From d804e9cba10fa2e3bdabeca0cc330158c58de016 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Nov 2024 09:30:14 +0100 Subject: [PATCH] Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac update: GALLIUM IOCs - remove custom dedicated hash fields update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields update: HackTool Named File Stream Created - remove custom dedicated hash fields update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields update: PUA - System Informer Driver Load - remove custom dedicated hash fields update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields update: WinDivert Driver Load - remove custom dedicated hash fields update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields update: Hacktool Execution - Imphash - remove custom dedicated hash fields update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields update: HackTool - Impersonate Execution - remove custom dedicated hash fields update: HackTool - LocalPotato Execution - remove custom dedicated hash fields update: HackTool - PCHunter Execution - remove custom dedicated hash fields update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields update: HackTool - Stracciatella Execution - remove custom dedicated hash fields update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields update: HackTool - UACMe Akagi Execution - remove custom dedicated hash 
fields update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields update: MpiExec Lolbin - remove custom dedicated hash fields update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields update: PUA - Nimgrab Execution - remove custom dedicated hash fields update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields update: PUA - Process Hacker Execution - remove custom dedicated hash fields update: PUA - System Informer Execution - remove custom dedicated hash fields update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields update: Renamed AdFind Execution - remove custom dedicated hash fields update: Renamed AutoIt Execution - remove custom dedicated hash fields update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields update: Renamed PAExec Execution - remove custom dedicated hash fields update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../driver_load_win_mal_poortry_driver.yml | 22 -- ...oad_win_vuln_avast_anti_rootkit_driver.yml | 6 +- .../driver_load_win_vuln_dell_driver.yml | 10 - .../driver_load_win_vuln_gigabyte_driver.yml | 14 +- .../driver_load_win_vuln_hw_driver.yml | 13 - .../driver_load_win_vuln_lenovo_driver.yml | 8 +- .../windows/proc_creation_win_apt_gallium.yml | 2 +- .../proc_creation_win_renamed_paexec.yml | 5 - .../proc_creation_win_apt_gallium_iocs.yml | 47 +-- ...e_load_malware_3cx_compromise_susp_dll.yml | 21 +- ...n_win_malware_3cx_compromise_execution.yml | 34 +- ...eate_stream_hash_hktl_generic_download.yml | 311 ++++++------------ .../driver_load_win_pua_process_hacker.yml | 25 +- .../driver_load_win_pua_system_informer.yml | 51 +-- .../driver_load_win_vuln_hevd_driver.yml | 19 +- 
.../driver_load_win_vuln_winring0_driver.yml | 23 +- .../driver_load/driver_load_win_windivert.yml | 77 ++--- .../image_load_hktl_sharpevtmute.yml | 5 +- .../proc_creation_win_hktl_coercedpotato.yml | 14 +- .../proc_creation_win_hktl_createminidump.yml | 3 +- ...ation_win_hktl_execution_via_imphashes.yml | 269 +++++---------- .../proc_creation_win_hktl_gmer.yml | 6 +- .../proc_creation_win_hktl_handlekatz.yml | 11 +- .../proc_creation_win_hktl_impersonate.yml | 10 +- .../proc_creation_win_hktl_localpotato.yml | 5 +- .../proc_creation_win_hktl_pchunter.yml | 15 +- .../proc_creation_win_hktl_selectmyparent.yml | 7 +- ...ation_win_hktl_stracciatella_execution.yml | 4 +- .../proc_creation_win_hktl_sysmoneop.yml | 11 +- .../proc_creation_win_hktl_uacme.yml | 15 +- .../proc_creation_win_hktl_wce.yml | 11 +- .../proc_creation_win_lolbin_mpiexec.yml | 3 +- .../proc_creation_win_pua_frp.yml | 13 +- .../proc_creation_win_pua_iox.yml | 13 +- .../proc_creation_win_pua_nimgrab.yml | 6 +- .../proc_creation_win_pua_nps.yml | 13 +- .../proc_creation_win_pua_process_hacker.yml | 38 +-- .../proc_creation_win_pua_system_informer.yml | 25 +- ...mote_access_tools_netsupport_susp_exec.yml | 3 +- .../proc_creation_win_renamed_adfind.yml | 11 +- .../proc_creation_win_renamed_autoit.yml | 14 +- ...oc_creation_win_renamed_netsupport_rat.yml | 3 +- .../proc_creation_win_renamed_paexec.yml | 11 +- ...oc_creation_win_wmic_squiblytwo_bypass.yml | 6 +- tests/test_logsource.py | 32 +- 45 files changed, 380 insertions(+), 885 deletions(-) diff --git a/deprecated/windows/driver_load_win_mal_poortry_driver.yml b/deprecated/windows/driver_load_win_mal_poortry_driver.yml index 48f28f61fda..6caec819aa2 100644 --- a/deprecated/windows/driver_load_win_mal_poortry_driver.yml +++ b/deprecated/windows/driver_load_win_mal_poortry_driver.yml 
@@ -42,28 +42,6 @@ detection: - 'MD5=0f16a43f7989034641fd2de3eb268bf1' - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0' - 'MD5=909f3fc221acbe999483c87d9ead024a' - selection_hash: - - sha256: - - '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc' - - '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c' - - '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104' - - 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c' - - '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4' - - 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497' - - sha1: - - '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a' - - 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d' - - '6debce728bcff73d9d1d334df0c6b1c3735e295c' - - 'cc65bf60600b64feece5575f21ab89e03a728332' - - '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e' - - 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98' - - md5: - - '10f3679384a03cb487bda9621ceb5f90' - - '04a88f5974caa621cee18f34300fc08a' - - '6fcf56f6ca3210ec397e55f727353c4a' - - '0f16a43f7989034641fd2de3eb268bf1' - - 'ee6b1a79cb6641aa44c762ee90786fe0' - - '909f3fc221acbe999483c87d9ead024a' condition: 1 of selection* falsepositives: - Legitimate BIOS driver updates (should be rare) diff --git a/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml b/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml index d298daa1266..78d2eca21c7 100644 --- a/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml 
@@ -19,16 +19,12 @@ detection: - 'MD5=a179c4093d05a3e1ee73f6ff07f994aa' - 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' - 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1' - selection_other: - - md5: 'a179c4093d05a3e1ee73f6ff07f994aa' - - sha1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' - - sha256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1' driver_img: ImageLoaded|endswith: '\aswArPot.sys' driver_status: - Signed: 'false' - SignatureStatus: Expired - condition: 1 of selection* or all of driver_* + condition: selection_sysmon or all of driver_* falsepositives: - Unknown level: high diff --git a/deprecated/windows/driver_load_win_vuln_dell_driver.yml b/deprecated/windows/driver_load_win_vuln_dell_driver.yml index 8b3699e6151..54de81246a7 100644 --- a/deprecated/windows/driver_load_win_vuln_dell_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_dell_driver.yml @@ -26,16 +26,6 @@ detection: - 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25' - 'MD5=C996D7971C49252C582171D9380360F2' - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244' - selection_hash: - - sha256: - - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' - - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' - - sha1: - - 'c948ae14761095e4d76b55d9de86412258be7afd' - - '10b30bdee43b3a2ec4aa63375577ade650269d25' - - md5: - - 'c996d7971c49252c582171d9380360f2' - - 'd2fd132ab7bbc6bbb87a84f026fa0244' condition: 1 of selection* falsepositives: - Legitimate BIOS driver updates (should be rare) diff --git a/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml b/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml index 65fc7e80a39..9fabbd75eb6 100644 --- a/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml 
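Review bot: The tidied `condition: selection_sysmon or all of driver_*` at the end of this hunk is not mirrored in the poortry, dell and hw driver hunks, whose single remaining selection still sits under `condition: 1 of selection*` after the second selection was deleted, while the gigabyte and lenovo hunks do simplify to `condition: selection`. Naming the one selection, e.g. `condition: selection_sysmon`, would make those three files consistent with this one and drop a wildcard that now matches exactly one selection; the remaining selection's name is outside those hunks, so use whatever it is. Per the diffstat, none of the deprecated/ files receive a `modified:` bump while the rules-emerging-threats files are set to 2024-11-23; if the repository's date check also covers deprecated/, the same bump is needed in these files.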
@@ -18,7 +18,7 @@ logsource: product: windows category: driver_load detection: - selection_sysmon: + selection: Hashes|contains: - 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3' - 'MD5=C832A4313FF082258240B61B88EFA025' @@ -26,17 +26,7 @@ detection: - 'SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46' - 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427' - 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B' - selection_other: - - md5: - - '9ab9f3b75a2eb87fafb1b7361be9dfb3' - - 'c832a4313ff082258240b61b88efa025' - - sha1: - - 'fe10018af723986db50701c8532df5ed98b17c39' - - '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46' - - sha256: - - '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427' - - 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b' - condition: 1 of selection* + condition: selection falsepositives: - Unknown level: high diff --git a/deprecated/windows/driver_load_win_vuln_hw_driver.yml b/deprecated/windows/driver_load_win_vuln_hw_driver.yml index 197602021de..cd053e89fc5 100644 --- a/deprecated/windows/driver_load_win_vuln_hw_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_hw_driver.yml @@ -28,19 +28,6 @@ detection: - 'MD5=3247014BA35D406475311A2EAB0C4657' - 'MD5=376B1E8957227A3639EC1482900D9B97' - 'MD5=45C2D133D41D2732F3653ED615A745C8' - selection_other: - - sha256: - - '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8' - - '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa' - - '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5' - - sha1: - - '74e4e3006b644392f5fcea4a9bae1d9d84714b57' - - '18f34a0005e82a9a1556ba40b997b0eae554d5fd' - - '4e56e0b1d12664c05615c69697a2f5c5d893058a' - - md5: - - '3247014ba35d406475311a2eab0c4657' - - '376b1e8957227a3639ec1482900d9b97' - - '45c2d133d41d2732f3653ed615a745c8' condition: 1 of selection* falsepositives: - Unknown 
diff --git a/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml b/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml index da246890da6..8beda59edd7 100644 --- a/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml @@ -16,16 +16,12 @@ logsource: category: driver_load product: windows detection: - selection_sysmon: + selection: Hashes|contains: - 'SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE' - 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F' - 'MD5=B941C8364308990EE4CC6EADF7214E0F' - selection_hash: - - sha256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' - - sha1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f' - - md5: 'b941c8364308990ee4cc6eadf7214e0f' - condition: 1 of selection* + condition: selection falsepositives: - Legitimate driver loads (old driver that didn't receive an update) level: high diff --git a/deprecated/windows/proc_creation_win_apt_gallium.yml b/deprecated/windows/proc_creation_win_apt_gallium.yml index 1fd597db581..d32ba2dc31e 100644 --- a/deprecated/windows/proc_creation_win_apt_gallium.yml +++ b/deprecated/windows/proc_creation_win_apt_gallium.yml @@ -25,7 +25,7 @@ detection: - ':\Program Files(x86)\' - ':\Program Files\' legitimate_executable: - sha1: 'e570585edc69f9074cb5e8a790708336bd45ca0f' + Hashes|contains: 'SHA1=e570585edc69f9074cb5e8a790708336bd45ca0f' condition: legitimate_executable and not legitimate_process_path falsepositives: - Unknown diff --git a/deprecated/windows/proc_creation_win_renamed_paexec.yml b/deprecated/windows/proc_creation_win_renamed_paexec.yml index ee7785188fd..742cbe8849b 100644 --- a/deprecated/windows/proc_creation_win_renamed_paexec.yml +++ b/deprecated/windows/proc_creation_win_renamed_paexec.yml 
@@ -21,11 +21,6 @@ logsource: detection: selection: - Product|contains: 'PAExec' - - Imphash: - - 11D40A7B7876288F919AB819CC2D9802 - - 6444f8a34e99b8f7d9647de66aabe516 - - dfd6aa3f7b2b1035b76b718f1ddc689f - - 1a6cca4d5460b1710a12dea39e4a592c - Hashes|contains: - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 diff --git a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml index f9741258feb..3e50597903c 100644 --- a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml +++ b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml @@ -7,7 +7,7 @@ references: - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml author: Tim Burrell date: 2020-02-07 -modified: 2023-03-09 +modified: 2024-11-23 tags: - attack.credential-access - attack.command-and-control @@ -19,7 +19,7 @@ logsource: product: windows category: process_creation detection: - selection_sysmon: + selection: Hashes|contains: - 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd' - 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b' 
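Review bot: After this hunk the GALLIUM rule's only selection is `Hashes|contains`, a field that carries only the algorithms enabled in the Sysmon `HashAlgorithms` configuration, yet the visible `logsource:` block has no `definition` saying so (line 18 is outside the hunk, so one may already exist there). The create_stream_hash rule in this same PR documents its requirement with `definition: 'Requirements: Sysmon config with Imphash logging activated'`; a parallel line such as `definition: 'Requirements: Sysmon config with MD5, SHA1 and SHA256 hash logging activated'` under `logsource:` would tell deployers why the rule stays silent on other process_creation sources now that the generic sha256/sha1/md5 selection is gone. The 3CX DLL hunk is in the same position, since `selection` is its only remaining selection and its visible `logsource:` block shows no definition either.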
@@ -59,48 +59,7 @@ detection: - 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f' - 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de' - 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2' - selection_hashes: - - sha256: - - '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd' - - '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b' - - '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5' - - '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29' - - '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77' - - 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3' - - '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022' - - '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883' - - '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e' - - '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7' - - 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1' - - '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c' - - '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945' - - '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9' - - '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79' - - '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf' - - '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08' - - '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef' - - '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070' - - sha1: - - '53a44c2396d15c3a03723fa5e5db54cafd527635' - - '9c5e496921e3bc882dc40694f1dcc3746a75db19' - - 'aeb573accfd95758550cf30bf04f389a92922844' - - '79ef78a797403a4ed1a616c68e07fff868a8650a' - - '4f6f38b4cec35e895d91c052b1f5a83d665c2196' - - '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d' - - 'e841a63e47361a572db9a7334af459ddca11347a' - - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d' - - '2e94b305d6812a9f96e6781c888e48c7fb157b6b' - - 
'dd44133716b8a241957b912fa6a02efde3ce3025' - - '8793bf166cb89eb55f0593404e4e933ab605e803' - - 'a39b57032dbb2335499a51e13470a7cd5d86b138' - - '41cc2b15c662bc001c0eb92f6cc222934f0beeea' - - 'd209430d6af54792371174e70e27dd11d3def7a7' - - '1c6452026c56efd2c94cea7e0f671eb55515edb0' - - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a' - - '4923d460e22fbbf165bbbaba168e5a46b8157d9f' - - 'f201504bd96e81d0d350c3a8332593ee1c9e09de' - - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' - condition: 1 of selection_* + condition: selection falsepositives: - Unknown level: high diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml index 05341bdc13f..a2e3c3f3a90 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml @@ -21,6 +21,7 @@ references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-03-31 +modified: 2024-11-23 tags: - attack.defense-evasion - detection.emerging-threats @@ -28,7 +29,7 @@ logsource: category: image_load product: windows detection: - selection_hashes_1: + selection: Hashes|contains: # ffmpeg.dll - 'SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896' 
@@ -46,23 +47,7 @@ detection: - 'SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423' - 'SHA1=3B3E778B647371262120A523EB873C20BB82BEAF' - 'MD5=7FAEA2B01796B80D180399040BB69835' - selection_hashes_2: - - sha256: - - '7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896' - - '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03' - - 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952' - - '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423' - - sha1: - - 'BF939C9C261D27EE7BB92325CC588624FCA75429' - - '20D554A80D759C50D6537DD7097FED84DD258B3E' - - '894E7D4FFD764BB458809C7F0643694B036EAD30' - - '3B3E778B647371262120A523EB873C20BB82BEAF' - - md5: - - '74BC2D0B6680FAA1A5A76B27E5479CBC' - - '82187AD3F0C6C225E2FBA0C867280CC9' - - '11BC82A9BD8297BD0823BCE5D6202082' - - '7FAEA2B01796B80D180399040BB69835' - condition: 1 of selection_* + condition: selection falsepositives: - Unlikely level: critical diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml index 187e04614a6..bc7941a8d4c 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml @@ -21,7 +21,7 @@ references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-03-29 -modified: 2023-03-31 +modified: 2024-11-23 tags: - attack.defense-evasion - attack.t1218 @@ -31,7 +31,7 @@ logsource: category: process_creation product: windows detection: - selection_hashes_1: + selection_hashes: Hashes|contains: # 3CX Desktop 18.12.407 - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC' 
@@ -60,41 +60,13 @@ detection: - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E' - 'MD5=F3D4144860CA10BA60F7EF4D176CC736' - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9' - selection_hashes_2: - - sha256: - - 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC' - - '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02' - - 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE' - - 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405' - - '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734' - - 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203' - - 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868' - - '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983' - - sha1: - - '480DC408EF50BE69EBCF84B95750F7E93A8A1859' - - '3B43A5D8B83C637D00D769660D01333E88F5A187' - - '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA' - - 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1' - - '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB' - - '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5' - - 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA' - - 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E' - - md5: - - 'BB915073385DD16A846DFA318AFA3C19' - - '08D79E1FFFA244CC0DC61F7D2036ACA9' - - '4965EDF659753E3C05D800C6C8A23A7A' - - '9833A4779B69B38E3E51F04E395674C6' - - '704DB9184700481A56E5100FB56496CE' - - '8EE6802F085F7A9DF7E0303E65722DC0' - - 'F3D4144860CA10BA60F7EF4D176CC736' - - '0EEB1C0133EB4D571178B2D9D14CE3E9' selection_pe_1: - OriginalFileName: '3CXDesktopApp.exe' - Image|endswith: '\3CXDesktopApp.exe' - Product: '3CX Desktop App' selection_pe_2: FileVersion|contains: '18.12.' - condition: all of selection_pe_* or 1 of selection_hashes_* + condition: all of selection_pe_* or selection_hashes falsepositives: - Legitimate usage of 3CXDesktopApp level: high 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml index 9391e7301af..eb61e2c691a 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml @@ -16,7 +16,7 @@ references: - https://github.com/wavestone-cdt/EDRSandblast author: Florian Roth (Nextron Systems) date: 2022-08-24 -modified: 2024-01-02 +modified: 2024-11-23 tags: - attack.defense-evasion - attack.s0139 
@@ -27,212 +27,109 @@ logsource: definition: 'Requirements: Sysmon config with Imphash logging activated' detection: selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam - - 3a19059bd7688cb88e70005f18efc439 # PetitPotam - - bf6223a49e45d99094406777eb6004ba # PetitPotam - - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz - - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz - - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz - - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz - - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz - - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz - - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz - - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz - - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz - - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz - - 9da6d5d77be11712527dcab86df449a3 # Mimikatz - - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz - - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz - - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz - - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz - - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato - - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato - - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG - - 6118619783fc175bc7ebecff0769b46e # RoguePotato - - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato - - 563233bfa169acc7892451f71ad5850a # RoguePotato - - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato - - 13f08707f759af6003837a150a371ba1 # Pwdump - - 1781f06048a7e58b323f0b9259be798b # Pwdump - - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump - - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump - - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump - - 713c29b396b907ed71a72482759ed757 # Pwdump - - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump - - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump - - 8b114550386e31895dfab371e741123d # Pwdump - - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX - - 9d68781980370e00e0bd939ee5e6c141 # Pwdump - - b18a1401ff8f444056d29450fbc0a6ce # Pwdump - - cb567f9498452721d77a451374955f5f # Pwdump - - 
730073214094cd328547bf1f72289752 # Htran - - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons - - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons - - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons - - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons - - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump - - 0588081ab0e63ba785938467e1b10cca # PPLDump - - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump - - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump - - 4da924cf622d039d58bce71cdf05d242 # NanoDump - - e7a3a5c377e2d29324093377d7db1c66 # NanoDump - - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump - - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump - - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump - - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump - - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump - - e6f9d5152da699934b30daab206471f6 # NanoDump - - 3ad59991ccf1d67339b319b15a41b35d # NanoDump - - ffdd59e0318b85a3e480874d9796d872 # NanoDump - - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump - - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump - - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz - - 0e2216679ca6e1094d63322e3412d650 # HandleKatz - - ada161bf41b8e5e9132858cb54cab5fb # DripLoader - - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader - - 11083e75553baae21dc89ce8f9a195e4 # DripLoader - - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader - - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump - - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi - - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi - - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi - - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi - - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi - - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi - - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi - - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi - - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi - - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi - - 3de09703c8e79ed2ca3f01074719906b 
# UACMe Akagi - - a53a02b997935fd8eedcb5f7abab9b9f # WCE - - e96a73c7bf33a464c510ede582318bf2 # WCE - - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers - - 09D278F9DE118EF09163C6140255C690 # Dumpert - - 03866661686829d806989e2fc5a72606 # Dumpert - - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte - - 19584675d94829987952432e018d5056 # SysmonQuiet - - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook - - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz - - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller - - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller - - 96df3a3731912449521f6f8d183279b1 # Backstab - - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab - - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab - - 25ce42b079282632708fc846129e98a5 # Forensia - - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast - - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast - - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast - - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast - - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast - - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast - - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast - - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer - - Hash|contains: # Sysmon field hashes contains all types - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam - - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam - - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz - - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz - - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz - - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz - - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz - - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz - - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz - - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz - - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz - - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz 
- - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz - - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz - - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz - - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz - - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato - - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG - - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato - - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato - - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump - - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump - - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump - - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump - - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump - - IMPHASH=730073214094CD328547BF1F72289752 # Htran - - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons - - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump - - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump - - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump - - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # 
NanoDump - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz - - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader - - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump - - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi - - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi - - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi - - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi - - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi - - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi - - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi - - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi - - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi - - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi - - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi - - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE - - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE - - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers - - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert - - 
IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert - - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte - - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet - - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook - - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz - - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller - - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller - - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab - - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab - - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab - - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia - - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast - - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast - - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast - - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast - - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast - - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast - - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast - - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer + Hash|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz + - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz + - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz + - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz + - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz + - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz + - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz + - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz + - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz + - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz + - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # 
Mimikatz + - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz + - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz + - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz + - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato + - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - 
IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump + - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump + - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # 
Dumpert
+ - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+ - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+ - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+ - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+ - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+ - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+ - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
+ - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
+ - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
+ - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
+ - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
+ - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
+ - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
+ - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
+ - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
+ - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
+ - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
+ - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
+ - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
index eccbd6cfe6d..e6987a0829a 100644
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
@@ -9,7 +9,7 @@ references:
- https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
-modified: 2023-05-08
+modified: 2024-11-23
tags:
- attack.privilege-escalation
- cve.2021-21551
@@ -18,21 +18,14 @@ logsource:
category: driver_load
product: windows
detection:
- selection_image:
- ImageLoaded|endswith: '\kprocesshacker.sys'
- selection_processhack_sysmon:
- Hashes|contains:
- - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
- - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
- - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
- - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
- selection_processhack_hashes:
- Imphash:
- - '821D74031D3F625BCBD0DF08B70F1E77'
- - 'F86759BB4DE4320918615DC06E998A39'
- - '0A64EEB85419257D0CE32BD5D55C3A18'
- - '6E7B34DFC017700B1517B230DF6FF0D0'
- condition: 1 of selection_*
+ selection:
+ - ImageLoaded|endswith: '\kprocesshacker.sys'
+ - Hashes|contains:
+ - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
+ - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
+ - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
+ - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
+ condition: selection
falsepositives:
- Legitimate use of process hacker or system informer by developers or system administrators
level: high
diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
index 10dfa7c4a5c..27b135255ad 100644
--- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
@@ -10,6 +10,7 @@ references:
- https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
+modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.t1543
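Review bot: The rewritten `selection` now depends on the Sysmon `Hashes` field alone for the hash alternative, and an `IMPHASH=` entry only appears there when the Sysmon HashAlgorithms configuration explicitly includes IMPHASH (or `*`) — the stock default computes SHA1 only — so on such hosts the hash branch can never fire and detection rests entirely on `ImageLoaded|endswith: '\kprocesshacker.sys'`. The same prerequisite applies to the `SHA256=` values in driver_load_win_pua_system_informer.yml and to the `IMPHASH=` values in driver_load_win_vuln_hevd_driver.yml, driver_load_win_vuln_winring0_driver.yml, driver_load_win_windivert.yml, image_load_hktl_sharpevtmute.yml (whose new `selection` has no non-hash alternative at all), proc_creation_win_hktl_coercedpotato.yml and proc_creation_win_hktl_createminidump.yml. Since dropping the dedicated `Imphash`/`sha256` fields is the point of the commit, I would only document the requirement, e.g. a comment above the list: `# Hash match requires Sysmon HashAlgorithms to include IMPHASH; otherwise only the ImageLoaded alternative applies`. The rule's `description` is outside the hunk and would be the other natural place for it.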
@@ -17,39 +18,23 @@ logsource:
category: driver_load
product: windows
detection:
- selection_image:
- ImageLoaded|endswith: '\SystemInformer.sys'
- selection_systeminformer_sysmon:
- Hashes|contains:
- - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
- - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
- - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
- - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
- - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
- - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
- - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
- - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
- - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
- - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
- - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
- - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
- - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
- selection_systeminformer_hashes:
- sha256:
- - '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24'
- - 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454'
- - '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d'
- - 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b'
- - '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d'
- - '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34'
- - '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89'
- - '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb'
- - 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b'
- - '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97'
- - 
'251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656'
- - 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4'
- - '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'
- condition: 1 of selection_*
+ selection:
+ - ImageLoaded|endswith: '\SystemInformer.sys'
+ - Hashes|contains:
+ - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
+ - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
+ - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
+ - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
+ - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
+ - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
+ - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
+ - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
+ - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
+ - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
+ - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
+ - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
+ - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
+ condition: selection
falsepositives:
- System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
index cd35b93aa20..6ea75fa8223 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-18
-modified: 2022-11-19
+modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.t1543.003
@@ -14,17 +14,12 @@ logsource:
product: windows
category: driver_load
detection:
- selection_name:
- ImageLoaded|endswith: '\HEVD.sys'
- selection_sysmon:
- Hashes|contains:
- - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
- - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
- selection_other:
- Imphash:
- - 'f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
- - 'c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
- condition: 1 of selection*
+ selection:
+ - ImageLoaded|endswith: '\HEVD.sys'
+ - Hashes|contains:
+ - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
+ - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
+ condition: selection
falsepositives:
- Unlikely
level: high
diff --git a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
index 56aa9a0e0ec..a844938bbf0 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
@@ -7,7 +7,7 @@ references:
- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
author: Florian Roth (Nextron Systems)
date: 2022-07-26
-modified: 2022-11-19
+modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.t1543.003
@@ -15,18 +15,15 @@ logsource:
product: windows
category: driver_load
detection:
- selection_name:
- ImageLoaded|endswith:
- - '\WinRing0x64.sys'
- - '\WinRing0.sys'
- - '\WinRing0.dll'
- - '\WinRing0x64.dll'
- - '\winring00x64.sys'
- selection_sysmon:
- Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
- selection_other:
- Imphash: 'd41fa95d4642dc981f10de36f4dc8cd7'
- condition: 1 of selection*
+ selection:
+ - Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
+ - ImageLoaded|endswith:
+ - '\WinRing0x64.sys'
+ - '\WinRing0.sys'
+ - '\WinRing0.dll'
+ - '\WinRing0x64.dll'
+ - '\winring00x64.sys'
+ condition: selection
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/driver_load/driver_load_win_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
index 43a6d033500..2b08c4ac885 100644
--- a/rules/windows/driver_load/driver_load_win_windivert.yml
+++ b/rules/windows/driver_load/driver_load_win_windivert.yml
@@ -7,7 +7,7 @@ references:
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-07-30
-modified: 2022-11-19
+modified: 2024-11-23
tags:
- attack.collection
- attack.defense-evasion
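Review bot: The new `selection` in driver_load_win_vuln_winring0_driver.yml lists `Hashes|contains` before `ImageLoaded|endswith`, the reverse of every other driver-load rule rewritten in this commit (process_hacker, system_informer, hevd and windivert all put the image-name alternative first) and of the old `selection_name`-first layout. Semantics are unchanged since the list of maps is OR-ed, so this is purely a readability point; I would move `- Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'` below the `'\winring00x64.sys'` entry so the rule reads like its siblings.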
@@ -18,54 +18,33 @@ logsource:
product: windows
detection:
selection:
- ImageLoaded|contains:
- - '\WinDivert.sys'
- - '\WinDivert64.sys'
- # Other used names
- - '\NordDivert.sys'
- - '\lingtiwfp.sys'
- - '\eswfp.sys'
- selection_sysmon:
- Hashes|contains:
- - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
- - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
- - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
- - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
- - 'IMPHASH=58623490691babe8330adc81cd04a663'
- - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
- - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
- - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
- - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
- - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
- - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
- - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
- - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
- - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
- - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
- - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
- - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
- - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
- selection_hashes:
- Imphash:
- - '0604bb7cb4bb851e2168d5c7d9399087'
- - '2e5f0e649d97f32b03c09e4686d0574f'
- - '52f8aa269f69f0edad9e8fcdaedce276'
- - 'c0e5d314da39dbf65a2dbff409cc2c76'
- - '58623490691babe8330adc81cd04a663'
- - '8ee39b48656e4d6b8459d7ba7da7438b'
- - '45ee545ae77e8d43fc70ede9efcd4c96'
- - 'a1b2e245acd47e4a348e1a552a02859a'
- - '2a5f85fe4609461c6339637594fa9b0a'
- - '6b2c6f95233c2914d1d488ee27531acc'
- - '9f2fdd3f9ab922bbb0560a7df46f4342'
- - 'd8a719865c448b1bd2ec241e46ac1c88'
- - '0ea54f8c9af4a2fe8367fa457f48ed38'
- - '9d519ae0a0864d6d6ae3f8b6c9c70af6'
- - 'a74929edfc3289895e3f2885278947ae'
- - 'a66b476c2d06c370f0a53b5537f2f11e'
- - 'bdcd836a46bc2415773f6b5ea77a46e4'
- - 'c28cd6ccd83179e79dac132a553693d9'
- condition: 1 of selection*
+ - ImageLoaded|contains:
+ - '\WinDivert.sys'
+ - '\WinDivert64.sys'
+ # Other used names
+ - '\NordDivert.sys'
+ - '\lingtiwfp.sys'
+ - '\eswfp.sys'
+ - Hashes|contains:
+ - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
+ - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
+ - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
+ - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
+ - 'IMPHASH=58623490691babe8330adc81cd04a663'
+ - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
+ - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
+ - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
+ - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
+ - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
+ - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
+ - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
+ - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
+ - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
+ - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
+ - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
+ - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
+ - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
+ condition: selection
falsepositives:
- Legitimate WinDivert driver usage
level: high
diff --git a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
index c105113960b..c6f4f0f3b0a 100644
--- a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
+++ b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
@@ -9,7 +9,7 @@ references:
- https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
-modified: 2023-02-17
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1562.002
@@ -18,8 +18,7 @@ logsource:
product: windows
detection:
selection:
- - Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
- - Imphash: '330768a4f172e10acb6287b87289d83b'
+ Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
condition: selection
falsepositives:
- Other DLLs with the same Imphash
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
index d8e5173d0c1..3b96f699e55 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
@@ -7,7 +7,7 @@ references:
- https://blog.hackvens.fr/articles/CoercedPotato.html
author: Florian Roth (Nextron Systems)
date: 2023-10-11
-modified: 2024-04-15
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.privilege-escalation
@@ -21,14 +21,10 @@ detection:
selection_params:
CommandLine|contains: ' --exploitId '
selection_loader_imphash:
- - Imphash:
- - 'a75d7669db6b2e107a44c4057ff7f7d6'
- - 'f91624350e2c678c5dcbe5e1f24e22c9'
- - '14c81850a079a87e83d50ca41c709a15'
- - Hashes|contains:
- - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
- - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
- - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
+ Hashes|contains:
+ - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
+ - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
+ - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
condition: 1 of selection_*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
index 843f4ac159d..3ce12edb2f5 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
@@ -6,7 +6,7 @@ references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
author: Florian Roth (Nextron Systems)
date: 2019-12-22
-modified: 2023-02-04
+modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
@@ -16,7 +16,6 @@ logsource:
detection:
selection:
- Image|endswith: '\CreateMiniDump.exe'
- - Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
- Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
condition: selection
falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index a1d8ff8d8a4..f58409ee183 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -6,7 +6,7 @@ references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
-modified: 2024-02-07
+modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1588.002
@@ -16,184 +16,95 @@ logsource: product: windows detection: selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam - - 3a19059bd7688cb88e70005f18efc439 # PetitPotam - - bf6223a49e45d99094406777eb6004ba # PetitPotam - - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato - - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato - - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG - - 6118619783fc175bc7ebecff0769b46e # RoguePotato - - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato - - 563233bfa169acc7892451f71ad5850a # RoguePotato - - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato - - 13f08707f759af6003837a150a371ba1 # Pwdump - - 1781f06048a7e58b323f0b9259be798b # Pwdump - - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump - - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump - - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump - - 713c29b396b907ed71a72482759ed757 # Pwdump - - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump - - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump - - 8b114550386e31895dfab371e741123d # Pwdump - - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX - - 9d68781980370e00e0bd939ee5e6c141 # Pwdump - - b18a1401ff8f444056d29450fbc0a6ce # Pwdump - - cb567f9498452721d77a451374955f5f # Pwdump - - 730073214094cd328547bf1f72289752 # Htran - - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons - - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons - - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons - - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons - - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump - - 0588081ab0e63ba785938467e1b10cca # PPLDump - - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump - - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump - - 4da924cf622d039d58bce71cdf05d242 # NanoDump - - e7a3a5c377e2d29324093377d7db1c66 # NanoDump - - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump - - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump - - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump - - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump - - 3ab3655e5a14d4eefc547f4781bf7f9e # 
NanoDump - - e6f9d5152da699934b30daab206471f6 # NanoDump - - 3ad59991ccf1d67339b319b15a41b35d # NanoDump - - ffdd59e0318b85a3e480874d9796d872 # NanoDump - - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump - - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump - - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz - - 0e2216679ca6e1094d63322e3412d650 # HandleKatz - - ada161bf41b8e5e9132858cb54cab5fb # DripLoader - - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader - - 11083e75553baae21dc89ce8f9a195e4 # DripLoader - - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader - - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump - - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi - - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi - - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi - - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi - - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi - - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi - - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi - - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi - - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi - - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi - - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi - - a53a02b997935fd8eedcb5f7abab9b9f # WCE - - e96a73c7bf33a464c510ede582318bf2 # WCE - - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers - - 09D278F9DE118EF09163C6140255C690 # Dumpert - - 03866661686829d806989e2fc5a72606 # Dumpert - - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte - - 19584675d94829987952432e018d5056 # SysmonQuiet - - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook - - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz - - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller - - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller - - 96df3a3731912449521f6f8d183279b1 # Backstab - - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab - - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab - - 25ce42b079282632708fc846129e98a5 # Forensia - - 
021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast - - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast - - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast - - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast - - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast - - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast - - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast - - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer - - b50199e952c875241b9ce06c971ce3c1 # EventLogCrasher - - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam - - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato - - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG - - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato - - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato - - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump - - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump - - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump - - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump - - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump - - IMPHASH=730073214094CD328547BF1F72289752 # Htran - - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt 
Strike beacons
- - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
- - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
+ Hashes|contains: # Sysmon field hashes contains all types
+ - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
+ - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
+ - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
+ - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
+ - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
+ - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
+ - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
+ - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
+ - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
+ - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
+ - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
+ - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
+ - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
+ - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
+ - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
+ - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
+ - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
+ - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
+ - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
+ - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
+ - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
+ - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
+ - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
+ - IMPHASH=730073214094CD328547BF1F72289752 # Htran
+ - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
+ - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
+ - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
+ - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
+ - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
+ - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
+ - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
+ - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
+ - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
+ - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
+ - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
+ - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
+ - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
+ - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
+ - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
+ - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
+ - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
+ - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
+ - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
+ - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
+ - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
+ - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
+ - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
+ - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
+ - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
+ - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
+ - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+ - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
+ - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
+ - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
+ - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
+ - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
+ - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
+ - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
+ - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
+ - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
+ - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
+ - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
+ - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
+ - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
+ - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
+ - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
+ - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
+ - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
+ - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+ - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+ - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+ - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+ - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+ - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+ - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
+ - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
+ - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
+ - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
+ - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
+ - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
+ - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
+ - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
+ - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
+ - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
+ - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
+ - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
+ - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
+ - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
condition: selection
falsepositives:
- Legitimate use of one of these tools
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
index 37472dfda27..6c08ebdcc76 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
@@ -6,7 +6,7 @@ references:
- http://www.gmer.net/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-05
-modified: 2023-02-13
+modified: 2024-11-23
tags:
- attack.defense-evasion
logsource:
@@ -20,10 +20,6 @@ detection:
- 'MD5=E9DC058440D321AA17D0600B3CA0AB04'
- 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
- 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
- selection_other:
- - md5: 'e9dc058440d321aa17d0600b3ca0ab04'
- - sha1: '539c228b6b332f5aa523e5ce358c16647d8bbe57'
- - sha256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
condition: 1 of selection_*
falsepositives:
- Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
index 96532d62d1c..5037f155aac 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
-modified: 2024-04-15
+modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
@@ -18,12 +18,9 @@ detection:
Image|endswith: '\loader.exe'
CommandLine|contains: '--pid:'
selection_loader_imphash:
- - Imphash:
- - '38d9e015591bbfd4929e0d0f47fa0055'
- - '0e2216679ca6e1094d63322e3412d650'
- - Hashes|contains:
- - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
- - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
+ Hashes|contains:
+ - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
+ - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
selection_flags:
CommandLine|contains|all:
- '--pid:'
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
index 6e60530eb8a..37cef8dcf51 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
@@ -7,7 +7,7 @@ references:
- https://github.com/sensepost/impersonate
author: Sai Prashanth Pulisetti @pulisettis
date: 2022-12-21
-modified: 2023-02-08
+modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.defense-evasion
@@ -24,16 +24,12 @@ detection:
- ' list '
- ' exec '
- ' adduser '
- selection_hash_plain:
+ selection_hash:
Hashes|contains:
- 'MD5=9520714AB576B0ED01D1513691377D01'
- 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
- 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
- selection_hash_ext:
- - md5: '9520714AB576B0ED01D1513691377D01'
- - sha256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
- - Imphash: '0A358FFC1697B7A07D0E817AC740DF62'
- condition: all of selection_commandline_* or 1 of selection_hash_*
+ condition: all of selection_commandline_* or selection_hash
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
index 0562b0755b1..546fc5bbb6f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
@@ -7,6 +7,7 @@ references:
- https://github.com/decoder-it/LocalPotato
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.privilege-escalation
@@ -25,10 +26,6 @@ detection:
Hashes|contains:
- 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
- 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
- selection_hash_ext:
- Imphash:
- - 'E1742EE971D6549E8D4D81115F88F1FC'
- - 'DD82066EFBA94D7556EF582F247C8BB5'
condition: 1 of selection_*
falsepositives:
- Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
index 73034df1690..9b6aad13359 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
@@ -8,7 +8,7 @@ references:
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-10-10
-modified: 2023-02-13
+modified: 2024-11-23
tags:
- attack.execution
- attack.discovery
@@ -38,19 +38,6 @@ detection:
- 'MD5=228DD0C2E6287547E26FFBD973A40F14'
- 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
- 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
- selection_hash_values:
- - md5:
- - '228dd0c2e6287547e26ffbd973a40f14'
- - '987b65cd9b9f4e9a1afd8f8b48cf64a7'
- - sha1:
- - '5f1cbc3d99558307bc1250d084fa968521482025'
- - '3fb89787cb97d902780da080545584d97fb1c2eb'
- - sha256:
- - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
- - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
- - Imphash:
- - '444d210cea1ff8112f256a4997eed7ff'
- - '0479f44df47cfa2ef1ccc4416a538663'
condition: 1 of selection_*
falsepositives:
- Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
index 3adbb501d27..619cac573fc 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
@@ -9,7 +9,7 @@ references:
- https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
author: Florian Roth (Nextron Systems)
date: 2022-07-23
-modified: 2023-03-07
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1134.004
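Review bot: The removed `selection_hash_values` block in the PCHunter hunk carries values that are not among the `Hashes|contains` context lines shown here — md5 `987b65cd9b9f4e9a1afd8f8b48cf64a7`, sha1 `5f1cbc3d99558307bc1250d084fa968521482025` and `3fb89787cb97d902780da080545584d97fb1c2eb`, sha256 `2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32` and imphash `444d210cea1ff8112f256a4997eed7ff`. The retained `Hashes|contains` list starts above the hunk, so these may already be present there as `MD5=`/`SHA1=`/`SHA256=`/`IMPHASH=` entries; if they are not, the commit quietly narrows what the rule detects and they should be added to that list before the dedicated fields are dropped. The UACMe hunk further down has the same shape: eleven imphash values are removed while only the last three appear in the visible `IMPHASH=` context, so the lines above that hunk deserve the same check.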
@@ -37,11 +37,6 @@ detection:
- 'spoofppid'
- 'spoofedppid'
- Description: 'SelectMyParent'
- - Imphash:
- - '04d974875bd225f00902b4cad9af3fbc'
- - 'a782af154c9e743ddf3f3eb2b8f3d16e'
- - '89059503d7fbf470e68f7e63313da3ad'
- - 'ca28337632625c8281ab8a130b3d6bad'
- Hashes|contains:
- 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
- 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
index bf261ee3de5..c700138b6af 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
@@ -6,6 +6,7 @@ references:
- https://github.com/mgeeky/Stracciatella
author: pH-T (Nextron Systems)
date: 2023-04-17
+modified: 2024-11-23
tags:
- attack.execution
- attack.defense-evasion
@@ -22,9 +23,6 @@ detection:
- Hashes|contains:
- 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
- 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
- - sha256:
- - '9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
- - 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
index 479fd4e84a9..d9bdcabccd1 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/Wh04m1001/SysmonEoP
author: Florian Roth (Nextron Systems)
date: 2022-12-04
-modified: 2024-04-15
+modified: 2024-11-23
tags:
- cve.2022-41120
- attack.t1068
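Review bot: After the removal in the Stracciatella hunk, `selection` is a list with a single `- Hashes|contains:` item, so the leading dash no longer expresses an alternative; the HandleKatz, SysmonEOP, WCE, AdFind and AutoIt hunks in this same commit flatten that shape to a plain map, and this rule should match them: `selection:` / `Hashes|contains:` / `- 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'` with the second `SHA256=` line below it. Matching semantics are unchanged either way; this is a consistency point only.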
@@ -18,12 +18,9 @@ detection:
selection_img:
Image|endswith: '\SysmonEOP.exe'
selection_hash:
- - Hashes|contains:
- - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
- - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
- - Imphash:
- - '22f4089eb8aba31e1bb162c6d9bf72e5'
- - '5123fa4c4384d431cd0d893eeb49bbec'
+ Hashes|contains:
+ - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
+ - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
condition: 1 of selection_*
falsepositives:
- Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
index 26f73345f5e..de6f7fea237 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2021-08-30
-modified: 2022-11-19
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.privilege-escalation
@@ -46,19 +46,6 @@ detection:
- 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
- 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
- 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
- selection_hashes_other:
- Imphash:
- - '767637c23bb42cd5d7397cf58b0be688'
- - '14c4e4c72ba075e9069ee67f39188ad8'
- - '3c782813d4afce07bbfc5a9772acdbdc'
- - '7d010c6bb6a3726f327f7e239166d127'
- - '89159ba4dd04e4ce5559f132a9964eb3'
- - '6f33f4a5fc42b8cec7314947bd13f30f'
- - '5834ed4291bdeb928270428ebbaf7604'
- - '5a8a8a43f25485e7ee1b201edcbc7a38'
- - 'dc7d30b90b2d8abf664fbed2b1b59894'
- - '41923ea1f824fe63ea5beb84db7a3e74'
- - '3de09703c8e79ed2ca3f01074719906b'
condition: 1 of selection_*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
index 71036a587a1..df6647bdebe 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
@@ -6,7 +6,7 @@ references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
-modified: 2023-02-04
+modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
@@ -16,12 +16,9 @@ logsource:
product: windows
detection:
selection_1:
- - Imphash:
- - a53a02b997935fd8eedcb5f7abab9b9f
- - e96a73c7bf33a464c510ede582318bf2
- - Hashes|contains: # Sysmon field hashes contains all types
- - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
- - IMPHASH=e96a73c7bf33a464c510ede582318bf2
+ Hashes|contains: # Sysmon field hashes contains all types
+ - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
+ - IMPHASH=e96a73c7bf33a464c510ede582318bf2
selection_2:
CommandLine|endswith: '.exe -S'
ParentImage|endswith: '\services.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
index b68553abebc..d1d47f27357 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
@@ -7,7 +7,7 @@ references:
- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
author: Florian Roth (Nextron Systems)
date: 2022-01-11
-modified: 2022-03-04
+modified: 2024-11-23
tags:
- attack.execution
- attack.defense-evasion
@@ -18,7 +18,6 @@ logsource:
detection:
selection_binary:
- Image|endswith: '\mpiexec.exe'
- - Imphash: 'd8b52ef6aaa3a81501bdfff9dbb96217'
- Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
selection_flags:
CommandLine|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_pua_frp.yml b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
index 19b5098c00a..b0e07ad75bb 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_frp.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
@@ -7,7 +7,7 @@ references:
- https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
-modified: 2023-02-04
+modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
@@ -23,13 +23,10 @@ detection:
CommandLine|contains: '\frpc.ini'
selection_hashes:
# v0.44.0
- - Hashes|contains:
- - "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- - "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
- - md5: '7d9c233b8c9e3f0ea290d2b84593c842'
- - sha1: '06ddc9280e1f1810677935a2477012960905942f'
- - sha256: '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'
+ Hashes|contains:
+ - "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
+ - "SHA1=06DDC9280E1F1810677935A2477012960905942F"
+ - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
condition: 1 of selection_*
falsepositives:
- Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_pua_iox.yml b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
index 3c4738818ba..d0c0ab9c543 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_iox.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/EddieIvan01/iox
author: Florian Roth (Nextron Systems)
date: 2022-10-08
-modified: 2023-02-08
+modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
@@ -24,13 +24,10 @@ detection:
- '.exe proxy -r '
selection_hashes:
# v0.4
- - Hashes|contains:
- - "MD5=9DB2D314DD3F704A02051EF5EA210993"
- - "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
- - "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
- - md5: '9db2d314dd3f704a02051ef5ea210993'
- - sha1: '039130337e28a6623ecf9a0a3da7d92c5964d8dd'
- - sha256: 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'
+ Hashes|contains:
+ - "MD5=9DB2D314DD3F704A02051EF5EA210993"
+ - "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
+ - "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
condition: 1 of selection*
falsepositives:
- Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
index 3d3f0b8aa12..868659ae65e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
-modified: 2023-02-13
+modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1105
@@ -21,10 +21,6 @@ detection:
- MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
- SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
- IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
- selection_hash:
- - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B
- - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
- - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45
condition: 1 of selection_*
falsepositives:
- Legitimate use of Nim on a developer systems
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nps.yml b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
index f696f7a32ce..03077d5d981 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nps.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/ehang-io/nps
author: Florian Roth (Nextron Systems)
date: 2022-10-08
-modified: 2023-02-04
+modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
@@ -25,13 +25,10 @@ detection:
CommandLine|contains: ' -config=npc'
selection_hashes:
# v0.26.10
- - Hashes|contains:
- - "MD5=AE8ACF66BFE3A44148964048B826D005"
- - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
- - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
- - md5: 'ae8acf66bfe3a44148964048b826d005'
- - sha1: 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181'
- - sha256: '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856'
+ Hashes|contains:
+ - "MD5=AE8ACF66BFE3A44148964048B826D005"
+ - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
+ - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
condition: 1 of selection_*
falsepositives:
- Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
index 485cd79ae4c..f56f78b169d 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
@@ -13,7 +13,7 @@ references:
- https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
author: Florian Roth (Nextron Systems)
date: 2022-10-10
-modified: 2023-12-11
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.discovery
@@ -26,7 +26,7 @@ logsource:
category: process_creation
product: windows
detection:
- selection_image:
+ selection:
- Image|contains: '\ProcessHacker_'
- Image|endswith: '\ProcessHacker.exe'
- OriginalFileName:
@@ -34,30 +34,16 @@ detection:
- 'Process Hacker'
- Description: 'Process Hacker'
- Product: 'Process Hacker'
- selection_hashes:
- Hashes|contains:
- - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
- - 'MD5=B365AF317AE730A67C936F21432B9C71'
- - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
- - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
- - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
- - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
- - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
- - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
- selection_hash_values:
- - md5:
- - '68f9b52895f4d34e74112f3129b3b00d'
- - 'b365af317ae730a67c936f21432b9c71'
- - sha1:
- - 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e'
- - 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d'
- - sha256:
- - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f'
- - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4'
- - Imphash:
- - '04de0ad9c37eb7bd52043d2ecac958df'
- - '3695333c60dedecdcaff1590409aa462'
- condition: 1 of selection_*
+ - Hashes|contains:
+ - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
+ - 'MD5=B365AF317AE730A67C936F21432B9C71'
+ - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
+ - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
+ - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
+ - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
+ - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
+ - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
+ condition: selection
falsepositives:
- While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
index 42420aa9b2e..9d599252d2d 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
@@ -9,6 +9,7 @@ references:
- https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
+modified: 2024-11-23
tags:
- attack.persistence
- attack.privilege-escalation
@@ -21,25 +22,19 @@ logsource:
category: process_creation
product: windows
detection:
- selection_image:
+ selection:
- Image|endswith: '\SystemInformer.exe'
- OriginalFileName: 'SystemInformer.exe'
- Description: 'System Informer'
- Product: 'System Informer'
- selection_hashes:
- Hashes|contains:
- # Note: add other hashes as needed
- # 3.0.11077.6550
- - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
- - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
- - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
- - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
- selection_hash_values:
- - md5: '19426363A37C03C3ED6FEDF57B6696EC'
- - sha1: '8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
- - sha256: '8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
- - Imphash: 'B68908ADAEB5D662F87F2528AF318F12'
- condition: 1 of selection_*
+ - Hashes|contains:
+ # Note: add other hashes as needed
+ # 3.0.11077.6550
+ - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
+ - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
+ - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
+ - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
+ condition: selection
falsepositives:
- System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
index 88b2be2998d..abfab0a376f 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
@@ -6,7 +6,7 @@ references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
-modified: 2023-03-05
+modified: 2024-11-23
tags:
- attack.defense-evasion
logsource:
@@ -17,7 +17,6 @@ detection:
- Image|endswith: '\client32.exe'
- Product|contains: 'NetSupport Remote Control'
- OriginalFileName|contains: 'client32.exe'
- - Imphash: a9d50692e95b79723f3e76fcf70d023e
- Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
filter:
Image|startswith:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
index ea6b2b07db3..a0d2faf5987 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
@@ -11,7 +11,7 @@ references:
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
-modified: 2023-02-14
+modified: 2024-11-23
tags:
- attack.discovery
- attack.t1018
@@ -44,12 +44,9 @@ detection:
- 'computers_active'
- 'computers_pwdnotreqd'
selection_2:
- - Imphash:
- - bca5675746d13a1f246e2da3c2217492
- - 53e117a96057eaf19c41380d0e87f1c2
- - Hashes|contains:
- - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
- - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
+ Hashes|contains:
+ - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
+ - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
selection_3:
OriginalFileName: 'AdFind.exe'
filter:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
index 71266141e31..c3dd2775f99 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
@@ -10,7 +10,7 @@ references:
- https://www.autoitscript.com/site/
author: Florian Roth (Nextron Systems)
date: 2023-06-04
-modified: 2023-09-19
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1027
@@ -23,14 +23,10 @@ detection:
- ' /AutoIt3ExecuteScript'
- ' /ErrorStdOut'
selection_2:
- - Imphash:
- - 'fdc554b3a8683918d731685855683ddf' # AutoIt v2 - doesn't cover all binaries
- - 'cd30a61b60b3d60cecdb034c8c83c290' # AutoIt v2 - doesn't cover all binaries
- - 'f8a00c72f2d667d2edbb234d0c0ae000' # AutoIt v3 - doesn't cover all binaries
- - Hashes|contains:
- - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries
- - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries
- - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries
+ Hashes|contains:
+ - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries
+ - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries
+ - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries
selection_3:
OriginalFileName:
- 'AutoIt3.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
index b0ac2fd5ddf..41b356c4447 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -6,7 +6,7 @@ references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
-modified: 2023-02-04
+modified: 2024-11-23
tags:
- attack.defense-evasion
logsource:
@@ -16,7 +16,6 @@ detection:
selection:
- Product|contains: 'NetSupport Remote Control'
- OriginalFileName|contains: 'client32.exe'
- - Imphash: a9d50692e95b79723f3e76fcf70d023e
- Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
filter:
Image|endswith: '\client32.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
index 0866f475618..bc58e99e819 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
@@ -10,7 +10,7 @@ references:
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
author: Florian Roth (Nextron Systems), Jason Lynch
date: 2021-05-22
-modified: 2023-02-14
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1202
@@ -22,20 +22,15 @@ detection:
- Description: 'PAExec Application'
- OriginalFileName: 'PAExec.exe'
- Product|contains: 'PAExec'
- - Imphash:
- - 11D40A7B7876288F919AB819CC2D9802
- - 6444f8a34e99b8f7d9647de66aabe516
- - dfd6aa3f7b2b1035b76b718f1ddc689f
- - 1a6cca4d5460b1710a12dea39e4a592c
- Hashes|contains:
- IMPHASH=11D40A7B7876288F919AB819CC2D9802
- IMPHASH=6444f8a34e99b8f7d9647de66aabe516
- IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
- IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
- filter:
+ filter_main_known_location:
- Image|endswith: '\paexec.exe'
- Image|startswith: 'C:\Windows\PAExec-'
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
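Review bot: The `filter` → `filter_main_known_location` rename and the rewritten `condition: selection and not 1 of filter_main_*` in the PAExec hunk are unrelated to the hash-field cleanup this commit describes and would be easier to review and bisect as their own change. Separately, the retained `Hashes|contains` list mixes cases, `IMPHASH=11D40A7B7876288F919AB819CC2D9802` next to `IMPHASH=6444f8a34e99b8f7d9647de66aabe516`; Sigma string matching is case-insensitive by default so detection is unaffected, but upper-casing the three lower-case entries would match the convention the other rules in this commit follow.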
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
index 305acaae6fb..6799b2ebe4c 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
@@ -9,7 +9,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Markus Neis, Florian Roth
date: 2019-01-16
-modified: 2023-02-15
+modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1047
@@ -24,10 +24,6 @@ detection:
selection_pe:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
- - Imphash:
- - 1B1A3F43BF37B5BFE60751F2EE2F326E
- - 37777A96245A3C74EB217308F3546F4C
- - 9D87C9D67CE724033C0B40CC4CA1B206
- Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
- IMPHASH=37777A96245A3C74EB217308F3546F4C
diff --git a/tests/test_logsource.py b/tests/test_logsource.py
index e5426ae4382..022836c34f3 100644
--- a/tests/test_logsource.py
+++ b/tests/test_logsource.py
@@ -282,22 +282,22 @@ def load_fields_json(name: str):
# Add common field
for product in data:
for category in data[product]["category"]:
- if "Hashes" in data[product]["category"][category]:
- data[product]["category"][category] += [
- "md5",
- "sha1",
- "sha256",
- "Imphash",
- ]
- if (
- "Hash" in data[product]["category"][category]
- ): # Sysmon 15 create_stream_hash
- data[product]["category"][category] += [
- "md5",
- "sha1",
- "sha256",
- "Imphash",
- ]
+ # if "Hashes" in data[product]["category"][category]:
+ # data[product]["category"][category] += [
+ # "md5",
+ # "sha1",
+ # "sha256",
+ # "Imphash",
+ # ]
+ # if (
+ # "Hash" in data[product]["category"][category]
+ # ): # Sysmon 15 create_stream_hash
+ # data[product]["category"][category] += [
+ # "md5",
+ # "sha1",
+ # "sha256",
+ # "Imphash",
+ # ]
if "common" in data[product].keys():
data[product]["category"][category] += data[product]["common"]
for service in data[product]["service"]:
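Review bot: The sixteen lines at the top of this hunk are kept as commented-out code instead of being deleted; git history already preserves the old behaviour, and the dead block hides the fact that `md5`, `sha1`, `sha256` and `Imphash` are now deliberately rejected as field names by this check. Replace the two commented-out `if` blocks with a one-line comment that states the rule, e.g. `# Dedicated md5/sha1/sha256/Imphash fields are intentionally not accepted; rules match on Hashes|contains instead.` `load_fields_json` starts and continues outside the hunk.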