'
+ - 'ConvertFrom-ADManagedPasswordBlob'
+ - 'ConvertFrom-GPPrefPassword'
+ - 'ConvertFrom-ManagedPasswordBlob'
+ - 'ConvertFrom-UnattendXmlPassword'
+ - 'ConvertFrom-UnicodePassword'
+ - 'ConvertTo-AADHash'
+ - 'ConvertTo-GPPrefPassword'
+ - 'ConvertTo-KerberosKey'
+ - 'ConvertTo-LMHash'
+ - 'ConvertTo-MsoPasswordHash'
+ - 'ConvertTo-NTHash'
+ - 'ConvertTo-OrgIdHash'
+ - 'ConvertTo-UnicodePassword'
+ - 'Disable-ADDBAccount'
+ - 'Enable-ADDBAccount'
+ - 'Get-ADDBAccount'
+ - 'Get-ADDBBackupKey'
+ - 'Get-ADDBDomainController'
+ - 'Get-ADDBGroupManagedServiceAccount'
+ - 'Get-ADDBKdsRootKey'
+ - 'Get-ADDBSchemaAttribute'
+ - 'Get-ADDBServiceAccount'
+ - 'Get-ADDefaultPasswordPolicy'
+ - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
+ - 'Get-ADPasswordPolicy'
+ - 'Get-ADReplAccount'
+ - 'Get-ADReplBackupKey'
+ -
'Get-ADReplicationAccount'
+ - 'Get-ADSIAccount'
+ - 'Get-AzureADUserEx'
+ - 'Get-BootKey'
+ - 'Get-KeyCredential'
+ - 'Get-LsaBackupKey'
+ - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
+ - 'Get-SamPasswordPolicy'
+ - 'Get-SysKey'
+ - 'Get-SystemKey'
+ - 'New-ADDBRestoreFromMediaScript'
+ - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
+ - 'New-ADNgcKey'
+ - 'New-NTHashSet'
+ - 'Remove-ADDBObject'
+ - 'Save-DPAPIBlob'
+ - 'Set-ADAccountPasswordHash'
+ - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
+ - 'Set-ADDBBootKey'
+ - 'Set-ADDBDomainController'
+ - 'Set-ADDBPrimaryGroup'
+ - 'Set-ADDBSysKey'
+ - 'Set-AzureADUserEx'
+ - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
+ - 'Set-SamAccountPasswordHash'
+ - 'Set-WinUserPasswordHash'
+ - 'Test-ADDBPasswordQuality'
+ - 'Test-ADPasswordQuality'
+ - 'Test-ADReplPasswordQuality'
+ - 'Test-PasswordQuality'
+ - 'Unlock-ADDBAccount'
+ - 'Write-ADNgcKey'
+ - 'Write-ADReplNgcKey'
+ condition: selection
+falsepositives:
+ - Legitimate usage of DSInternals for administration or audit purpose.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
new file mode 100644
index 00000000000..79af7acae31
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
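Review bot: Matching cmdlet names with `CommandLine|contains` only catches invocations typed literally on the command line; `powershell -EncodedCommand ...`, `-File script.ps1` or an interactive session carry none of these strings, so this process_creation variant will miss most real use and the `related` ScriptBlock rule `846c7a87-…` is the one that actually sees the cmdlets. State that limitation in the description, e.g. append `Note: this rule only covers cmdlets passed directly on the command line; use the ScriptBlock variant for script-file, encoded or interactive execution.` The same tag gap as the sibling applies: the description frames the activity as DPAPI backup-key and NTDS.DIT access, so add `- attack.credential_access` and `- attack.t1003.003` next to `attack.t1059.001`, and join the fragment `...PowerShell module. Which can be used...` into one sentence.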
@@ -0,0 +1,26 @@
+title: Renamed Microsoft Teams Execution
+id: 88f46b67-14d4-4f45-ac2c-d66984f22191
+status: experimental
+description: Detects the execution of a renamed Microsoft Teams binary.
+references:
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/12
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName:
+ - 'msteams.exe'
+ - 'teams.exe'
+ filter_main_legit_names:
+ Image|endswith:
+ - '\msteams.exe'
+ - '\teams.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
index 002cb461cf6..cf713c718fc 100644
--- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
@@ -26,7 +26,7 @@ detection:
 - OriginalFileName: 'sdbinst.exe'
 filter_main_legit_ext:
 CommandLine|contains: '.sdb'
- filter_main_svchost:
+ filter_main_legit_extensions:
 # ParentImage|endswith: ':\Windows\System32\svchost.exe'
 - CommandLine|endswith:
 - ' -c'
diff --git a/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
new file mode 100644
index 00000000000..c4fbfac5f27
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
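Review bot: `filter_main_legit_names` only whitelists `\msteams.exe` and `\teams.exe`, but the new Teams client ships as `ms-teams.exe`; I believe its PE `OriginalFileName` is still `msteams.exe`, and if that holds in your telemetry this rule fires on every launch of new Teams — confirm the value and add `- '\ms-teams.exe'` to the filter. `references: - Internal Research` leaves a reader with nothing to verify; at minimum list the `OriginalFileName`/`Image` pairs that were observed so the filter can be audited later. Consider also a `tags` sub-technique (`attack.t1036.003`, Rename System Utilities, is the usual choice for "renamed legitimate binary" rules in this repository).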
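Review bot: The renamed filter `filter_main_legit_extensions` now differs from the neighbouring `filter_main_legit_ext` by a suffix only, while the two match different things (`.sdb` in the command line versus trailing switches such as `' -c'`), and the stale `# ParentImage|endswith: ':\Windows\System32\svchost.exe'` comment that justified the old name `filter_main_svchost` is still inside it. Name the block after what it matches — e.g. `filter_main_cleanup_switches` — and either delete the commented svchost line or add a one-line reason why the parent check was dropped. The filter's remaining entries sit outside the hunk, so this is based on the `- ' -c'` item shown.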
@@ -0,0 +1,34 @@
+title: Uncommon Child Process Of Setres.EXE
+id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
+status: test
+description: |
+ Detects uncommon child process of Setres.EXE.
+ Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
+ It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Setres/
+ - https://twitter.com/0gtweet/status/1583356502340870144
+ - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
+author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
+date: 2022/12/11
+modified: 2024/06/26
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1202
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\setres.exe'
+ Image|contains: '\choice'
+ filter_main_legit_location:
+ Image|endswith:
+ - 'C:\Windows\System32\choice.exe'
+ - 'C:\Windows\SysWOW64\choice.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
index 6d5b7f6bf56..63d8d6ab173 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
@@ -16,7 +16,7 @@ references:
 - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/21
-modified: 2023/09/05
+modified: 2024/07/12
 tags:
 - attack.execution
 logsource:
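Review bot: `filter_main_legit_location` uses `Image|endswith` with a full absolute path including the drive letter (`'C:\Windows\System32\choice.exe'`), which hard-codes `C:` and is a strange modifier for an exact path; use the drive-agnostic form that this repository uses elsewhere in the same diff (`':\Windows\System32\...'`): `- ':\Windows\System32\choice.exe'` / `- ':\Windows\SysWOW64\choice.exe'`, or a plain `Image:` exact match if the drive is meant to be fixed. The selection's `Image|contains: '\choice'` is broader than the description's "file with a name containing the word choice" needs — it also matches any path with a `\choices\` directory or a `\choicemaker.exe` — so `Image|contains: '\choice.'` would keep the `choice.cmd`/`choice.exe` cases while dropping those. The description line `Setres.EXE is a Windows server only process` should read `Windows Server-only utility`, and that claim is supported only by the linked 2012 R2 documentation, so say so or hedge it.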
@@ -27,7 +27,6 @@ detection:
 ParentImage|endswith:
 # Add more electron based app to the list
 - '\chrome.exe' # Might require additional tuning
- # - '\code.exe' # Requires additional baseline
 - '\discord.exe'
 - '\GitHubDesktop.exe'
 - '\keybase.exe'
@@ -35,7 +34,8 @@ detection:
 - '\msedgewebview2.exe'
 - '\msteams.exe'
 - '\slack.exe'
- - '\Teams.exe'
+ - '\teams.exe'
+ # - '\code.exe' # Prone to a lot of FPs. Requires an additional baseline
 selection_child_image:
 Image|endswith:
 # Add more suspicious/unexpected paths
@@ -45,59 +45,22 @@ detection:
 - '\powershell.exe'
 - '\pwsh.exe'
 - '\regsvr32.exe'
+ - '\whoami.exe'
 - '\wscript.exe'
 selection_child_paths:
 Image|contains:
 # Add more suspicious/unexpected paths
+ - ':\ProgramData\'
+ - ':\Temp\'
 - '\AppData\Local\Temp\'
 - '\Users\Public\'
 - '\Windows\Temp\'
- - ':\Temp\'
- filter_main_chrome:
- ParentImage|endswith: '\chrome.exe'
- Image|endswith: '\chrome.exe'
- # filter_main_code_1:
- # ParentImage|endswith: '\code.exe'
- # Image|endswith: '\code.exe'
- # filter_main_code_2:
- # # Note: As code allows many other programs its best to baseline this
- # ParentImage|endswith: '\code.exe'
- # Image|endswith:
- # - '\cmd.exe'
- # - '\powershell.exe'
- filter_main_discord:
- ParentImage|endswith: '\discord.exe'
- Image|endswith: '\discord.exe'
- filter_main_githubdesktop:
- ParentImage|endswith: '\GitHubDesktop.exe'
- Image|endswith: '\GitHubDesktop.exe'
- filter_main_keybase:
- ParentImage|endswith: '\keybase.exe'
- Image|endswith: '\keybase.exe'
- filter_main_msedge:
- ParentImage|endswith: '\msedge.exe'
- Image|endswith: '\msedge.exe'
- filter_main_msedgewebview:
- ParentImage|endswith: '\msedgewebview2.exe'
- Image|endswith: '\msedgewebview2.exe'
- filter_main_msteams:
- ParentImage|endswith: '\msteams.exe'
- Image|endswith: '\msteams.exe'
- filter_main_slack:
- ParentImage|endswith: '\slack.exe'
- Image|endswith: '\slack.exe'
- filter_main_teams:
- ParentImage|endswith: '\teams.exe'
- Image|endswith: '\teams.exe'
- filter_main_werfault:
- Image:
- - 'C:\Windows\SysWOW64\WerFault.exe'
- - 'C:\Windows\System32\WerFault.exe'
 filter_optional_discord:
 ParentImage|endswith: '\Discord.exe'
+ Image|endswith: '\cmd.exe'
 CommandLine|contains: '\NVSMI\nvidia-smi.exe'
- condition: selection_parent and 1 of selection_child_* and not 1 of filter_main_* and not 1 of filter_optional_*
+ condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*
 falsepositives:
- - Legitimate child processes can occur in cases of
debugging
-# Increase the level once FP rate is known better (see status)
+ - Unknown
+# Increase the level once FP rate is reduced (see status)
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
index 906bffd2ff8..ff860de061d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
@@ -1,7 +1,9 @@
-title: ETW Logging Tamper In .NET Processes
+title: ETW Logging Tamper In .NET Processes Via CommandLine
 id: 41421f44-58f9-455d-838a-c398859841d4
 status: test
-description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
+description: |
+ Detects changes to environment variables related to ETW logging via the CommandLine.
+ This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
 references:
 - https://twitter.com/_xpn_/status/1268712093928378368
 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
index ef9f41237f0..3cd5ededa1a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
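Review bot: Adding `':\ProgramData\'` to `selection_child_paths` at the same time as deleting every parent-equals-child guard (`filter_main_chrome` … `filter_main_teams`, `filter_main_werfault`) means that any of the listed Electron apps installed under `ProgramData` — some per-machine enterprise deployments are laid out that way, so check your baseline — now matches on each of its own renderer/GPU/crashpad children, because `1 of selection_child_*` is satisfied by the path alone and nothing in the new condition excludes `ParentImage == Image`. If that layout exists in your fleet, keep one generic self-spawn guard (a `filter_main_self` whose `Image|endswith` list mirrors `selection_parent`) or restrict the ProgramData entry to the interpreters/LOLBins already named in `selection_child_image`. Tightening `filter_optional_discord` to `Image|endswith: '\cmd.exe'` plus the nvidia-smi path is a good change; the previous version excluded any Discord child whose command line mentioned that path.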
@@ -1,7 +1,8 @@
-title: Disable of ETW Trace
+title: ETW Trace Evasion Activity
 id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
 status: test
-description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
+description: |
+ Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 - https://abuse.io/lockergoga.txt
@@ -47,7 +48,7 @@ detection:
 CommandLine|contains|all:
 - 'Set-EtwTraceProvider'
 - '0x11'
- condition: 1 of selection*
+ condition: 1 of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index 4ae532e925f..3ca670aae69 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -1,7 +1,9 @@
-title: Suspicious Eventlog Clear or Configuration Change
+title: Suspicious Eventlog Clearing or Configuration Change Activity
 id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
 status: stable
-description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
+description: |
+ Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
+ This technique were seen used by threat actors and ransomware strains in order to evade defenses.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
 - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
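Review bot: The condition now only picks up identifiers matching `selection_*`, so any selection block above the hunk still named without the underscore (for instance a bare `selection`) silently stops contributing; the `detection` block starts outside the hunk, so this should be checked against the full file. The `'Set-EtwTraceProvider'` / `'0x11'` pair is also unexplained — a short why-comment on the `'0x11'` line naming the property value it represents would save the next reader a trip to the references.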
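Review bot: The new description has a grammar slip in its second line: `This technique were seen used by threat actors` should read `This technique was seen used by threat actors` (or `These techniques were seen used`). The rest of the hunk is metadata only.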
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
index 2f5d69fbd88..abeef5c72ce 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
@@ -19,7 +19,7 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/09/09
-modified: 2024/01/02
+modified: 2024/07/12
 tags:
 - attack.credential_access
 - attack.discovery
@@ -51,9 +51,14 @@ detection:
 selection_logs_name:
 CommandLine|contains:
 # Note: Add more event log channels that are interesting for attackers
- - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
- - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational'
+ - 'Microsoft-Windows-PowerShell'
+ - 'Microsoft-Windows-Security-Auditing'
+ - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
+ - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
+ - 'Microsoft-Windows-Windows Defender'
+ - 'PowerShellCore'
 - 'Security'
+ - 'Windows PowerShell'
 selection_logs_eid:
 CommandLine|contains:
 # Note: We use the "?" to account for both a single and a double quote
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
index 2769972cb99..9775ea65ddd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
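Review bot: `'Security'` and `'Windows PowerShell'` are very short `CommandLine|contains` values, and the new entries drop the `/Operational` suffix the removed ones carried, so `selection_logs_name` now matches any command line that merely mentions those words (a Start Menu path containing `Windows PowerShell`, a product name containing `Security`) rather than a channel argument. The `selection_logs_eid` block and the other selections and condition that constrain it sit outside the hunk, so the net precision cannot be judged from here, but the intent deserves a comment, e.g. `# Note: Channel names are matched without the "/Operational" suffix on purpose so that Admin/Analytic channels are covered too`. The removed `Microsoft-Windows-Terminal-Services-RemoteConnectionManager` value also looks like a typo of the real channel name that could never have matched, so this hunk is a silent bug fix worth mentioning in the commit message.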
@@ -1,12 +1,13 @@
-title: Parent in Public Folder Suspicious Process
+title: Potentially Suspicious Execution From Parent Process In Public Folder
 id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
 status: test
-description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
+description: |
+ Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/02/25
-modified: 2022/11/18
+modified: 2024/07/12
 tags:
 - attack.defense_evasion
 - attack.execution
@@ -16,26 +17,30 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- ParentImage|startswith: 'C:\Users\Public\'
- CommandLine|contains:
- - 'powershell'
- - 'cmd.exe /c '
- - 'cmd.exe /r '
- - 'cmd.exe /k '
- - 'cmd /c '
- - 'cmd /r '
- - 'cmd /k '
- - 'wscript.exe'
- - 'cscript.exe'
- - 'bitsadmin'
- - 'certutil'
- - 'mshta.exe'
- condition: selection
-fields:
- - ComputerName
- - User
- - CommandLine
+ selection_parent:
+ ParentImage|contains: ':\Users\Public\'
+ selection_child:
+ - Image|endswith:
+ - '\bitsadmin.exe'
+ - '\certutil.exe'
+ - '\cmd.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\wscript.exe'
+ - CommandLine|contains:
+ - 'bitsadmin'
+ - 'certutil'
+ - 'cscript'
+ - 'mshta'
+ - 'powershell'
+ - 'regsvr32'
+ - 'rundll32'
+ - 'wscript'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
index b76a30ae3ed..1edbf5b7969 100644
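Review bot: In the new `selection_child`, the `CommandLine|contains` alternative uses bare tokens (`'certutil'`, `'mshta'`, `'powershell'`) where the old rule matched invocation shapes such as `'cmd.exe /c '`, so it now also fires on command lines that merely carry those strings as arguments or file names; that is a reasonable renamed-binary fallback but should be stated, e.g. `# Note: CommandLine tokens are intentionally loose to cover renamed binaries`. The `cmd` case is asymmetric: `'\cmd.exe'` is in the `Image|endswith` list, but none of the old `cmd /c`, `/r`, `/k` patterns survive in the `CommandLine` list, so a renamed cmd.exe launched from `\Users\Public\` is no longer covered the way the other tools are. If that is deliberate, a one-line comment on the `- CommandLine|contains:` line saying so would stop someone re-adding them.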
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
@@ -1,7 +1,7 @@
-title: Execution from Suspicious Folder
+title: Process Execution From A Potentially Suspicious Folder
 id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
 status: test
-description: Detects a suspicious execution from an uncommon folder
+description: Detects a potentially suspicious execution from an uncommon folder.
 references:
 - https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
 - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
@@ -9,7 +9,7 @@ references:
 - https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
 author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2019/01/16
-modified: 2023/01/10
+modified: 2024/07/12
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -18,35 +18,31 @@ logsource:
 product: windows
 detection:
 selection:
- - Image|contains:
- - '\$Recycle.bin\'
- - '\config\systemprofile\'
- - '\Intel\Logs\'
- - '\RSA\MachineKeys\'
- - '\Users\All Users\'
- - '\Users\Default\'
- - '\Users\NetworkService\'
- - '\Users\Public\'
- - '\Windows\addins\'
- - '\Windows\debug\'
- - '\Windows\Fonts\'
- - '\Windows\Help\'
- - '\Windows\IME\'
- - '\Windows\Media\'
- - '\Windows\repair\'
- - '\Windows\security\'
- - '\Windows\System32\Tasks\'
- - '\Windows\Tasks\'
- - Image|startswith: 'C:\Perflogs\'
- filter_ibm:
+ Image|contains:
+ - ':\Perflogs\'
+ - ':\Users\All Users\'
+ - ':\Users\Default\'
+ - ':\Users\NetworkService\'
+ - ':\Windows\addins\'
+ - ':\Windows\debug\'
+ - ':\Windows\Fonts\'
+ - ':\Windows\Help\'
+ - ':\Windows\IME\'
+ - ':\Windows\Media\'
+ - ':\Windows\repair\'
+ - ':\Windows\security\'
+ - ':\Windows\System32\Tasks\'
+ - ':\Windows\Tasks\'
+ - '$Recycle.bin'
+ - '\config\systemprofile\'
+ - '\Intel\Logs\'
+ - '\RSA\MachineKeys\'
+ filter_optional_ibm:
 Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
- filter_citrix:
+ filter_optional_citrix:
 Image|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
 Image|endswith: '\CitrixReceiverUpdater.exe'
- condition: selection and not 1 of filter_*
-fields:
- - CommandLine
- - ParentCommandLine
+ condition: selection and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
index 214c2a20c5e..9e46bb09f4d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
@@ -25,5 +25,5 @@ detection:
 - 'RECYCLER.BIN\'
 condition: selection
 falsepositives:
- - Unknown
+ - Unlikely
 level: high
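Review bot: `filter_optional_ibm` is now dead code: it excludes `C:\Users\Public\IBM\ClientSolutions\Start_Programs\`, but `'\Users\Public\'` is removed from `selection` in this same hunk, so no event the selection matches can reach that filter any more. Either drop the filter or, if the Public folder is intentionally handed to another rule, record that above the list, e.g. `# Note: '\Users\Public\' is covered by a dedicated rule`. Separately, `'$Recycle.bin'` lost the surrounding backslashes that every other entry keeps, which turns it from a directory component into a bare substring; a comment on why (or `'\$Recycle.bin\'` as before) would make the intent clear.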
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 5af203cdbfa..1d50dec0015 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -1,13 +1,14 @@
 title: System File Execution Location Anomaly
 id: e4a6b256-3e47-40fc-89d2-7a477edd6915
 status: experimental
-description: Detects a Windows program executable started from a suspicious folder
+description: |
+ Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
 references:
 - https://twitter.com/GelosSnake/status/934900723426439170
 - https://asec.ahnlab.com/en/39828/
-author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2017/11/27
-modified: 2023/10/18
+modified: 2024/07/16
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -17,76 +18,75 @@ logsource:
 detection:
 selection:
 Image|endswith:
- - '\svchost.exe'
- - '\rundll32.exe'
- - '\services.exe'
- - '\powershell.exe'
- - '\powershell_ise.exe'
- - '\pwsh.exe'
- - '\regsvr32.exe'
- - '\spoolsv.exe'
- - '\lsass.exe'
- - '\smss.exe'
- - '\csrss.exe'
- - '\conhost.exe'
- - '\wininit.exe'
- - '\lsm.exe'
- - '\winlogon.exe'
- - '\explorer.exe'
- - '\taskhost.exe'
- - '\Taskmgr.exe'
- - '\sihost.exe'
- - '\RuntimeBroker.exe'
- - '\smartscreen.exe'
- - '\dllhost.exe'
- - '\audiodg.exe'
- - '\wlanext.exe'
- - '\dashost.exe'
- - '\schtasks.exe'
- - '\cscript.exe'
- - '\wscript.exe'
- - '\wsl.exe'
- - '\bitsadmin.exe'
 - '\atbroker.exe'
+ - '\audiodg.exe'
 - '\bcdedit.exe'
- - '\certutil.exe'
+ - '\bitsadmin.exe'
 - '\certreq.exe'
+ - '\certutil.exe'
 - '\cmstp.exe'
+ - '\conhost.exe'
 - '\consent.exe'
+ - '\cscript.exe'
+ - '\csrss.exe'
+ - '\dashost.exe'
 - '\defrag.exe'
+ - '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
 - '\dism.exe'
+ - '\dllhost.exe'
 - '\dllhst3g.exe'
+ - '\dwm.exe'
 - '\eventvwr.exe'
- - '\msiexec.exe'
- - '\runonce.exe'
- - '\winver.exe'
 - '\logonui.exe'
- - '\userinit.exe'
- - '\dwm.exe'
 - '\LsaIso.exe'
+ - '\lsass.exe'
+ - '\lsm.exe'
+ - '\msiexec.exe'
 - '\ntoskrnl.exe'
- # The below processes were seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
- - '\wsmprovhost.exe'
- - '\dfrgui.exe'
- filter_generic:
- - Image|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- - 'C:\Windows\WinSxS\'
- # - 'C:\avast! sandbox'
- - Image|contains: '\SystemRoot\System32\'
- - Image:
- - 'C:\Windows\explorer.exe'
- - 'C:\Program Files\PowerShell\7\pwsh.exe'
- - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
- filter_wsl_windowsapps:
+ - '\powershell_ise.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\runonce.exe'
+ - '\RuntimeBroker.exe'
+ - '\schtasks.exe'
+ - '\services.exe'
+ - '\sihost.exe'
+ - '\smartscreen.exe'
+ - '\smss.exe'
+ - '\spoolsv.exe'
+ - '\svchost.exe'
+ - '\taskhost.exe'
+ - '\Taskmgr.exe'
+ - '\userinit.exe'
+ - '\wininit.exe'
+ - '\winlogon.exe'
+ - '\winver.exe'
+ - '\wlanext.exe'
+ - '\wscript.exe'
+ - '\wsl.exe'
+ - '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
+ filter_main_generic:
+ Image|startswith:
+ - 'C:\$WINDOWS.~BT\'
+ - 'C:\$WinREAgent\'
+ - 'C:\Windows\SoftwareDistribution\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SystemTemp\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\uus\'
+ - 'C:\Windows\WinSxS\'
+ filter_optional_system32:
+ Image|contains: '\SystemRoot\System32\'
+ filter_main_powershell:
+ Image:
+ - 'C:\Program Files\PowerShell\7\pwsh.exe'
+ - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
+ filter_main_wsl_windowsapps:
 Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
 Image|endswith: '\wsl.exe'
- condition: selection and not 1 of filter_*
-fields:
- - ComputerName
- - User
- - Image
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
- - Exotic software
+ - Unknown
 level: high
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
index 3f4a02e52f6..0b09702b07f 100644
--- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
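Review bot: `filter_main_powershell` still only exempts the two MSI install paths of pwsh.exe while `'\pwsh.exe'` stays in the selection and the `falsepositives` entry goes from `Exotic software` to `Unknown`; PowerShell 7 installed from the Microsoft Store (which, like the WSL package already filtered, should live under `C:\Program Files\WindowsApps\`) or as a per-user .NET global tool runs from neither path and will alert on every launch. Either add a filter for those locations or list them under `falsepositives` so operators know what to expect. The new `Image|startswith` filters (`C:\$WINDOWS.~BT\`, `C:\Windows\uus\`, …) are also hard-coded to `C:` while the selection is drive-agnostic — pre-existing, but worth a comment such as `# Note: Filters assume the OS drive is C:`.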
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
@@ -1,13 +1,14 @@
 title: Hypervisor Enforced Code Integrity Disabled
 id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
 status: experimental
-description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
+description: |
+ Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
 references:
 - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
 - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
 author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
 date: 2023/03/14
-modified: 2024/01/10
+modified: 2024/07/05
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -16,7 +17,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventType: SetValue
 TargetObject|endswith:
 - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
 - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
new file mode 100644
index 00000000000..a379a4e1cee
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
@@ -0,0 +1,24 @@
+title: Hypervisor Enforced Paging Translation Disabled
+id: 7f2954d2-99c2-4d42-a065-ca36740f187b
+status: experimental
+description: |
+ Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
+references:
+ - https://twitter.com/standa_t/status/1808868985678803222
+ - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
+ Details: 'DWORD (0x00000001)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml b/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml
new file mode 100644
index 00000000000..190e3e1d967
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml
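Review bot: The description is garbled in its second sentence: `Where the it is set to "1"` should read, joined to the first, `Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value, where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.`. The selection also matches only the exact `DWORD (0x00000001)` rendering; if, as for most boolean DWORDs, any non-zero value has the same effect, other values slip past, so either widen it (e.g. `Details|startswith: 'DWORD ('` with a filter on `DWORD (0x00000000)`) or add a comment stating that only `1` is honoured by the OS.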
@@ -0,0 +1,24 @@
+title: Periodic Backup For System Registry Hives Enabled
+id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f
+status: experimental
+description: |
+ Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
+ Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
+references:
+ - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/01
+tags:
+ - attack.collection
+ - attack.t1113
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Control\Session Manager\Configuration Manager\EnablePeriodicBackup'
+ Details: 'DWORD (0x00000001)'
+ condition: selection
+falsepositives:
+ - Legitimate need for RegBack feature by administrators.
+level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
new file mode 100644
index 00000000000..e38b095a58e
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
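Review bot: The tags `attack.collection` / `attack.t1113` do not match the behaviour: T1113 is Screen Capture. Turning on `EnablePeriodicBackup` makes Windows copy the system hives (SAM, SECURITY and SYSTEM among them) into `RegBack` on restart, and the reason this is alert-worthy is that those copies are readable offline while the live hives are locked — so `attack.credential_access` with `attack.t1003.002` (or at least `attack.t1003`) describes it better. The description should state that rationale, since at present it only explains what the setting does; it also carries a stray capital in `Once enabled, The OS`.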
@@ -0,0 +1,45 @@
+title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
+id: 790317c0-0a36-4a6a-a105-6e576bf99a14
+status: experimental
+description: Detects potential COM object hijacking via modification of default system CLSID.
+references:
+ - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/16
+tags:
+ - attack.persistence
+ - attack.t1546.015
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection_target:
+ TargetObject|contains: '\CLSID\'
+ TargetObject|endswith:
+ - '\InprocServer32\(Default)'
+ - '\LocalServer32\(Default)'
+ selection_builtin_clsid:
+ TargetObject|contains:
+ # Note: Add other legitimate CLSID
+ - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
+ - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
+ - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
+ - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
+ - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
+ selection_locations:
+ Details|contains:
+ # Note: Add more suspicious paths and locations
+ - '\AppData\Local\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Microsoft\Windows\Start Menu\Programs\Startup\'
+ - '\System32\spool\drivers\color\' # as seen in the knotweed blog
+ - '\Users\Public\'
+ - '\Windows\Temp\'
+ - '%appdata%'
+ - '%temp%'
+ - '%tmp%'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index 15ec0331651..d4efbf7c6af 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
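Review bot: `selection_builtin_clsid` lists five GUIDs with nothing saying which COM class each one is, and `# Note: Add other legitimate CLSID` gives no criterion for what belongs; a trailing comment per entry naming the component and the source it was taken from (as the `'\System32\spool\drivers\color\'` line already does) is needed by anyone who has to tune or extend this list. The hive is also left open: `TargetObject|contains: '\CLSID\'` plus the `\InprocServer32\(Default)` suffix matches writes under both `HKLM` and `HKU`, which is probably intended since COM hijacking typically registers a per-user override for a machine-wide class, but a comment above `selection_target` saying so would prevent a future "fix" that scopes it to one hive.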
@@ -6,7 +6,7 @@ references:
 - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
 date: 2018/08/25
-modified: 2024/03/18
+modified: 2024/07/16
 tags:
 - attack.persistence
 - attack.t1547.001
@@ -34,9 +34,13 @@ detection:
 - 'wscript'
 - 'cscript'
 filter_main_windows_update:
+ TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
 Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
 Details|contains|all:
- - 'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
+ - 'rundll32.exe '
+ - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
+ Details|contains:
+ - '\AppData\Local\Temp\'
 - 'C:\Windows\Temp\'
 condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
index 2e3a19dd0dd..545fb2e9b45 100644
--- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -17,7 +17,7 @@ references:
 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
 author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
 date: 2022/08/01
-modified: 2023/08/17
+modified: 2024/07/03
 tags:
 - attack.defense_evasion
 - attack.t1562.001
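Review bot: `filter_main_windows_update` now requires all four conditions (the RunOnce key, the SoftwareDistribution image, the `advpack.dll,DelNodeRunDLL32` command and one of the Temp paths), which is a sound tightening, but the two `Details` lists mix styles: `'\AppData\Local\Temp\'` is drive-agnostic while `'C:\Windows\Temp\'` hard-codes the drive. Because `Image|startswith` already pins `C:\`, this is harmless, yet `':\Windows\Temp\'` would keep the list self-consistent. The `selection_*` blocks the condition refers to start above the hunk.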
@@ -55,7 +55,11 @@ detection:
 - '\SpyNet\SubmitSamplesConsent'
 - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
 Details: 'DWORD (0x00000000)'
- condition: selection_main and 1 of selection_dword_*
+ filter_optional_symantec:
+ Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
+ Image|endswith: '\sepWscSvc64.exe'
+ condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
 falsepositives:
 - Administrator actions via the Windows Defender interface
+ - Third party Antivirus
 level: high
diff --git a/tests/thor.yml b/tests/thor.yml
index 8858847a89c..40525a1d5c9 100644
--- a/tests/thor.yml
+++ b/tests/thor.yml
@@ -553,6 +553,11 @@ logsources:
 service: kernel-event-tracing
 sources:
 - 'WinEventLog:Microsoft-Windows-Kernel-EventTracing'
+ windows-sense:
+ product: windows
+ service: sense
+ sources:
+ - 'WinEventLog:Microsoft-Windows-SENSE/Operational'
 apache:
 category: webserver
 sources:
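Review bot: `filter_optional_symantec` exempts writes by a single Symantec service binary, while the new `falsepositives` entry says `Third party Antivirus` generically; other products that register with Security Center and set these same values (`SubmitSamplesConsent` and the rest of `selection_dword_*`, which starts above the hunk) will keep firing at level high, so either the FP entry should name Symantec or the filter should be marked as a template to extend, e.g. `# Note: Add other third party AV services that legitimately set these values`. A comment that an `Image`-path-only filter is a best-effort exclusion rather than an identity check would also be fair to operators tuning it.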