diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 59ac2269a3c..e65d695c528 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -26,8 +26,6 @@ bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.2
 c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe
 69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: .*
 ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote-
-cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Attribute 'SamAccountName';HomeGroupUser\$
-7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml b/deprecated/windows/posh_ps_dnscat_execution.yml
similarity index 85%
rename from rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
rename to deprecated/windows/posh_ps_dnscat_execution.yml
index 2b27478f21e..b28d7bbd60d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
+++ b/deprecated/windows/posh_ps_dnscat_execution.yml
@@ -1,10 +1,10 @@
 title: Dnscat Execution
 id: a6d67db4-6220-436d-8afc-f3842fe05d43
-status: test
+status: deprecated # In favour of the more generic Susp and Malicious Cmdlet rules
 description: Dnscat exfiltration tool execution
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
-modified: 2022/12/25
+modified: 2024/01/25
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml b/deprecated/windows/win_system_susp_sam_dump.yml
similarity index 94%
rename from rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml
rename to deprecated/windows/win_system_susp_sam_dump.yml
index 84b793271c5..873b5c638f7 100644
--- a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml
+++ b/deprecated/windows/win_system_susp_sam_dump.yml
@@ -1,10 +1,10 @@
 title: SAM Dump to AppData
 id: 839dd1e8-eda8-4834-8145-01beeee33acd
-status: test
+status: deprecated
 description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
 author: Florian Roth (Nextron Systems)
 date: 2018/01/27
-modified: 2023/04/30
+modified: 2024/01/18
 tags:
 - attack.credential_access
 - attack.t1003.002
diff --git a/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
old mode 100755
new mode 100644
similarity index 73%
rename from rules/network/firewall/net_firewall_apt_equationgroup_c2.yml
rename to rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
index 16eb048d44d..fbf7da355f5
--- a/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml
+++ b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
@@ -12,18 +12,18 @@ tags:
 - attack.command_and_control
 - attack.g0020
 - attack.t1041
+ - detection.emerging_threats
 logsource:
 category: firewall
 detection:
- select_outgoing:
- dst_ip:
- - '69.42.98.86'
- - '89.185.234.145'
- select_incoming:
- src_ip:
- - '69.42.98.86'
- - '89.185.234.145'
- condition: 1 of select*
+ selection:
+ - dst_ip:
+ - '69.42.98.86'
+ - '89.185.234.145'
+ - src_ip:
+ - '69.42.98.86'
+ - '89.185.234.145'
+ condition: selection
 falsepositives:
 - Unknown
 level: high
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
index 379c53f74c4..6d466fe3e1f 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
@@ -6,6 +6,9 @@ references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: CISA
 date: 2023/12/18
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
 logsource:
 category: image_load
 product: windows
diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
index 7bb43c8ce9c..13a8d1c7a81 100644
--- a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
@@ -2,6 +2,8 @@ title: Interactive Logon to Server Systems
 id: 3ff152b2-1388-4984-9cd9-a323323fdadf
 status: test
 description: Detects interactive console logons to Server Systems
+references:
+ - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2017/03/17
 modified: 2023/12/15
@@ -22,10 +24,10 @@ detection:
 ComputerName|expand:
 - '%ServerSystems%'
 - '%DomainControllers%'
- filter_main:
+ filter_main_advapi:
 LogonProcessName: 'Advapi'
 ComputerName|expand: '%Workstations%'
- condition: selection and not filter_main
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Administrative activity via KVM or ILO board
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
similarity index 62%
rename from rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
index 84912f31391..a6069d00a68 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml
@@ -1,13 +1,17 @@
-title: Execution in Webserver Root Folder
+title: Execution From Webserver Root Folder
 id: 35efb964-e6a5-47ad-bbcd-19661854018d
 status: test
-description: Detects a suspicious program execution in a web service root folder (filter out false positives)
+description: |
+ Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
+references:
+ - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2019/01/16
-modified: 2021/11/27
+modified: 2024/01/18
 tags:
 - attack.persistence
 - attack.t1505.003
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
@@ -17,16 +21,13 @@ detection:
 - '\wwwroot\'
 - '\wmpub\'
 - '\htdocs\'
- filter:
+ filter_main_generic:
 Image|contains:
 - 'bin\'
 - '\Tools\'
 - '\SMSComponent\'
 ParentImage|endswith: '\services.exe'
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Various applications
 - Tools that include ping or nslookup command invocations
diff --git a/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml
similarity index 56%
rename from rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml
index 53e4af697b9..be399292008 100644
--- a/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml
@@ -1,27 +1,30 @@
-title: Exfiltration and Tunneling Tools Execution
+title: Tunneling Tool Execution
 id: c75309a3-59f8-4a8d-9c2c-4c927ad50555
 status: test
-description: Execution of well known tools for data exfiltration and tunneling
+description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
 author: Daniil Yugoslavskiy, oscd.community
+references:
+ - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2024/01/18
 tags:
 - attack.exfiltration
 - attack.command_and_control
 - attack.t1041
 - attack.t1572
 - attack.t1071.001
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 Image|endswith:
+ - '\httptunnel.exe'
 - '\plink.exe'
 - '\socat.exe'
 - '\stunnel.exe'
- - '\httptunnel.exe'
 condition: selection
 falsepositives:
- - Legitimate Administrator using tools
+ - Legitimate administrators using one of these tools
 level: medium
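Review bot: The `selection` still keys only on `Image|endswith`, so a copy of any of the four binaries saved under another file name is outside the rule; for a threat-hunting rule that gap is worth either stating in the description or closing with a second selection on `OriginalFileName` (where the binaries set one) joined by `condition: 1 of selection_*`. The title was narrowed to "Tunneling Tool Execution" while `attack.exfiltration`/`attack.t1041` stay in `tags` and the description still says exfiltration and tunneling; pick one scope and align title, description and tags. The added reference is about malicious IIS extensions, and its link to these four tools is not evident from the rule; a short note in the description of why it is cited would help the next reader.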
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
similarity index 81%
rename from rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
index 036b0b1740d..d8f7b21ddfc 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
@@ -3,8 +3,13 @@ id: 1e33157c-53b1-41ad-bbcc-780b80b58288
 related:
 - id: 23250293-eed5-4c39-b57a-841c8933a57d
 type: obsoletes
+ - id: cea72823-df4d-4567-950c-0b579eaf0846
+ type: derived
 status: test
 description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
+references:
+ - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+ - https://redcanary.com/blog/gootloader/
 author: Michael Haag
 date: 2019/01/16
 modified: 2023/05/15
@@ -12,6 +17,7 @@ tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
index c5628267147..ea3d2e7b330 100644
--- a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
+++ b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
@@ -2,6 +2,8 @@ title: AWS Config Disabling Channel/Recorder
 id: 07330162-dba1-4746-8121-a9647d49d297
 status: test
 description: Detects AWS Config Service disabling
+references:
+ - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
 author: vitaliy0x1
 date: 2020/01/21
 modified: 2022/10/09
@@ -12,12 +14,12 @@ logsource:
 product: aws
 service: cloudtrail
 detection:
- selection_source:
- eventSource: config.amazonaws.com
+ selection:
+ eventSource: 'config.amazonaws.com'
 eventName:
- - DeleteDeliveryChannel
- - StopConfigurationRecorder
- condition: selection_source
+ - 'DeleteDeliveryChannel'
+ - 'StopConfigurationRecorder'
+ condition: selection
 falsepositives:
 - Valid change in AWS Config Service
 level: high
diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml
index 0cffb48f905..c060324cadf 100644
--- a/rules/cloud/okta/okta_security_threat_detected.yml
+++ b/rules/cloud/okta/okta_security_threat_detected.yml
@@ -9,6 +9,8 @@ references:
 author: Austin Songer @austinsonger
 date: 2021/09/12
 modified: 2022/10/09
+tags:
+ - attack.command_and_control
 logsource:
 product: okta
 service: okta
diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml
index dc968a6d0f6..f17099bb5ae 100644
--- a/rules/compliance/default_credentials_usage.yml
+++ b/rules/compliance/default_credentials_usage.yml
@@ -2,8 +2,8 @@ title: Default Credentials Usage
 id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
 status: stable
 description: |
- Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
- Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
+ Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
+ Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
 references:
 - https://www.cisecurity.org/controls/cis-controls-list/
 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
@@ -11,7 +11,8 @@ references:
 - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
 author: Alexandr Yampolskyi, SOC Prime
 date: 2019/03/26
-# tags:
+tags:
+ - attack.initial_access
 # - CSC4
 # - CSC4.2
 # - NIST CSF 1.1 PR.AC-4
diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml
index 937f3be6479..cbcda8ea153 100644
--- a/rules/compliance/netflow_cleartext_protocols.yml
+++ b/rules/compliance/netflow_cleartext_protocols.yml
@@ -12,7 +12,8 @@ references:
 author: Alexandr Yampolskyi, SOC Prime
 date: 2019/03/26
 modified: 2022/11/18
-# tags:
+tags:
+ - attack.credential_access
 # - CSC4
 # - CSC4.5
 # - CSC14
diff --git a/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
index 39052a78637..caa3385bade 100644
--- a/rules/linux/builtin/lnx_shell_susp_log_entries.yml
+++ b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
@@ -2,6 +2,8 @@ title: Suspicious Log Entries
 id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 status: test
 description: Detects suspicious log entries in Linux log files
+references:
+ - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
 author: Florian Roth (Nextron Systems)
 date: 2017/03/25
 modified: 2021/11/27
@@ -12,11 +14,11 @@ logsource:
 detection:
 keywords:
 # Generic suspicious log lines
- - entered promiscuous mode
+ - 'entered promiscuous mode'
 # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
- - Deactivating service
- - Oversized packet received from
- - imuxsock begins to drop messages
+ - 'Deactivating service'
+ - 'Oversized packet received from'
+ - 'imuxsock begins to drop messages'
 condition: keywords
 falsepositives:
 - Unknown
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 96611b50ea0..e32eba875c4 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
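Review bot: Activating `tags:` leaves the old `# - CSC4`, `# - CSC4.2` and `# - NIST CSF 1.1 PR.AC-4` lines sitting directly under a live key, where they read as tags that failed to parse rather than as a control mapping; either drop them or fold them into one comment such as `# Control mapping: CSC4, CSC4.2, NIST CSF 1.1 PR.AC-4` placed above `tags:`. The same leftover pattern is in the netflow_cleartext_protocols.yml hunk on this line and in the net_firewall_cleartext_protocols.yml hunk later in the diff. The new `attack.initial_access` entry names only a tactic, whereas the other rules touched in this commit pair a tactic with a technique tag; if a technique is intended here, adding it next to the tactic keeps the rule consistent with the rest of the set.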
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -2,6 +2,9 @@ title: Cisco Clear Logs
 id: ceb407f6-8277-439b-951f-e4210e3ed956
 status: test
 description: Clear command history in network OS which is used for defense evasion
+references:
+ - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
+ - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
 author: Austin Clark
 date: 2019/08/12
 modified: 2023/05/26
@@ -16,12 +19,6 @@ detection:
 - 'clear logging'
 - 'clear archive'
 condition: keywords
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
 falsepositives:
 - Legitimate administrators may run these commands
 level: high
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
index 7e00356ca85..a735063db82 100644
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -2,6 +2,10 @@ title: Cisco Collect Data
 id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
 status: test
 description: Collect pertinent data from the configuration files
+references:
+ - https://blog.router-switch.com/2013/11/show-running-config/
+ - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
+ - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
 author: Austin Clark
 date: 2019/08/11
 modified: 2023/01/04
@@ -22,12 +26,6 @@ detection:
 - 'show archive config'
 - 'more'
 condition: keywords
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
 falsepositives:
 - Commonly run by administrators
 level: low
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index ee51db55f82..3485e200ea1 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -2,6 +2,8 @@ title: Cisco Crypto Commands
 id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
 status: test
 description: Show when private keys are being exported from the device, or when new certificates are installed
+references:
+ - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
 author: Austin Clark
 date: 2019/08/12
 modified: 2023/01/04
@@ -19,12 +21,6 @@ detection:
 - 'crypto pki import'
 - 'crypto pki trustpoint'
 condition: keywords
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
 falsepositives:
 - Not commonly run by administrators. Also whitelist your known good certificates
 level: high
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index 7ff07143bcf..06711af2975 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -2,6 +2,8 @@ title: Cisco Disabling Logging
 id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
 status: test
 description: Turn off logging locally or remote
+references:
+ - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
 author: Austin Clark
 date: 2019/08/11
 modified: 2023/01/04
diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml
index 970e34df7ed..5d657406737 100644
--- a/rules/network/cisco/aaa/cisco_cli_discovery.yml
+++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml
@@ -2,6 +2,8 @@ title: Cisco Discovery
 id: 9705a6a1-6db6-4a16-a987-15b7151e299b
 status: test
 description: Find information about network devices that is not stored in config files
+references:
+ - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
 author: Austin Clark
 date: 2019/08/12
 modified: 2023/01/04
@@ -22,23 +24,17 @@ logsource:
 detection:
 keywords:
 - 'dir'
- - 'show processes'
 - 'show arp'
 - 'show cdp'
- - 'show version'
- - 'show ip route'
+ - 'show clock'
 - 'show ip interface'
+ - 'show ip route'
 - 'show ip sockets'
- - 'show users'
+ - 'show processes'
 - 'show ssh'
- - 'show clock'
+ - 'show users'
+ - 'show version'
 condition: keywords
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
 falsepositives:
 - Commonly used by administrators for troubleshooting
 level: low
diff --git a/rules/network/firewall/net_firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml
index 96f24d71b8b..6bc0432ed35 100644
--- a/rules/network/firewall/net_firewall_cleartext_protocols.yml
+++ b/rules/network/firewall/net_firewall_cleartext_protocols.yml
@@ -2,8 +2,8 @@ title: Cleartext Protocol Usage
 id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
 status: stable
 description: |
- Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
- Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
+ Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
+ Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
 references:
 - https://www.cisecurity.org/controls/cis-controls-list/
 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
@@ -11,7 +11,8 @@ references:
 author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
 date: 2019/03/26
 modified: 2022/10/10
-# tags:
+tags:
+ - attack.credential_access
 # - CSC4
 # - CSC4.5
 # - CSC14
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index 7a1e1801f35..63b86335244 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -5,7 +5,9 @@ related:
 type: derived
 status: test
 description: Detects known sensitive file extensions via Zeek
-author: 'Samir Bousseaden, @neu5ron'
+references:
+ - Internal Research
+author: Samir Bousseaden, @neu5ron
 date: 2020/04/02
 modified: 2021/11/27
 tags:
@@ -29,11 +31,6 @@ detection:
 - '\groups.xml'
 - '.rdp'
 condition: selection
-fields:
- - ComputerName
- - SubjectDomainName
- - SubjectUserName
- - RelativeTargetName
 falsepositives:
 - Help Desk operator doing backup or re-imaging end user machine or backup software
 - Users working with these data types or exchanging message files
diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
index c1ababf5557..e405b04f6d3 100644
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
@@ -5,6 +5,8 @@ related:
 type: similar
 status: test
 description: Detects executable downloads from suspicious remote systems
+references:
+ - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2017/03/13
 modified: 2023/05/18
diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
index 587410b1da9..043b61f6284 100644
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
+++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
@@ -2,6 +2,8 @@ title: Bitsadmin to Uncommon IP Server Address
 id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
 status: test
 description: Detects Bitsadmin connections to IP addresses instead of FQDN names
+references:
+ - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
 author: Florian Roth (Nextron Systems)
 date: 2022/06/10
 modified: 2022/08/24
diff --git a/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml b/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml
index 21db1974adc..bcecae99053 100644
--- a/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml
+++ b/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml
@@ -2,6 +2,8 @@ title: Ursnif Malware Download URL Pattern
 id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
 status: stable
 description: Detects download of Ursnif malware done by dropper documents.
+references:
+ - https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
 author: Thomas Patzke
 date: 2019/12/19
 modified: 2022/08/15
@@ -18,11 +20,6 @@ detection:
 c-uri|endswith: '.cab'
 sc-status: 200
 condition: selection
-fields:
- - c-ip
- - c-uri
- - sc-bytes
- - c-ua
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml
index fd4c7c08231..4f6bd8c47c0 100644
--- a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml
@@ -2,6 +2,9 @@ title: Application Uninstalled
 id: 570ae5ec-33dc-427c-b815-db86228ad43e
 status: test
 description: An application has been removed. Check if it is critical.
+references:
+ - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
+ - https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
 author: frack113
 date: 2022/01/28
 modified: 2022/09/17
@@ -15,8 +18,8 @@ detection:
 selection:
 Provider_Name: 'MsiInstaller'
 EventID:
- - 11724
- - 1034
+ - 1034 # Windows Installer removed the product
+ - 11724 # Product Removal Successful
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
index fbe6072f948..5d022a9ce8b 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
@@ -1,7 +1,9 @@
 title: Failed Logon From Public IP
 id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
 status: test
-description: A login from a public IP can indicate a misconfigured firewall or network boundary.
+description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
 author: NVISO
 date: 2020/05/06
 modified: 2023/01/11
@@ -17,9 +19,9 @@ logsource:
 detection:
 selection:
 EventID: 4625
- filter_ip_unknown:
+ filter_main_ip_unknown:
 IpAddress|contains: '-'
- filter_ip_privatev4:
+ filter_main_ip_privatev4:
 IpAddress|startswith:
 - '10.' # 10.0.0.0/8
 - '192.168.' # 192.168.0.0/16
@@ -41,12 +43,12 @@ detection:
 - '172.31.'
 - '127.' # 127.0.0.0/8
 - '169.254.' # 169.254.0.0/16
- filter_ip_privatev6:
+ filter_main_ip_privatev6:
 - IpAddress: '::1' # loopback
 - IpAddress|startswith:
 - 'fe80::' # link-local
 - 'fc00::' # unique local
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Legitimate logon attempts over the internet
 - IPv4-to-IPv6 mapped IPs
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml b/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
index 98835de023f..d96c2bc0751 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
@@ -1,9 +1,12 @@
-title: Login with WMI
+title: Successful Account Login Via WMI
 id: 5af54681-df95-4c26-854f-2565e13cfab0
 status: stable
-description: Detection of logins performed with WMI
+description: Detects successful logon attempts performed with WMI
+references:
+ - Internal Research
 author: Thomas Patzke
 date: 2019/12/04
+modified: 2024/01/17
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/builtin/security/win_security_admin_share_access.yml b/rules/windows/builtin/security/win_security_admin_share_access.yml
index be2c750a788..d2f98537e14 100644
--- a/rules/windows/builtin/security/win_security_admin_share_access.yml
+++ b/rules/windows/builtin/security/win_security_admin_share_access.yml
@@ -1,24 +1,26 @@
-title: Access to ADMIN$ Share
+title: Access To ADMIN$ Network Share
 id: 098d7118-55bc-4912-a836-dc6483a8d150
 status: test
-description: Detects access to $ADMIN share
+description: Detects access to ADMIN$ network share
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
 author: Florian Roth (Nextron Systems)
 date: 2017/03/04
-modified: 2021/11/27
+modified: 2024/01/16
 tags:
 - attack.lateral_movement
 - attack.t1021.002
 logsource:
 product: windows
 service: security
- definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
+ definition: 'Requirements: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
 detection:
 selection:
 EventID: 5140
- ShareName: Admin$
- filter:
+ ShareName: 'Admin$'
+ filter_main_computer_account:
 SubjectUserName|endswith: '$'
- condition: selection and not filter
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate administrative activity
 level: low
diff --git a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
index 0afc80f5a18..8203b0b3503 100644
--- a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
@@ -3,6 +3,9 @@ id: 470ec5fa-7b4e-4071-b200-4c753100f49b
 status: stable
 description: |
 Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281
 author: Thomas Patzke
 date: 2019/12/03
 modified: 2023/12/13
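Review bot: `condition: selection and not 1 of filter_*` in the win_security_admin_share_access.yml hunk uses a different wildcard from the filter it was just renamed to support, `filter_main_computer_account`, and from every other condition touched in this commit, which use `1 of filter_main_*`; the `filter_main_*` prefix only does its job if the condition names it, so make it `condition: selection and not 1 of filter_main_*`. The filter itself exempts any `SubjectUserName` ending in `$`, i.e. every computer account, not just the expected service traffic, and that blind spot is not mentioned anywhere in the rule; a line under `falsepositives` or a short comment on the filter would tell operators what the rule will never see.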
diff --git a/rules/windows/builtin/security/win_security_external_device.yml b/rules/windows/builtin/security/win_security_external_device.yml
index 5f1e15eda47..fcaea36e0bd 100644
--- a/rules/windows/builtin/security/win_security_external_device.yml
+++ b/rules/windows/builtin/security/win_security_external_device.yml
@@ -1,10 +1,12 @@
-title: External Disk Drive Or USB Storage Device
+title: External Disk Drive Or USB Storage Device Was Recognized By The System
 id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
 status: test
 description: Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
 author: Keith Wright
 date: 2019/11/20
-modified: 2022/10/09
+modified: 2024/01/16
 tags:
 - attack.t1091
 - attack.t1200
@@ -14,12 +16,12 @@ logsource:
 product: windows
 service: security
 detection:
- selection:
+ selection_disk:
 EventID: 6416
 ClassName: 'DiskDrive'
- selection2:
+ selection_usb:
 DeviceDescription: 'USB Mass Storage Device'
- condition: selection or selection2
+ condition: 1 of selection_*
 falsepositives:
- - Legitimate administrative activity
+ - Likely
 level: low
diff --git a/rules/windows/builtin/security/win_security_hidden_user_creation.yml b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
index 5892a727ab7..227f3f32e08 100644
--- a/rules/windows/builtin/security/win_security_hidden_user_creation.yml
+++ b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/SBousseaden/status/1387743867663958021
 author: Christian Burkard (Nextron Systems)
 date: 2021/05/03
-modified: 2022/10/09
+modified: 2024/01/16
 tags:
 - attack.persistence
 - attack.t1136.001
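Review bot: `falsepositives: - Likely` in the second win_security_external_device.yml hunk replaces a descriptive entry with a bare adverb that tells an analyst nothing about which events to expect; keep a concrete phrase such as `- Legitimate USB storage devices and external drives attached by users or administrators`. The renamed `selection_usb` tests only `DeviceDescription` with no `EventID`, so under `condition: 1 of selection_*` it fires on any security event carrying that field value, not only 6416; if `DeviceDescription` is set by other events this is broader than the description states, and adding `EventID: 6416` to `selection_usb` (or a comment saying why it is omitted) would make the intent explicit.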
@@ -17,7 +17,9 @@ detection:
 selection:
 EventID: 4720
 TargetUserName|endswith: '$'
- condition: selection
+ filter_main_homegroup:
+ TargetUserName: 'HomeGroupUser$'
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_security_metasploit_authentication.yml b/rules/windows/builtin/security/win_security_metasploit_authentication.yml
index c0fed31e8f7..77fc9441327 100644
--- a/rules/windows/builtin/security/win_security_metasploit_authentication.yml
+++ b/rules/windows/builtin/security/win_security_metasploit_authentication.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 date: 2020/05/06
-modified: 2022/10/09
+modified: 2024/01/25
 tags:
 - attack.lateral_movement
 - attack.t1021.002
@@ -22,7 +22,6 @@ detection:
 AuthenticationPackageName: 'NTLM'
 WorkstationName|re: '^[A-Za-z0-9]{16}$'
 selection2:
- ProcessName:
 EventID: 4776
 Workstation|re: '^[A-Za-z0-9]{16}$'
 condition: 1 of selection*
diff --git a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
index 2cb0b5bbeb5..aea6eff2f1f 100644
--- a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
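Review bot: `falsepositives` still reads `Unknown` in the win_security_hidden_user_creation.yml hunk although the same hunk adds `filter_main_homegroup` for exactly one known benign case; record it, e.g. `- The built-in HomeGroupUser$ account (already excluded by filter_main_homegroup)`, so the reason for the filter survives the next refactor. The same mismatch appears in the win_security_new_or_renamed_user_account_with_dollar_sign.yml hunk further down, which adds the same filter and keeps `Unknown`. The filter is an exact match on `TargetUserName` while `selection` uses `TargetUserName|endswith: '$'`, so both act on the same field and the narrow exemption is deliberate; a one-line comment on the filter saying so would stop a reader from widening it.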
@@ -1,10 +1,13 @@ -title: New or Renamed User Account with '$' in Attribute 'SamAccountName' +title: New or Renamed User Account with '$' Character id: cfeed607-6aa4-4bbd-9627-b637deb723c8 status: test -description: Detects possible bypass EDR and SIEM via abnormal user account name. +description: | + Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms. +references: + - https://twitter.com/SBousseaden/status/1387743867663958021 author: Ilyas Ochkov, oscd.community date: 2019/10/25 -modified: 2022/11/22 +modified: 2024/01/16 tags: - attack.defense_evasion - attack.t1036 @@ -12,18 +15,16 @@ logsource: product: windows service: security detection: - selection1: + selection_create: EventID: 4720 # create user SamAccountName|contains: '$' - selection2: + selection_rename: EventID: 4781 # rename user NewTargetUserName|contains: '$' - condition: 1 of selection* -fields: - - EventID - - SamAccountName - - SubjectUserName - - NewTargetUserName + filter_main_homegroup: + EventID: 4720 + TargetUserName: 'HomeGroupUser$' + condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml index 3bb39b22743..e9b47576efe 100644 --- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml 
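Review bot: The new description in win_security_new_or_renamed_user_account_with_dollar_sign.yml only mentions creation, but the detection in the next hunk still has `selection_rename` on EventID 4781, so the text undersells the rule and the title ("New or Renamed") no longer agrees with it. Suggest `Detects the creation or renaming of a user account whose name contains the "$" character.` and keep the remaining sentence about hiding the user and tricking parsers as written.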
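Review bot: `filter_main_homegroup` keys on `TargetUserName` while `selection_create` keys on `SamAccountName` for the same 4720 event; both fields exist on that event, but a backend field mapping that knows only one of them leaves the filter silently inert while the selection still fires. Using the same field in both places, `TargetUserName: 'HomeGroupUser$'` → `SamAccountName: 'HomeGroupUser$'`, removes that dependency. The level drop from high to medium is not explained anywhere in the rule; a short falsepositives entry naming the HomeGroup account would tell the reader why.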
@@ -9,7 +9,7 @@ references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html - https://www.x86matthew.com/view_post?id=create_svc_rpc - https://twitter.com/SBousseaden/status/1490608838701166596 -author: Tim Rauch (Nextron Systems), Elastic +author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022/09/15 modified: 2023/01/04 tags: diff --git a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml index fdf8a276864..41fb8d1eaca 100644 --- a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml +++ b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml @@ -1,9 +1,12 @@ -title: Addition of Domain Trusts +title: A New Trust Was Created To A Domain id: 0255a820-e564-4e40-af2b-6ac61160335c status: stable description: Addition of domains is seldom and should be verified for legitimacy. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 author: Thomas Patzke date: 2019/12/03 +modified: 2024/01/16 tags: - attack.persistence - attack.t1098 diff --git a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml index 0164af360dd..5ef3041be28 100644 --- a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml 
@@ -1,10 +1,12 @@ title: Kerberos Manipulation id: f7644214-0eb0-4ace-9455-331ec4c09253 status: test -description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages +description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 author: Florian Roth (Nextron Systems) date: 2017/02/10 -modified: 2021/11/27 +modified: 2024/01/16 tags: - attack.credential_access - attack.t1212 @@ -18,7 +20,7 @@ detection: - 4768 - 4769 - 4771 - FailureCode: + Status: - '0x9' - '0xA' - '0xB' diff --git a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml index aa02d0704d4..4d1fad92a16 100644 --- a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml +++ b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml @@ -5,6 +5,8 @@ related: type: similar status: test description: Detects known sensitive file extensions accessed on a network share +references: + - Internal Research author: Samir Bousseaden date: 2019/04/03 modified: 2022/10/09 @@ -18,24 +20,19 @@ detection: selection: EventID: 5145 RelativeTargetName|endswith: - - '.pst' - - '.ost' - - '.msg' - - '.nst' - - '.oab' - - '.edb' - - '.nsf' - '.bak' - '.dmp' + - '.edb' - '.kirbi' - - '\groups.xml' + - '.msg' + - '.nsf' + - '.nst' + - '.oab' + - '.ost' + - '.pst' - '.rdp' + - '\groups.xml' condition: selection -fields: - - ComputerName - - SubjectDomainName - - SubjectUserName - - RelativeTargetName falsepositives: - Help Desk operator doing backup or re-imaging end user machine or backup software - Users working with these data types or exchanging message files 
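Review bot: The rewritten description in win_security_susp_kerberos_manipulation.yml speaks only of a failed TGT issue, yet the selection (its `EventID` key lies outside the second hunk) still lists 4768, 4769 and 4771, and 4769 is a service-ticket (TGS) request. Either drop 4769 or widen the text, e.g. `Detects Kerberos TGT/TGS requests or pre-authentication failures returning rare status codes, which can indicate manipulated Kerberos messages.` The added reference documents only 4771; the 4768/4769 pages would back the same Status values for the other two IDs.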
diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml index 8be8889b3e4..ff65a76a6c1 100644 --- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml +++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml @@ -4,7 +4,10 @@ related: - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 type: derived status: test -description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques +description: | + Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques. +references: + - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 modified: 2022/11/29 @@ -14,12 +17,12 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 + definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697' detection: selection: EventID: 4697 ServiceFileName|contains: 'tap0901' condition: selection falsepositives: - - Legitimate OpenVPN TAP insntallation -level: medium + - Legitimate OpenVPN TAP installation +level: low diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml index 70b83aea0ea..7fabb7badee 100644 --- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml +++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml 
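Review bot: `level` in win_security_tap_driver_installation.yml is lowered to `low`, while the derived sibling win_system_service_install_tap_driver.yml (8e4cf0e5-…, also touched in this commit) keeps `level: medium` for the same tap0901 indicator, so the two rules now disagree on severity with no stated reason. Align them or add a comment explaining why the 4697 variant is rated lower. The rewritten `definition` also has a number disagreement; suggest `definition: 'Requirements: The System Security Extension audit subcategory needs to be enabled to log the EID 4697'`.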
@@ -1,7 +1,10 @@ -title: User Added to Local Administrators +title: User Added to Local Administrator Group id: c265cf08-3f99-46c1-8d59-328247057d57 status: stable -description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity +description: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732 + - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers author: Florian Roth (Nextron Systems) date: 2017/03/14 modified: 2021/01/17 @@ -14,15 +17,14 @@ logsource: product: windows service: security detection: - selection: + selection_eid: EventID: 4732 - selection_group1: - TargetUserName|startswith: 'Administr' - selection_group2: - TargetSid: 'S-1-5-32-544' - filter: + selection_group: + - TargetUserName|startswith: 'Administr' + - TargetSid: 'S-1-5-32-544' + filter_main_computer_accounts: SubjectUserName|endswith: '$' - condition: selection and (1 of selection_group*) and not filter + condition: all of selection_* and not 1 of filter_* falsepositives: - Legitimate administrative activity level: medium diff --git a/rules/windows/builtin/security/win_security_user_creation.yml b/rules/windows/builtin/security/win_security_user_creation.yml index 1748014e3fc..78d7ba34d5e 100644 --- a/rules/windows/builtin/security/win_security_user_creation.yml +++ b/rules/windows/builtin/security/win_security_user_creation.yml 
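Review bot: The detection in win_security_user_added_to_local_administrators.yml is restructured (`selection_group` becomes a list of alternatives, the filter is renamed and the condition changes), but `modified: 2021/01/17` in the first hunk stays untouched; every other rule with a logic change in this commit bumps it. Update it to the commit's date, e.g. `modified: 2024/01/16` as the neighbouring security rules do. `all of selection_*` is correct here because `selection_eid` and `selection_group` must both hold, which is worth a one-line comment since `1 of selection_*` is the more common form in this directory.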
@@ -1,7 +1,8 @@ title: Local User Creation id: 66b6be3d-55d0-4f47-9855-d69df21740ea status: test -description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs. +description: | + Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs. references: - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ author: Patrick Bareiss @@ -17,10 +18,6 @@ detection: selection: EventID: 4720 condition: selection -fields: - - EventCode - - AccountName - - AccountDomain falsepositives: - Domain Controller Logs - Local accounts managed by privileged account management tools diff --git a/rules/windows/builtin/security/win_security_user_logoff.yml b/rules/windows/builtin/security/win_security_user_logoff.yml index 1d579621ba6..e85b1cd0449 100644 --- a/rules/windows/builtin/security/win_security_user_logoff.yml +++ b/rules/windows/builtin/security/win_security_user_logoff.yml @@ -8,6 +8,9 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647 author: frack113 date: 2022/10/14 +tags: + - attack.impact + - attack.t1531 logsource: service: security product: windows diff --git a/rules/windows/builtin/security/win_security_workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml index 1db698df768..228c87f6808 100644 --- a/rules/windows/builtin/security/win_security_workstation_was_locked.yml +++ b/rules/windows/builtin/security/win_security_workstation_was_locked.yml @@ -10,7 +10,8 @@ references: author: Alexandr Yampolskyi, SOC Prime date: 2019/03/26 modified: 2023/12/11 -# tags: +tags: + - attack.impact # - CSC16 # - CSC16.11 # - ISO27002-2013 A.9.1.1 
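Review bot: The tags added to win_security_user_logoff.yml map an ordinary 4647 logoff to `attack.impact` / `attack.t1531`; T1531 (Account Access Removal) describes an adversary removing or locking out access, which a user-initiated logoff does not by itself indicate, so the mapping looks stretched. If the intent is only to give the rule a tactic, a comment stating the reasoning would help; otherwise consider dropping `attack.t1531`. win_security_workstation_was_locked.yml receives the same bare `attack.impact` tag in the following hunk while the remaining tag lines stay commented out, leaving that list half-migrated.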
diff --git a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml index b26250899b4..65e23658907 100644 --- a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml +++ b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml @@ -1,9 +1,12 @@ -title: Sysmon Crash +title: Sysmon Application Crashed id: 4d7f1827-1637-4def-8d8a-fd254f9454df status: test description: Detects application popup reporting a failure of the Sysmon service +references: + - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36 author: Tim Shelton date: 2022/04/26 +modified: 2024/01/17 tags: - attack.defense_evasion - attack.t1562 @@ -14,7 +17,9 @@ detection: selection: Provider_Name: 'Application Popup' EventID: 26 - Caption: 'sysmon64.exe - Application Error' + Caption: + - 'sysmon64.exe - Application Error' + - 'sysmon.exe - Application Error' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml deleted file mode 100644 index 2f6594cdc79..00000000000 --- a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml +++ /dev/null 
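Review bot: The `Caption` list in win_system_application_sysmon_crash.yml matches only the two stock binary names, so deployments that install the Sysmon binary under a custom name — a common hardening step — produce no hit when their sensor crashes, which is exactly the defense-evasion case the rule is tagged for. A comment next to the list, `# Extend this list if Sysmon is deployed under a custom binary name`, tells operators to adapt it rather than assume coverage.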
@@ -1,23 +0,0 @@ -title: QuarksPwDump Clearing Access History -id: 39f919f3-980b-4e6f-a975-8af7e507ef2b -status: test -description: Detects QuarksPwDump clearing access history in hive -author: Florian Roth (Nextron Systems) -date: 2017/05/15 -modified: 2022/04/14 -tags: - - attack.credential_access - - attack.t1003.002 -logsource: - product: windows - service: system -detection: - selection: - EventID: 16 - Provider_Name: Microsoft-Windows-Kernel-General - HiveName|contains: '\AppData\Local\Temp\SAM' - HiveName|endswith: '.dmp' - condition: selection -falsepositives: - - Unknown -level: critical diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml new file mode 100644 index 00000000000..b102505ba2b --- /dev/null +++ b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml 
@@ -0,0 +1,32 @@ +title: Critical Hive In Suspicious Location Access Bits Cleared +id: 39f919f3-980b-4e6f-a975-8af7e507ef2b +related: + - id: 839dd1e8-eda8-4834-8145-01beeee33acd + type: obsoletes +status: test +description: | + Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. + This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). + Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior. +references: + - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md +author: Florian Roth (Nextron Systems) +date: 2017/05/15 +modified: 2024/01/18 +tags: + - attack.credential_access + - attack.t1003.002 +logsource: + product: windows + service: system +detection: + selection: + EventID: 16 + Provider_Name: Microsoft-Windows-Kernel-General + HiveName|contains: + - '\Temp\SAM' + - '\Temp\SECURITY' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml index 8371db7ffec..eab993b0d42 100644 --- a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml +++ b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml 
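Review bot: `HiveName|contains: '\Temp\SAM'` in the new win_system_susp_critical_hive_location_access_bits_cleared.yml is an unanchored substring, so any hive under a Temp path whose name merely starts with SAM (SAMPLE…, SAMSUNG…) matches as well; if the dumpers seen emit names like SAM or SAM.dmp, a `'\Temp\SAM.'` entry plus an `|endswith: '\Temp\SAM'` alternative would be tighter — please check against the referenced samples before narrowing. The description has two slips: `with a system like hive name` → `with a system-like hive name` and `has not be recognized` → `has not been recognized`. Since `falsepositives` is `Unknown`, a line noting that legitimately copied hives in Temp (backup or migration tooling) trigger the same event would help triage.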
@@ -1,7 +1,10 @@ title: Windows Update Error id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59 status: stable -description: Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed. +description: | + Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed. +references: + - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml author: frack113 date: 2021/12/04 modified: 2023/09/07 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml index 4428ac09abe..f1f6aa13642 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml @@ -7,7 +7,7 @@ status: test description: Detects a service installed by a client which has PID 0 or whose parent has PID 0 references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html -author: Tim Rauch (Nextron Systems), Elastic +author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022/09/15 modified: 2023/01/04 tags: diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml index 3252a517846..a945fed5ca1 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml 
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml @@ -7,6 +7,8 @@ related: type: similar status: test description: Detects suspicious service installation commands +references: + - Internal Research author: pH-T (Nextron Systems), Florian Roth (Nextron Systems) date: 2022/03/18 modified: 2023/12/04 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml index ed85623e60d..940b6985013 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml @@ -2,6 +2,8 @@ title: Tap Driver Installation id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 status: test description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques +references: + - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 modified: 2022/12/25 @@ -18,5 +20,5 @@ detection: ImagePath|contains: 'tap0901' condition: selection falsepositives: - - Legitimate OpenVPN TAP insntallation + - Legitimate OpenVPN TAP installation level: medium diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml index fe1a752fdbb..91dbb0e65b8 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml 
@@ -1,4 +1,4 @@ -title: Uncommon Service Installation +title: Uncommon Service Installation Image Path id: 26481afe-db26-4228-b264-25a29fe6efc7 related: - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53 @@ -6,7 +6,10 @@ related: - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b type: derived status: test -description: Detects uncommon service installation commands +description: | + Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc. +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2022/03/18 modified: 2023/12/04 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml index 6a2d6728731..1300592fcac 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml @@ -3,8 +3,10 @@ id: 5e993621-67d4-488a-b9ae-b420d08b96cb status: test description: Detects service installation in suspicious folder appdata author: pH-T (Nextron Systems) +references: + - Internal Research date: 2022/03/18 -modified: 2022/10/12 +modified: 2024/01/18 tags: - attack.persistence - attack.privilege_escalation 
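Review bot: In win_system_susp_service_installation_folder.yml the new `references` block is inserted between `author` and `date`, whereas the other rules touched in this commit place it directly after `description`; the `references` added to file_event_win_tsclient_filewrite_startup.yml later in the diff has the same ordering. Moving the two lines above `author` keeps the key order consistent for diffing and for readers who expect the repository's layout.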
@@ -17,15 +19,14 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - selection_suspicious1: ImagePath|contains: - '\AppData\' - '\\\\127.0.0.1' - '\\\\localhost' - filter_zoom: + filter_optional_zoom: ServiceName: 'Zoom Sharing Service' - ImagePath|startswith: '"C:\Program Files\Common Files\Zoom\Support\CptService.exe' - condition: all of selection* and not 1 of filter* + ImagePath|contains: ':\Program Files\Common Files\Zoom\Support\CptService.exe' + condition: selection and not 1 of filter_optional_* falsepositives: - Unknown level: medium diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml index afa79606d67..410d9b36f6f 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml @@ -2,6 +2,8 @@ title: Service Installation with Suspicious Folder Pattern id: 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2 status: test description: Detects service installation with suspicious folder patterns +references: + - Internal Research author: pH-T (Nextron Systems) date: 2022/03/18 modified: 2022/03/24 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml index 316802e1d86..6785a6d392d 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml 
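Review bot: `filter_optional_zoom` in win_system_susp_service_installation_folder.yml moves from `ImagePath|startswith` to `ImagePath|contains: ':\Program Files\Common Files\Zoom\Support\CptService.exe'`, so the exclusion is no longer anchored to the executable position: an ImagePath under `\AppData\` that merely includes that Zoom path later in its command line is excluded too. The accompanying `ServiceName: 'Zoom Sharing Service'` condition limits the exposure but is a free-form value. If the drive letter was the only concern, keeping `|startswith` with the quoted and unquoted forms, or an anchored `ImagePath|re: '^"?[A-Za-z]:\\Program Files\\Common Files\\Zoom\\Support\\CptService\.exe'`, keeps drive flexibility without widening the exclusion.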
@@ -2,6 +2,8 @@ title: Suspicious Service Installation Script id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a status: test description: Detects suspicious service installation scripts +references: + - Internal Research author: pH-T (Nextron Systems) date: 2022/03/18 modified: 2022/11/18 diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml index b5e8b88903c..95cd96d8e1f 100644 --- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml +++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml @@ -6,7 +6,10 @@ related: - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog type: similar status: test -description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities +description: | + Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities +references: + - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/ author: frack113 date: 2023/01/13 modified: 2023/02/07 diff --git a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml index 2c7753343e0..2e285226b16 100644 --- a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml +++ b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml @@ -2,6 +2,8 @@ title: Driver Load From A Temporary Directory id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 status: test description: Detects a driver load from a temporary directory +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/02/12 modified: 2021/11/27 
diff --git a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml index 1cc4cb59301..08eaddcd086 100644 --- a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml +++ b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml @@ -7,7 +7,7 @@ status: test description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html -author: Tim Rauch (Nextron Systems) +author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022/09/27 tags: - attack.initial_access diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml index 2b80ce6553c..3e85e23c44f 100755 --- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml @@ -2,9 +2,12 @@ title: Prefetch File Deleted id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 status: test description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence +references: + - Internal Research + - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/ author: Cedric MAURUGEON date: 2021/09/29 -modified: 2023/02/15 +modified: 2024/01/25 tags: - attack.defense_evasion - attack.t1070.004 
@@ -13,14 +16,14 @@ logsource: category: file_delete detection: selection: - TargetFilename|startswith: 'C:\Windows\Prefetch\' + TargetFilename|contains: ':\Windows\Prefetch\' TargetFilename|endswith: '.pf' - filter: - Image: 'C:\windows\system32\svchost.exe' + filter_main_svchost: + Image|endswith: ':\windows\system32\svchost.exe' User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml index c55ae88bd35..1cca90ad550 100644 --- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml +++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml @@ -7,7 +7,7 @@ status: test description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html -author: Tim Rauch (Nextron Systems) +author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022/09/27 modified: 2023/02/15 tags: diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml index 983af1f6173..a425bd0fd24 100644 --- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml +++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml 
@@ -1,7 +1,10 @@ title: Files With System Process Name In Unsuspected Locations id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d status: test -description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc). +description: | + Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). +references: + - Internal Research author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2020/05/26 modified: 2023/11/10 diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml index 586c9307f4a..ab1167ac92c 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml @@ -28,7 +28,7 @@ references: - https://github.com/adrecon/AzureADRecon author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein date: 2018/04/07 -modified: 2023/04/17 +modified: 2024/01/25 tags: - attack.execution - attack.t1059.001 @@ -52,6 +52,7 @@ detection: - '\Copy-VSS.ps1' - '\Create-MultipleSessions.ps1' - '\DNS_TXT_Pwnage.ps1' + - '\dnscat2.ps1' - '\Do-Exfiltration.ps1' - '\DomainPasswordSpray.ps1' - '\Download_Execute.ps1' diff --git a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml index 27662b78307..7c28e374434 100755 --- a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml +++ b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml 
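Review bot: Adding `'\dnscat2.ps1'` to file_event_win_powershell_exploit_scripts.yml is one half of replacing the deprecated Dnscat Execution rule (a6d67db4-…, marked deprecated earlier in this commit "in favour of the more generic" rules); the other half is the `Start-Dnscat2` entries in the cmdlet rules. The deprecated rule's own detection block is not in view, so please confirm that every indicator it matched (other script names, cmdlets or command-line strings) is now covered by the generic rules, otherwise the deprecation silently loses coverage.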
@@ -3,6 +3,8 @@ id: 52753ea4-b3a0-4365-910d-36cff487b789 status: test description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder author: Samir Bousseaden +references: + - Internal Research date: 2019/02/21 modified: 2021/11/27 tags: diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml index 67a3c7e8897..091b8e453dd 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml @@ -25,8 +25,9 @@ references: - https://github.com/samratashok/nishang - https://github.com/DarkCoderSc/PowerRunAsSystem/ - https://github.com/besimorhino/powercat -author: frack113, Nasreddine Bencherchali +author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/01/23 +modified: 2024/01/25 tags: - attack.execution - attack.t1059.001 @@ -48,6 +49,7 @@ detection: - 'Copy-VSS.ps1' - 'Create-MultipleSessions.ps1' - 'DNS_TXT_Pwnage.ps1' + - 'dnscat2.ps1' - 'Do-Exfiltration.ps1' - 'DomainPasswordSpray.ps1' - 'Download_Execute.ps1' diff --git a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml index 7f38e48ff26..03375b4ec88 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml @@ -28,7 +28,7 @@ references: - https://github.com/adrecon/AzureADRecon author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/20 -modified: 2023/04/17 +modified: 2024/01/25 tags: - attack.execution - attack.discovery @@ -236,6 +236,7 @@ detection: - 'Set-Wallpaper' - 'Show-TargetScreen' - 'Start-CaptureServer' + - 'Start-Dnscat2' - 'Start-WebcamRecorder' - 'VolumeShadowCopyTools' condition: selection 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml index 1741a9b7982..ca747ba77c9 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml @@ -24,7 +24,6 @@ detection: filter_pwsh_archive: ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1' condition: selection and not 1 of filter_* - falsepositives: - Legitimate use remote PowerShell sessions level: high diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml index 66054fa1f2e..c9731f4b999 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml @@ -5,6 +5,9 @@ related: type: derived status: test description: Detects suspicious PowerShell download command +references: + - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0 + - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0 author: Florian Roth (Nextron Systems) date: 2017/03/05 modified: 2023/01/20 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 5b22d096c4e..9859cbf492a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml 
@@ -7,6 +7,8 @@ related: type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/03/12 modified: 2023/01/03 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index e3e58c6b491..1d4efbe0458 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml @@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific - PowerShell Module id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived + type: obsoletes - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 modified: 2023/01/05 diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml index 91ca9fc50ea..c09dd22f05f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml @@ -32,7 +32,7 @@ references: - https://github.com/adrecon/AzureADRecon author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer date: 2017/03/05 -modified: 2023/11/22 +modified: 2024/01/25 tags: - attack.execution - attack.discovery 
@@ -226,6 +226,7 @@ detection: - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner - 'Show-TargetScreen' - 'Start-CaptureServer' + - 'Start-Dnscat2' - 'Start-WebcamRecorder' - 'VolumeShadowCopyTools' # - 'Check-VM' diff --git a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml index a32f845fc79..bf32622be1a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml @@ -4,7 +4,7 @@ status: test description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. references: - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/28 tags: - attack.credential_access diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml index bf9d935aa02..9cfed3da8d1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml @@ -5,6 +5,9 @@ related: type: derived status: test description: Detects suspicious PowerShell download command +references: + - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0 + - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0 author: Florian Roth (Nextron Systems) date: 2017/03/05 modified: 2022/12/02 
@@ -21,7 +24,9 @@ detection: download: ScriptBlockText|contains: - '.DownloadFile(' + - '.DownloadFileAsync(' - '.DownloadString(' + - '.DownloadStringAsync(' condition: webclient and download falsepositives: - PowerShell scripts that download content from the Internet diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml index 72f1086106d..cc2a63ed517 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml @@ -7,6 +7,8 @@ related: type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/03/12 modified: 2023/01/03 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml index a1b66299621..34266d9b0d5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml @@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived + type: obsoletes - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 modified: 2023/01/05 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml index 8bf849c51d5..7d65f5d126f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml @@ -7,7 +7,7 @@ status: test description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions references: - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/16 modified: 2022/11/26 tags: diff --git a/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml b/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml index 437a479b6cd..d0416d6cb7c 100644 --- a/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml +++ b/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml @@ -2,6 +2,8 @@ title: Potential Shellcode Injection id: 250ae82f-736e-4844-a68b-0b5e8cc887da status: test description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject +references: + - https://github.com/EmpireProject/PSInject author: Bhabesh Raj date: 2022/03/11 modified: 2023/11/29 diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml index b18ef284479..00145c3f718 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml 
@@ -1,14 +1,18 @@
title: Monitoring For Persistence Via BITS
id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
status: test
-description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded
+description: |
+ BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
+ When the job runs on the system the command specified in the BITS job will be executed.
+ This can be abused by actors to create a backdoor within the system and for persistence.
+ It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
- https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
author: Sreeman
date: 2020/10/29
-modified: 2022/03/07
+modified: 2024/01/25
tags:
- attack.defense_evasion
- attack.t1197
@@ -16,24 +20,25 @@ logsource:
product: windows
category: process_creation
detection:
- selection_1:
- CommandLine|contains|all:
- - 'bitsadmin'
- - '/SetNotifyCmdLine'
+ selection_img:
+ - Image|endswith: '\bitsadmin.exe'
+ - OriginalFileName: 'bitsadmin.exe'
+ selection_cli_notify_1:
+ CommandLine|contains: '/SetNotifyCmdLine'
+ selection_cli_notify_2:
CommandLine|contains:
- '%COMSPEC%'
- 'cmd.exe'
- 'regsvr32.exe'
- selection_2:
- CommandLine|contains|all:
- - 'bitsadmin'
- - '/Addfile'
+ selection_cli_add_1:
+ CommandLine|contains: '/Addfile'
+ selection_cli_add_2:
CommandLine|contains:
- 'http:'
- 'https:'
- 'ftp:'
- 'ftps:'
- condition: 1 of selection_*
+ condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
index 4c6d3687d8e..f08878e392c 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects suspicious parent process for cmd.exe
references:
- https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
-author: Tim Rauch
+author: Tim Rauch, Elastic (idea)
date: 2022/09/21
modified: 2023/12/05
tags:
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
index cd0b375b769..562bbc76590 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
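Review bot: `selection_img and all of selection_cli_add_*` fires on every `bitsadmin /Addfile` whose command line carries an http/https/ftp URL, which is the utility's ordinary download use, so the add-branch matches legitimate BITS jobs on its own while `falsepositives` still says `- Unknown`. Either tie the add-branch to the notify-branch (the `/SetNotifyCmdLine` persistence the title and description describe) or document the expected noise, e.g. `- Legitimate BITS download jobs created via bitsadmin by administrators or software updaters`. The `description` should also be updated to say that the rule now requires the image or OriginalFileName to be bitsadmin.exe, since the old `'bitsadmin'` command-line match is gone.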
@@ -4,7 +4,7 @@ status: experimental description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity. references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/28 modified: 2023/03/29 tags: diff --git a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml index 1fb5aeb9362..09aef9696e4 100644 --- a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml @@ -4,7 +4,7 @@ status: test description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. references: - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/27 tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml index 0aa75b6341d..70b5088455a 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml 
@@ -2,6 +2,9 @@ title: DNS Exfiltration and Tunneling Tools Execution id: 98a96a5a-64a0-4c42-92c5-489da3866cb0 status: test description: Well-known DNS Exfiltration tools execution +references: + - https://github.com/iagox86/dnscat2 + - https://github.com/yarrick/iodine author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 modified: 2021/11/27 diff --git a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml index 2c3ec73f7b5..4c887aad820 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml @@ -4,7 +4,7 @@ status: test description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/27 modified: 2023/02/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml index f3dd1379ad3..fdb367ab377 100644 --- a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml +++ b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml 
@@ -1,11 +1,12 @@
-title: Fake Instance Of Hxtsr.exe
+title: Potential Fake Instance Of Hxtsr.EXE Executed
id: 4e762605-34a8-406d-b72e-c1a089313320
status: test
description: |
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
- Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe".
Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
+references:
+ - Internal Research
author: Sreeman
date: 2020/04/17
modified: 2023/02/21
@@ -16,12 +17,13 @@ logsource:
product: windows
category: process_creation
detection:
+ # TODO: Link this to the more generic system process rule
selection:
- Image: hxtsr.exe
- filter:
- CurrentDirectory|startswith: 'C:\program files\windowsapps\microsoft.windowscommunicationsapps_'
+ Image|endswith: '\hxtsr.exe'
+ filter_main_hxtsr:
+ CurrentDirectory|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
CurrentDirectory|endswith: '\hxtsr.exe'
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
index 24b8c18b15f..386622722df 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
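Review bot: `filter_main_hxtsr` still ANDs the unchanged `CurrentDirectory|endswith: '\hxtsr.exe'` with the new `CurrentDirectory|contains`, and a working directory normally ends in a folder, not in the executable name, so the filter likely never matches and the rule would fire on every legitimate HxTsr.exe launch from WindowsApps. Unless CurrentDirectory is expected to carry the image name in this data source (I can't confirm that from the hunk), that line presumably belongs on the image instead, e.g. `Image|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'` as the sole filter key. The added `# TODO` comment should name the generic rule it refers to so the link can actually be made later.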
@@ -6,7 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ -author: Tim Rauch, Janantha Marasinghe +author: Tim Rauch, Janantha Marasinghe, Elastic (original idea) date: 2022/11/08 modified: 2023/01/22 tags: diff --git a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml index 257b4e90bbe..2d7cff58fd4 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml @@ -4,7 +4,7 @@ status: test description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/28 modified: 2022/12/30 tags: diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml index 299f7a56a84..76637ef15c9 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml 
@@ -5,9 +5,11 @@ related: type: similar status: experimental description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) +references: + - https://www.lunasec.io/docs/blog/log4j-zero-day/ author: Andreas Hunkeler (@Karneades), Florian Roth date: 2021/12/17 -modified: 2023/11/09 +modified: 2024/01/18 tags: - attack.initial_access - attack.persistence @@ -20,7 +22,6 @@ detection: ParentImage|endswith: '\java.exe' Image|endswith: - '\AppVLP.exe' - - '\bash.exe' - '\bitsadmin.exe' - '\certutil.exe' - '\cscript.exe' diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml index 0255a32e2f2..70e02fb6726 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml @@ -5,9 +5,11 @@ related: type: similar status: test description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) +references: + - https://www.lunasec.io/docs/blog/log4j-zero-day/ author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali date: 2021/12/17 -modified: 2023/11/09 +modified: 2024/01/18 tags: - attack.initial_access - attack.persistence @@ -19,6 +21,7 @@ detection: selection: ParentImage|endswith: '\java.exe' Image|endswith: + - '\bash.exe' - '\cmd.exe' - '\powershell.exe' - '\pwsh.exe' diff --git a/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml b/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml deleted file mode 100644 index 354cc6c765a..00000000000 --- a/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: WScript or CScript Dropper -id: cea72823-df4d-4567-950c-0b579eaf0846 -status: test -description: Detects wscript/cscript executions of scripts located in user directories -author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community -date: 2019/01/16 -modified: 2021/11/27 -tags: - - attack.execution - - attack.t1059.005 - - attack.t1059.007 -logsource: - category: process_creation - product: windows -detection: - selection1: - Image|endswith: - - '\wscript.exe' - - '\cscript.exe' - CommandLine|contains: - - 'C:\Users\' - - 'C:\ProgramData\' - selection2: - CommandLine|contains: - - '.jse' - - '.vbe' - - '.js' - - '.vba' - - '.vbs' - falsepositive: - ParentImage|contains: '\winzip' - condition: selection1 and selection2 and not falsepositive -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Winzip - - Other self-extractors -level: high diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml index 4114b891d66..384920f5e15 100644 --- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml @@ -5,6 +5,8 @@ related: type: obsoletes status: experimental description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. +references: + - Internal Research author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2023/05/04 diff --git a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml index fd74e1d76d6..9c77946d9d1 100644 --- a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml 
@@ -4,7 +4,9 @@ related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 type: obsoletes status: test -description: Detects the stopping of a Windows service +description: Detects the stopping of a Windows service via the "net" utility. +references: + - https://ss64.com/nt/net-service.html author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/03/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml index be17b11b8bb..28f64366897 100644 --- a/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml +++ b/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml @@ -1,8 +1,10 @@ -title: Execution in Outlook Temp Folder +title: Suspicious Execution From Outlook Temporary Folder id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 status: test description: Detects a suspicious program execution in Outlook temp folder author: Florian Roth (Nextron Systems) +references: + - Internal Research date: 2019/10/01 modified: 2022/10/09 tags: @@ -15,9 +17,6 @@ detection: selection: Image|contains: '\Temporary Internet Files\Content.Outlook\' condition: selection -fields: - - CommandLine - - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml index 10827a72545..422a3938975 100644 --- a/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml +++ b/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml @@ -1,4 +1,4 @@ -title: Potential RDP Tunneling Via SSH Plink +title: Potential RDP Tunneling Via Plink id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da related: - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe 
@@ -29,5 +29,5 @@ detection: - ' -P 22' condition: selection_a or all of selection_b* falsepositives: - - Administrative activity + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml index 2440573e39c..272d5d7d11c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml @@ -7,7 +7,7 @@ status: test description: Detects attempts to disable the Windows Firewall using PowerShell references: - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/14 modified: 2023/02/13 tags: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml index 12631131eca..195b3b0ea7f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml @@ -5,6 +5,10 @@ related: type: derived status: test description: Detects a Powershell process that contains download commands in its command line string +references: + - https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html + - https://lab52.io/blog/winter-vivern-all-summer/ + - https://hatching.io/blog/powershell-analysis/ author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro date: 2019/01/16 modified: 2023/01/26 @@ -31,9 +35,6 @@ detection: - 'string(' - 'file(' condition: all of selection_* -fields: - - CommandLine - - ParentCommandLine falsepositives: - Unknown level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml index 3a676d2ea52..8d71f2ac77f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml @@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific - ProcessCreation id: 536e2947-3729-478c-9903-745aaffe60d2 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived + type: obsoletes - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 type: similar - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml index be865cd0bfb..0c74b947205 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml @@ -28,7 +28,7 @@ references: - https://github.com/adrecon/AzureADRecon author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/02 -modified: 2023/04/17 +modified: 2024/01/25 tags: - attack.execution - attack.discovery @@ -235,6 +235,7 @@ detection: - 'Set-Wallpaper' - 'Show-TargetScreen' - 'Start-CaptureServer' + - 'Start-Dnscat2' - 'Start-WebcamRecorder' - 'VolumeShadowCopyTools' condition: selection diff --git a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml index b045fe33b59..0685e8675cb 100644 
--- a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml @@ -10,7 +10,7 @@ description: Detects deletion of Windows Volume Shadow Copies with PowerShell co references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/20 modified: 2022/12/30 tags: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml index 0ffc735fa49..5653001de63 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml @@ -4,7 +4,9 @@ related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 type: obsoletes status: test -description: Detects the stopping of a Windows service +description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service" +references: + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/03/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml index ceb02dd82b2..1ecfad9f274 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml 
@@ -1,10 +1,14 @@
title: Write Protect For Storage Disabled
id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
status: test
-description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+description: |
+ Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
+ This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+references:
+ - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
author: Sreeman
date: 2021/06/11
-modified: 2023/12/15
+modified: 2024/01/18
tags:
- attack.defense_evasion
- attack.t1562
@@ -17,9 +21,7 @@ detection:
- '\System\CurrentControlSet\Control'
- 'Write Protection'
- '0'
- CommandLine|contains:
- 'storage'
- - 'storagedevicepolicies'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
index c843dc5037a..021b959aea8 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
@@ -4,9 +4,12 @@ related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
type: obsoletes
status: test
-description: Detects the stopping of a Windows service
+description: Detects the stopping of a Windows service via the "sc.exe" utility
+references:
+ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/03/05
+modified: 2024/01/18
tags:
- attack.impact
- attack.t1489
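Review bot: In the second hunk the `- 'storage'` entry survives as context after its `CommandLine|contains:` parent is removed, so it is now folded into the preceding `|all` list; that is equivalent to the old "all of the registry strings AND one of storage/storagedevicepolicies" only if the entry sits at the same indentation as `- '0'`, which the collapsed hunk does not let me verify. A one-line comment above it, `# 'storage' also covers 'storagedevicepolicies'`, would make the merge intentional for the next reader. The detection block's first lines are outside the hunk.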
@@ -19,14 +22,7 @@ detection:
- Image|endswith: '\sc.exe'
selection_cli:
CommandLine|contains: ' stop '
- filter_kaspersky:
- CommandLine:
- - 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop
- - 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service
- User|contains: # covers many language settings
- - 'AUTHORI'
- - 'AUTORI'
- condition: all of selection_* and not 1 of filter_*
+ condition: all of selection_*
falsepositives:
- - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
+ - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
level: low
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
index 14c91908c3e..34f3bcc072c 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
@@ -1,10 +1,12 @@
-title: Scheduled Task Creation
+title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
-description: Detects the creation of scheduled tasks in user session
+description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
+references:
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019/01/16
-modified: 2022/10/09
+modified: 2024/01/18
tags:
- attack.execution
- attack.persistence
@@ -20,14 +22,11 @@ detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains: ' /create '
- filter:
+ filter_main_system_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
+ condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative activity
- Software installation
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
index aede5ee403a..1a707053986 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
@@ -22,5 +22,5 @@ detection:
CommandLine|contains: ':3389'
condition: selection
falsepositives:
- - Administrative activity
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
index 4f2e2ab79b3..a5fce186694 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
@@ -7,7 +7,7 @@ status: test
description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
references:
- https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
-author: Tim Rauch
+author: Tim Rauch, Elastic (idea)
date: 2022/09/27
modified: 2022/12/30
tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml b/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
index bb098e72896..b02f0a5e640 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
@@ -4,7 +4,7 @@ status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
- https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
-author: Tim Rauch
+author: Tim Rauch, Elastic (idea)
date: 2022/09/27
tags:
- attack.lateral_movement
diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
similarity index 75%
rename from rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
rename to rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
index 218f4e89859..7534759ac0d 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
@@ -1,14 +1,15 @@
-title: Sensitive Registry Access via Volume Shadow Copy
+title: Sensitive File Access Via Volume Shadow Copy Backup
id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
status: test
-description: Detects a command that accesses password storing registry hives via volume shadow backups
+description: |
+ Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021/08/09
-modified: 2022/09/09
+modified: 2024/01/18
tags:
- attack.impact
- attack.t1490
@@ -25,8 +26,7 @@ detection:
- '\\NTDS.dit'
- '\\SYSTEM'
- '\\SECURITY'
- 'C:\\tmp\\log'
- condition: all of selection*
+ condition: all of selection_*
falsepositives:
- - Some rare backup scenarios
+ - Unlikely
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
index 44107852eaa..7de9c1c0581 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
@@ -2,6 +2,8 @@ title: Uncommon Svchost Parent Process
id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
status: test
description: Detects an uncommon svchost parent process
+references:
+ - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017/08/15
modified: 2022/06/28
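Review bot: The rule is re-scoped from Conti-specific hive access to generic sensitive file access (SAM/SECURITY hives and `ntds.dit`, per the new title and description), yet the tags closing the hunk still carry only `attack.impact` / `attack.t1490` (Inhibit System Recovery), which describe shadow-copy deletion rather than reading credential material out of a shadow copy. Adding `- attack.credential_access`, `- attack.t1003.002` and `- attack.t1003.003` next to the existing entries would make the ATT&CK mapping match what the rule now claims to detect. If `attack.t1490` is kept deliberately, a one-line comment on it saying why would stop the next reader from "fixing" it.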
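Review bot: Changing `condition: all of selection*` to `all of selection_*` is a semantic change, not only a naming cleanup: any selection still named plain `selection`, or any name without the underscore, silently drops out of the AND and the rule becomes looser. The detection block starts above this hunk, so the selection identifiers are not visible here; please confirm every selection in the new file carries the `selection_` prefix, or keep the wildcard as it was.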
diff --git a/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml b/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
index 77a18b175e3..df3f962ad5b 100644
--- a/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
@@ -2,6 +2,8 @@ title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
+references:
+ - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2023/12/11
@@ -24,5 +26,5 @@ detection:
Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- - Legitimate OpenVPN TAP insntallation
+ - Legitimate OpenVPN TAP installation
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
index df99d755c94..a7826d46ad0 100644
--- a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
@@ -2,6 +2,8 @@ title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
+references:
+ - Internal Research
author: Florian Roth (Nextron Systems)
date: 2018/03/18
modified: 2022/05/27
diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
index c87d37ee90f..a947261665c 100644
--- a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
@@ -1,10 +1,12 @@
-title: Taskmgr as Parent
+title: New Process Created Via Taskmgr.EXE
id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
status: test
-description: Detects the creation of a process from Windows task manager
+description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
+references:
+ - https://twitter.com/ReneFreingruber/status/1172244989335810049
author: Florian Roth (Nextron Systems)
date: 2018/03/13
-modified: 2021/11/27
+modified: 2024/01/18
tags:
- attack.defense_evasion
- attack.t1036
@@ -14,16 +16,12 @@ logsource:
detection:
selection:
ParentImage|endswith: '\taskmgr.exe'
- filter:
+ filter_main_generic:
Image|endswith:
- - '\resmon.exe'
- - '\mmc.exe'
- - '\taskmgr.exe'
- condition: selection and not filter
-fields:
- - Image
- - CommandLine
- - ParentCommandLine
+ - ':\Windows\System32\mmc.exe'
+ - ':\Windows\System32\resmon.exe'
+ - ':\Windows\System32\Taskmgr.exe'
+ condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative activity
level: low
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
index 369b65dca3f..f0b0f5ce4cb 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
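Review bot: The new description reframes this rule as a potential UAC bypass, but the tags closing the first hunk are still `attack.defense_evasion` / `attack.t1036` (Masquerading), which do not describe what the title and description now say the rule is for. `attack.t1548.002` (Abuse Elevation Control Mechanism: Bypass User Account Control), typically paired with `attack.privilege_escalation`, is the matching technique; add it as `- attack.privilege_escalation` / `- attack.t1548.002`, and either drop t1036 or leave a short comment on it explaining why it stays. The second hunk's move to full `:\Windows\System32\` paths in `filter_main_generic` is a real tightening and needs no change.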
@@ -4,7 +4,7 @@ status: test
description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
references:
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
-author: Tim Rauch
+author: Tim Rauch, Elastic (idea)
date: 2022/09/27
tags:
- attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index 5194cf3f3a6..7934fc77b9d 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -4,7 +4,7 @@ status: test
description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
references:
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Elastic (idea)
date: 2022/09/13
modified: 2022/09/27
tags:
diff --git a/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml
index 9bb200110a8..67f29fe1ee0 100644
--- a/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml
@@ -3,6 +3,8 @@ id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes including shells spawnd from WinRM host process
author: Andreas Hunkeler (@Karneades), Markus Neis
+references:
+ - Internal Research
date: 2021/05/20
modified: 2022/07/14
tags:
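Review bot: In the WinRM hunk the new `references:` block is inserted after `author:` (giving the order `author`, `references`, `date`), whereas every other rule touched in this commit places `references:` between `description:` and `author:`. Moving the two added lines above `author: Andreas Hunkeler (@Karneades), Markus Neis` keeps the field order uniform for tooling that lints or diffs rule structure. While the file is open, `spawnd` in the description context line is a typo for `spawned`.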
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
new file mode 100644
index 00000000000..6a1be6e4f93
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
@@ -0,0 +1,44 @@
+title: Potential Dropper Script Execution Via WScript/CScript
+id: cea72823-df4d-4567-950c-0b579eaf0846
+related:
+ - id: 1e33157c-53b1-41ad-bbcc-780b80b58288
+ type: similar
+status: deprecated
+description: Detects wscript/cscript executions of scripts located in user directories
+references:
+ - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+ - https://redcanary.com/blog/gootloader/
+author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+date: 2019/01/16
+modified: 2024/01/18
+tags:
+ - attack.execution
+ - attack.t1059.005
+ - attack.t1059.007
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_exec:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ selection_paths:
+ CommandLine|contains:
+ - ':\Temp\'
+ - ':\Tmp\'
+ - ':\Users\Public\'
+ - ':\Windows\Temp\'
+ - '\AppData\Local\Temp\'
+ selection_ext:
+ CommandLine|contains:
+ - '.js'
+ - '.jse'
+ - '.vba'
+ - '.vbe'
+ - '.vbs'
+ - '.wsf'
+ condition: all of selection_*
+falsepositives:
+ - Some installers might generate a similar behavior. An initial baseline is required
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
index 10be020863a..e790dde4544 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
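Review bot: `status: deprecated` on a brand-new file under `rules/windows/process_creation/` looks wrong: a deprecated rule is not something a commit adds as live detection content, and the `modified: 2024/01/18` date together with `related: type: similar` pointing at `1e33157c-53b1-41ad-bbcc-780b80b58288` suggest this is a reworked active rule rather than a retired one. It should most likely read `status: test` (or `experimental` if the rework is unvalidated), or else the file belongs in the deprecated tree instead of `rules/`. Separately, `selection_ext` matches on `CommandLine|contains: '.js'`, which also fires on any argument containing `.json` or similar substrings; if only script extensions are intended, the entry needs an anchored form or a note in falsepositives explaining the broader match.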
@@ -2,6 +2,8 @@ title: Cscript/Wscript Uncommon Script Extension Execution
id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
status: experimental
description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
+references:
+ - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
modified: 2023/06/19
diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
index 797e4361a2d..f49f503e833 100644
--- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
@@ -2,6 +2,10 @@ title: WMI Event Subscription
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: test
description: Detects creation of WMI event subscription persistence method
+references:
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
modified: 2021/11/27
diff --git a/tests/thor.yml b/tests/thor.yml
index 7d2d2831e4c..3665d602d78 100644
--- a/tests/thor.yml
+++ b/tests/thor.yml
@@ -548,6 +548,11 @@ logsources:
service: hyper-v-worker
sources:
- 'WinEventLog:Microsoft-Windows-Hyper-V-Worker'
+ windows-kernel-event-tracing:
+ product: windows
+ service: kernel-event-tracing
+ sources:
+ - 'WinEventLog:Microsoft-Windows-Kernel-EventTracing'
apache:
category: webserver
sources: