- rule_id: 503
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1638350429925
- modify_time: 1638350456574
- severity: SEV_030_MEDIUM
- source: frank.bussink@scrt.ch
- comment: Privesc cdpsgshims.dll
- status: ENABLED
- category: PRIVILEGE_ESCALATION
-
- runOnCGO: False
- investigationType: FILE_EVENT
-
- SEARCH_FIELD: event_sub_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 1
- isExtended: False
- SEARCH_FIELD: event_sub_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 2
- isExtended: False
- SEARCH_FIELD: event_sub_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 3
- isExtended: False
- SEARCH_FIELD: event_sub_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 6
- isExtended: False
- SEARCH_FIELD: action_file_name
- SEARCH_TYPE: EQ
- SEARCH_VALUE: cdpsgshims.dll
-
- isExtended: False
- node: attributes
- indicator_md5: a5d8fbe26ddbd7f48f8b4f660ed52866
- indicator_text: File action type = create, read, rename, write AND file name = cdpsgshims.dll
- name: SCRT cdpsgshims.dll created to disk
- mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
- mitre_tactic_id_and_name: TA0004 - Privilege Escalation
- mitre_tactic_id: TA0004
- mitre_technique_id: T1574.001
-
- action: block
- friendlyName: SCRT cdpsgshims.dll created to disk
-
- 0: TA0004
-
- 0: T1574.001
- biocRuleName: SCRT cdpsgshims.dll created to disk
- biocId: 503
- additionalData: {}
- rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?file_create_new) (eq ?sub_type ?file_open) (eq ?sub_type ?file_rename) (eq ?sub_type ?file_write)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid))))
-
- action: block
- friendlyName: SCRT cdpsgshims.dll created to disk
-
- 0: TA0004
-
- 0: T1574.001
- biocRuleName: SCRT cdpsgshims.dll created to disk
- biocId: 503
- additionalData: {}
- rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?file_create_new) (eq ?sub_type ?file_open) (eq ?sub_type ?file_rename) (eq ?sub_type ?file_write)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid))))
-
- action: block
- friendlyName: SCRT cdpsgshims.dll created to disk
-
- 0: TA0004
-
- 0: T1574.001
- biocRuleName: SCRT cdpsgshims.dll created to disk
- biocId: 503
- additionalData: {}
- rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?file_create_new) (eq ?sub_type ?file_open) (eq ?sub_type ?file_rename) (eq ?sub_type ?file_write)) (eq (lowcase ?file_name) "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid))))
- btp_rule_name: file_operation_503
- is_preventable: 1
- supported_os: 7
- btp_validation_error: None
- xql: None
- is_xql: False
- query_tables: None
- rule_id: 502
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1638350268266
- modify_time: 1638353935456
- severity: SEV_040_HIGH
- source: frank.bussink@scrt.ch
- comment: Created by F. Bussink SCRT
- status: ENABLED
- category: EXECUTION
-
- runOnCGO: True
- investigationType: PROCESS_EXECUTION_EVENT
-
- SEARCH_FIELD: agent_os_type
- SEARCH_TYPE: NEQ
- SEARCH_VALUE: 4
-
- isExtended: False
- node: xdr_agent
- SEARCH_FIELD: action_process_signature_status
- SEARCH_TYPE: COMPLEX_EQ
- SEARCH_VALUE: {"COLLECTION_TYPE": "SIGNATURE_STATUS", "COLLECTION_VALUE": "SIGNATURE_SIGNED"}
-
- isExtended: False
- SEARCH_FIELD: action_process_signature_vendor
- SEARCH_TYPE: REGEX
- SEARCH_VALUE: Jetico.*
-
- isExtended: False
- indicator_md5: ca1b0c73d6ed6af725f54b8f6165913f
- indicator_text: Process action type = execution AND process execution signature = Signed AND process execution signer =~ Jetico.* Host host os != linux
- name: SCRT JETICO Signed binary
- mitre_technique_id_and_name:
- mitre_tactic_id_and_name:
- mitre_tactic_id:
- mitre_technique_id:
-
- action: block
- friendlyName: SCRT JETICO Signed binary
-
- biocRuleName: SCRT JETICO Signed binary
- biocId: 502
- additionalData: {}
- rule_data: (deftemplate process_start_502 (slot cid)) (defrule process_start_502 (process_start (is_sign ?is_sign) (cid ?cid) (signer_name ?signer_name &: (and (eq ?is_sign ?signature_state_signed) (regex (lowcase ?signer_name) "jetico.*" 0)))) (not (process_start_502 (cid ?cid))) => (assert (process_start_502 (cid ?cid))))
- btp_rule_name: process_start_502
- is_preventable: 1
- supported_os: 1
- btp_validation_error: WINDOWS_SUPPORT_ONLY
- xql: None
- is_xql: False
- query_tables: None
- rule_id: 393
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1684854242506
- modify_time: 1684854242506
- severity: SEV_040_HIGH
- source: frank.bussink@e-xpertsolutions.com
- comment: This is trigguered when a TGS has been request for the canary account (in attempt to bruteforce the password)
- status: ENABLED
- category: CREDENTIAL_ACCESS
- indicator: None
- indicator_md5: 8b554c9ad93cfd962b8cfa237fc99914
- indicator_text: dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4769
| alter ServiceName = json_extract(action_evtlog_data_fields,"$.ServiceName")
| alter ServiceName = trim(ServiceName,""")
| alter TicketEncryptionType = json_extract(action_evtlog_data_fields,"$.TicketEncryptionType")
| alter TicketOptions= json_extract(action_evtlog_data_fields,"$.TicketOptions")
| alter TargetUserName= json_extract(action_evtlog_data_fields,"$.TargetUserName")
| alter IpAddress= json_extract(action_evtlog_data_fields,"$.IpAddress")
| alter TicketEncryptionTypeName = ""
| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x1", "DES-CBC-CRC", TicketEncryptionTypeName)
| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x3", "DES-CBC-MD5", TicketEncryptionTypeName )
| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x11", "AES128-CTS-HMAC-SHA1-96", TicketEncryptionTypeName)
| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x12", "AES256-CTS-HMAC-SHA1-96", TicketEncryptionTypeName)
| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x17", "RC4-HMAC", TicketEncryptionTypeName)
| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x18", "RC4-HMAC-EXP", TicketEncryptionTypeName)
| alter TicketOptionsName = ""
| alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810010", "Forwardable, Renewable, Canonicalize, Renewable-ok", TicketOptionsName)
| alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810000", "Forwardable, Renewable, Canonicalize", TicketOptionsName)
| alter TicketOptionsName = if(TicketOptions CONTAINS "0x60810010", "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok", TicketOptionsName)
| filter (ServiceName = "sqlsvc")
- name: BIOC-Kerberoasting Canary account
- mitre_technique_id_and_name: T1003 - OS Credential Dumping
- mitre_tactic_id_and_name: TA0006 - Credential Access
- mitre_tactic_id: TA0006
- mitre_technique_id: T1003
- btp_rule: None
- btp_rule_name: None
- is_preventable: 0
- supported_os: None
- btp_validation_error: None
- xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"AND": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.EVENT_LOG", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_evtlog_event_id", "OPERATOR": "EQ", "RIGHT": 4769, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.ServiceName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "string_trim", "parameters": ["$ServiceName", """]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionType", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketEncryptionType"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptions", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketOptions"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TargetUserName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TargetUserName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "IpAddress", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.IpAddress"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x1", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-CRC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x3", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-MD5"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x11", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES128-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x12", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES256-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x17", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x18", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC-EXP"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810000", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x60810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$ServiceName", "OPERATOR": "EQ", "RIGHT": "sqlsvc", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]}
- is_xql: True
- query_tables: ["xdr_data"]
- rule_indicator_last_modified_ts: 1684854242506
- rule_id: 388
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1683118061196
- modify_time: 1694168591898
- severity: SEV_040_HIGH
- source: frank.bussink@e-xpertsolutions.com
- comment: SCRT BIOC to detect MS-EFSR RPC calls
- status: ENABLED
- category: CREDENTIAL_ACCESS
- indicator: None
- indicator_md5: f6473e3c9013984ff967251d17884890
- indicator_text: dataset = xdr_data
| filter EVENT_TYPE = RPC_CALL
| filter event_rpc_interface_uuid = "{C681D488-D850-11D0-8C52-00C04FD90F7E}"
| filter ((action_rpc_func_opnum = 0) or (action_rpc_func_opnum = 4) or (action_rpc_func_opnum = 5) or (action_rpc_func_opnum = 6) or (action_rpc_func_opnum = 7) or (action_rpc_func_opnum = 8) or (action_rpc_func_opnum = 9) or (action_rpc_func_opnum = 12) or (action_rpc_func_opnum = 13) or(action_rpc_func_opnum = 15))
- name: BIOC-PetitPotam-Authentication-Coercer
- mitre_technique_id_and_name: T1003 - OS Credential Dumping
- mitre_tactic_id_and_name: TA0006 - Credential Access
- mitre_tactic_id: TA0006
- mitre_technique_id: T1003
- btp_rule: None
- btp_rule_name: None
- is_preventable: 0
- supported_os: 0
- btp_validation_error: UNSUPPORTED_XQL
- xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{C681D488-D850-11D0-8C52-00C04FD90F7E}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 0, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 4, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 5, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 6, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 7, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 8, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 9, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 13, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 15, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]}
- is_xql: True
- query_tables: ["xdr_data"]
- rule_indicator_last_modified_ts: 1694168591976
- status_changed_by: None
- status_changed_at: None
- last_status_change_reason: None
- rule_id: 397
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1694169318013
- modify_time: 1694169318013
- severity: SEV_040_HIGH
- source: frank.bussink@e-xpertsolutions.com
- comment: E-XpertSolutions BIOC to detect Coerce project
- status: ENABLED
- category: CREDENTIAL_ACCESS
- indicator: None
- indicator_md5: 584883bf13f35adb2d803c0525401140
- indicator_text: dataset = xdr_data
| filter EVENT_TYPE = RPC_CALL
| filter event_rpc_interface_uuid = "{82273FDC-E32A-18C3-3F78-827929DC23EA}"
| filter (action_rpc_func_opnum = 9)
- name: BIOC-PetitPotam-EventLog-ElfrOpenBELW
- mitre_technique_id_and_name: T1003 - OS Credential Dumping
- mitre_tactic_id_and_name: TA0006 - Credential Access
- mitre_tactic_id: TA0006
- mitre_technique_id: T1003
- btp_rule: None
- btp_rule_name: None
- is_preventable: 0
- supported_os: None
- btp_validation_error: None
- xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{82273FDC-E32A-18C3-3F78-827929DC23EA}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 9, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]}
- is_xql: True
- query_tables: ["xdr_data"]
- rule_indicator_last_modified_ts: 1694169318013
- status_changed_by: None
- status_changed_at: None
- last_status_change_reason: None
- rule_id: 537
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1658410759398
- modify_time: 1658410759398
- severity: SEV_020_LOW
- source: frank.bussink@scrt.ch
- comment: SCRT rule to detect Authentication Coerce PetitPotam on MS-DFSNM Op 12 or Op 13
- status: ENABLED
- category: CREDENTIAL_ACCESS
- indicator: None
- indicator_md5: a8d61ecc099487a2152fe07ca680bf06
- indicator_text: dataset = xdr_data
| filter event_type = ENUM.RPC_CALL
| filter (event_rpc_interface_uuid = "{4FC742E0-4A10-11CF-8273-00AA004AE673}" )
| filter ((event_rpc_func_opnum = 12) or (event_rpc_func_opnum = 13))
- name: SCRT_PetitPotam_MS_DFSNM_Authentication_Coerce
- mitre_technique_id_and_name: T1003 - OS Credential Dumping
- mitre_tactic_id_and_name: TA0006 - Credential Access
- mitre_tactic_id: TA0006
- mitre_technique_id: T1003
- btp_rule: None
- btp_rule_name: None
- is_preventable: 0
- supported_os: None
- btp_validation_error: None
- xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{4FC742E0-4A10-11CF-8273-00AA004AE673}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$event_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 13, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]}
- is_xql: True
- query_tables: ["xdr_data"]
- rule_indicator_last_modified_ts: 1658410759398
- rule_id: 535
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1658397007681
- modify_time: 1658410787888
- severity: SEV_020_LOW
- source: frank.bussink@scrt.ch
- comment: SCRT BIOC to detect MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx
- status: ENABLED
- category: CREDENTIAL_ACCESS
- indicator: None
- indicator_md5: 2b19fe216d6e1efff594f0453f07dc67
- indicator_text: dataset = xdr_data
| filter EVENT_TYPE = RPC_CALL
| filter event_rpc_interface_uuid = "{12345678-1234-ABCD-EF00-0123456789AB}"
| filter ((action_rpc_func_opnum = 65) )
- name: SCRT-PetitPotam-Spoolss-Authentication-Coercer
- mitre_technique_id_and_name:
- mitre_tactic_id_and_name:
- mitre_tactic_id:
- mitre_technique_id:
- btp_rule: None
- btp_rule_name: None
- is_preventable: 0
- supported_os: 0
- btp_validation_error: UNSUPPORTED_XQL
- xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{12345678-1234-ABCD-EF00-0123456789AB}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 65, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]}
- is_xql: True
- query_tables: ["xdr_data"]
- rule_indicator_last_modified_ts: 1658404769097
- rule_id: 395
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1643316022296
- modify_time: 1643316022296
- severity: SEV_030_MEDIUM
- source: frank.bussink@scrt.ch
- comment: Possible RBCD Attack. A computer account creates another Computer account. https://www.bussink.net/rbcd-webclient-attack/
- status: ENABLED
- category: PRIVILEGE_ESCALATION
- indicator: None
- indicator_md5: a446f0072748b2bb6dadc13136560211
- indicator_text: dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4741
| filter action_evtlog_message ~= ".A computer account was created."
| alter AccountName = arrayindex(regextract(action_evtlog_message, ".Account Name:.?(\w.*)\r\n"),0)
| filter AccountName ~= ".$."
- name: SCRT-RBCD-Attack
- mitre_technique_id_and_name:
- mitre_tactic_id_and_name:
- mitre_tactic_id:
- mitre_technique_id:
- btp_rule: None
- btp_rule_name: None
- is_preventable: 0
- supported_os: None
- btp_validation_error: None
- xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"AND": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.EVENT_LOG", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_evtlog_event_id", "OPERATOR": "EQ", "RIGHT": 4741, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$action_evtlog_message", "OPERATOR": "REGEX", "RIGHT": ".A computer account was created.", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"ADD_FIELDS": {"fields": [{"name": "AccountName", "source": {"function": "array_item", "parameters": [{"function": "regexp_extract_all", "parameters": ["$action_evtlog_message", ".Account Name:.?(\w.)\r\n"]}, 0]}}]}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$AccountName", "OPERATOR": "REGEX", "RIGHT": ".\$.*", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]}
- is_xql: True
- query_tables: ["xdr_data"]
- rule_id: 395
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1687879280170
- modify_time: 1687879288067
- severity: SEV_030_MEDIUM
- source: frank.bussink@e-xpertsolutions.com
- comment: https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/ No known legit usage
- status: ENABLED
- category: CREDENTIAL_ACCESS
-
- runOnCGO: True
- investigationType: PROCESS_EXECUTION_EVENT
-
- SEARCH_FIELD: action_process_image_name
- SEARCH_TYPE: REGEX
- SEARCH_VALUE: rdrleakdiag
-
- isExtended: False
- node: attributes
- SEARCH_FIELD: action_process_image_command_line
- SEARCH_TYPE: REGEX
- SEARCH_VALUE: .rdrleakdiag./fullmemdmp.*
-
- isExtended: False
- indicator_md5: 7a67171bb15f69cb9e42881b5e49c089
- indicator_text: Process action type = execution AND target process cmd =~ .rdrleakdiag./fullmemdmp.* AND target process name =~ rdrleakdiag
- name: BIOC-Rdrleakdiag-lolbas-command
- mitre_technique_id_and_name: T1003.001 - OS Credential Dumping: LSASS Memory
- mitre_tactic_id_and_name: TA0006 - Credential Access
- mitre_tactic_id: TA0006
- mitre_technique_id: T1003.001
-
- action: block
- friendlyName: BIOC-Rdrleakdiag-lolbas-command
-
- 0: TA0006
-
- 0: T1003.001
- biocRuleName: BIOC-Rdrleakdiag-lolbas-command
- biocId: 395
- additionalData: {}
- rule_data: (deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex ?process_image_name "rdrleakdiag" 0) (regex ?command_line ".rdrleakdiag.\/fullmemdmp.*" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid))))
-
- action: block
- friendlyName: BIOC-Rdrleakdiag-lolbas-command
-
- 0: TA0006
-
- 0: T1003.001
- biocRuleName: BIOC-Rdrleakdiag-lolbas-command
- biocId: 395
- additionalData: {}
- rule_data: (deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex ?process_image_name "rdrleakdiag" 0) (regex ?command_line ".rdrleakdiag.\/fullmemdmp.*" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid))))
-
- action: block
- friendlyName: BIOC-Rdrleakdiag-lolbas-command
-
- 0: TA0006
-
- 0: T1003.001
- biocRuleName: BIOC-Rdrleakdiag-lolbas-command
- biocId: 395
- additionalData: {}
- rule_data: (deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex (lowcase ?process_image_name) "rdrleakdiag" 0) (regex (lowcase ?command_line) ".rdrleakdiag.\/fullmemdmp.*" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid))))
- btp_rule_name: process_start_395
- is_preventable: 1
- supported_os: 7
- btp_validation_error: None
- xql: None
- is_xql: False
- query_tables: None
- rule_indicator_last_modified_ts: 1687879280170
- status_changed_by: None
- status_changed_at: None
- last_status_change_reason: None
- rule_id: 520
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1650371481298
- modify_time: 1650371613163
- severity: SEV_030_MEDIUM
- source: frank.bussink@scrt.ch
- comment: SCRT switzerland - k4nfr3 - 19/04/2022 Following Mr D0x research : https://mrd0x.com/cortex-xdr-analysis-and-bypass/ it requires privilege and a reboot. This is until PAN will provide real signature
- status: ENABLED
- category: EVASION
-
- runOnCGO: True
- investigationType: REGISTRY_EVENT
-
- SEARCH_FIELD: agent_os_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 1
-
- isExtended: False
- node: xdr_agent
- SEARCH_FIELD: event_sub_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 4
- isExtended: False
- SEARCH_FIELD: action_registry_value_name
- SEARCH_TYPE: EQ
- SEARCH_VALUE: ServiceDll
-
- isExtended: False
- node: attributes
- SEARCH_FIELD: action_registry_data
- SEARCH_TYPE: REGEX_NOT
- SEARCH_VALUE: cryptsvc.dll
-
- isExtended: False
- node: attributes
- SEARCH_FIELD: action_registry_key_name
- SEARCH_TYPE: REGEX
- SEARCH_VALUE: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\d\d\d\Services\CryptSvc\Parameters
-
- isExtended: False
- node: attributes
- indicator_md5: 0186f58365c1a1c03da6e6ec2d052093
- indicator_text: Registry registry data !=~ cryptsvc.dll AND registry key name =~ HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\d\d\d\Services\CryptSvc\Parameters AND registry value name = ServiceDll AND action type = set_registry_value Host host os = windows
- name: SCRT-Mr-D0x-XDR-Disable-chg-registry-value
- mitre_technique_id_and_name: T1562.001 - Impair Defenses: Disable or Modify Tools
- mitre_tactic_id_and_name:
- mitre_tactic_id:
- mitre_technique_id: T1562.001
-
- action: block
- friendlyName: SCRT-Mr-D0x-XDR-Disable-chg-registry-value
-
- 0: T1562.001
- biocRuleName: SCRT-Mr-D0x-XDR-Disable-chg-registry-value
- biocId: 520
- additionalData: {}
- rule_data: (deftemplate registry_operation_520 (slot cid)) (defrule registry_operation_520 (registry_operation (hive ?hive) (sub_type ?sub_type) (key_name ?key_name) (value ?value) (cid ?cid) (value_name ?value_name &: (and (eq ?sub_type ?reg_set_value) (eq ?value_name "servicedll") (not (regex ?value "cryptsvc.dll" 0)) (and (regex ?key_name "\system\\controlset\d\d\d\\services\\cryptsvc\\parameters" 0) (eq ?hive ?hklm))))) (not (registry_operation_520 (cid ?cid))) => (assert (registry_operation_520 (cid ?cid))))
- btp_rule_name: registry_operation_520
- is_preventable: 1
- supported_os: 1
- btp_validation_error: WINDOWS_SUPPORT_ONLY
- xql: None
- is_xql: False
- query_tables: None
- rule_id: 387
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1683118009481
- modify_time: 1683797390193
- severity: SEV_030_MEDIUM
- source: frank.bussink@e-xpertsolutions.com
- comment: The StorSvc.dll!SvcRebootToFlashingMode RPC method, calls StorSvc.dll!InitResetPhone which also calls StorSvc.dll!ResetPhoneWorkerCallback, that tries to load SprintCSP.dll. As a result, the creation of this file may be indicative of Local Privilege escalation by DLL hijacking as the StorSvc process runs under NT AUTHORITY\SYSTEM.
- status: ENABLED
- category: PRIVILEGE_ESCALATION
-
- runOnCGO: False
- investigationType: FILE_EVENT
-
- SEARCH_FIELD: event_sub_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 1
- isExtended: False
- SEARCH_FIELD: event_sub_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 3
- isExtended: False
- SEARCH_FIELD: event_sub_type
- SEARCH_TYPE: EQ
- SEARCH_VALUE: 6
- isExtended: False
- SEARCH_FIELD: action_file_name
- SEARCH_TYPE: EQ
- SEARCH_VALUE: SprintCSP.dll
-
- isExtended: False
- node: attributes
- indicator_md5: f8103c0bb88607a5d23e9c7d1d9adc30
- indicator_text: File action type = create, rename, write AND file name = SprintCSP.dll
- name: SprintCSP.dll created to disk (StorSvc LPE)
- mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
- mitre_tactic_id_and_name: TA0004 - Privilege Escalation
- mitre_tactic_id: TA0004
- mitre_technique_id: T1574.001
-
- action: block
- friendlyName: SprintCSP.dll created to disk (StorSvc LPE)
-
- 0: TA0004
-
- 0: T1574.001
- biocRuleName: SprintCSP.dll created to disk (StorSvc LPE)
- biocId: 387
- additionalData: {}
- rule_data: (deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?file_create_new) (eq ?sub_type ?file_rename) (eq ?sub_type ?file_write)) (eq ?file_name "sprintcsp.dll")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))
-
- action: block
- friendlyName: SprintCSP.dll created to disk (StorSvc LPE)
-
- 0: TA0004
-
- 0: T1574.001
- biocRuleName: SprintCSP.dll created to disk (StorSvc LPE)
- biocId: 387
- additionalData: {}
- rule_data: (deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?file_create_new) (eq ?sub_type ?file_rename) (eq ?sub_type ?file_write)) (eq ?file_name "sprintcsp.dll")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))
-
- action: block
- friendlyName: SprintCSP.dll created to disk (StorSvc LPE)
-
- 0: TA0004
-
- 0: T1574.001
- biocRuleName: SprintCSP.dll created to disk (StorSvc LPE)
- biocId: 387
- additionalData: {}
- rule_data: (deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?file_create_new) (eq ?sub_type ?file_rename) (eq ?sub_type ?file_write)) (eq (lowcase ?file_name) "sprintcsp.dll")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))
- btp_rule_name: file_operation_387
- is_preventable: 1
- supported_os: 7
- btp_validation_error: None
- xql: None
- is_xql: False
- query_tables: None
- rule_indicator_last_modified_ts: 1683118009481
- rule_id: 402
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1699031533674
- modify_time: 1699031601221
- severity: SEV_030_MEDIUM
- source: frank.bussink@swissexpertgroup.com
- comment:
- status: ENABLED
- category: CREDENTIAL_ACCESS
- indicator: None
- indicator_md5: 11dc07e8da51f64c7d0581cc08c7d588
- indicator_text: dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter causality_actor_process_signature_vendor CONTAINS "microsoft" // Only keep cmd.exe or powershell etc...
| alter cmd= action_process_image_command_line // use small length var name
| filter cmd CONTAINS "C:\Windows\NTDS\ntds.dit" or cmd CONTAINS "C:\Windows\System32\config\SYSTEM" or cmd CONTAINS "C:\Windows\System32\config\SAM"
- name: BIOC-suspicious-command-line to Critical registry and NTDS file
- mitre_technique_id_and_name: T1003 - OS Credential Dumping
- mitre_tactic_id_and_name: TA0006 - Credential Access
- mitre_tactic_id: TA0006
- mitre_technique_id: T1003
- btp_rule: None
- btp_rule_name: None
- is_preventable: 0
- supported_os: 0
- btp_validation_error: UNSUPPORTED_XQL
- xql: {"stages":[{"FILTER":{"filter":{"OR":[{"LEFT":"$event_type","OPERATOR":"EQ","RIGHT":"$ENUM.PROCESS","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]}}},{"FILTER":{"filter":{"OR":[{"LEFT":"$causality_actor_process_signature_vendor","OPERATOR":"CONTAINS","RIGHT":"microsoft","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]}}},{"ADD_FIELDS":{"fields":[{"name":"cmd","source":"$action_process_image_command_line"}]}},{"FILTER":{"filter":{"OR":[{"OR":[{"LEFT":"$cmd","OPERATOR":"CONTAINS","RIGHT":"C:\Windows\NTDS\ntds.dit","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"},{"LEFT":"$cmd","OPERATOR":"CONTAINS","RIGHT":"C:\Windows\System32\config\SYSTEM","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]},{"LEFT":"$cmd","OPERATOR":"CONTAINS","RIGHT":"C:\Windows\System32\config\SAM","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]}}}],"original_query":null,"tables":["xdr_data"]}
- is_xql: True
- query_tables: ["xdr_data"]
- rule_indicator_last_modified_ts: 1699031533674
- status_changed_by: None
- status_changed_at: None
- last_status_change_reason: None
- rule_id: 392
- global_rule_id: NO_ID
- mssp_global_rule_id: None
- insert_time: 1684329642854
- modify_time: 1684329724525
- severity: SEV_040_HIGH
- source: frank.bussink@e-xpertsolutions.com
- comment: Tttracer is a Windows tool which can trace memory on any process. Here it was injected into LSASS, which is highly suspicious except in case of troubleshooting with Microsoft
- status: ENABLED
- category: CREDENTIAL_ACCESS
- indicator: None
- indicator_md5: 794b6fd75a9fce80e01417d11131152f
- indicator_text: preset = xdr_injection
| filter (action_remote_process_image_name = "lsass.exe")
| filter (actor_process_image_name = "ttdinject.exe")
- name: BIOC-TTTracer on LSASS
- mitre_technique_id_and_name: T1003.001 - OS Credential Dumping: LSASS Memory
- mitre_tactic_id_and_name: TA0006 - Credential Access
- mitre_tactic_id: TA0006
- mitre_technique_id: T1003.001
- btp_rule: None
- btp_rule_name: None
- is_preventable: 0
- supported_os: 0
- btp_validation_error: UNSUPPORTED_XQL
- xql: {"presets": ["xdr_injection"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$action_remote_process_image_name", "OPERATOR": "EQ", "RIGHT": "lsass.exe", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$actor_process_image_name", "OPERATOR": "EQ", "RIGHT": "ttdinject.exe", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]}
- is_xql: True
- query_tables: ["xdr_data"]
- rule_indicator_last_modified_ts: 1684329642854