From 83266fb09e0e9ad1445c59d9e8797c834889d599 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 9 Nov 2023 14:55:46 +0100
Subject: [PATCH 1/6] fix: fp first batch

---
 .../win_security_scheduled_task_deletion.yml | 1 +
 ...file_event_win_scheduled_task_creation.yml | 1 +
 .../image_load_dll_system_drawing_load.yml | 1 +
 ...registry_event_scheduled_task_creation.yml | 3 +-
 .../security/win_security_iso_mount.yml | 13 +--
 ...ad_wmi_module_load_by_uncommon_process.yml | 36 ++------
 .../proc_access_win_invoke_patchingapi.yml | 85 +++++++++----------
 7 files changed, 60 insertions(+), 80 deletions(-)
 rename {rules => rules-threat-hunting}/windows/builtin/security/win_security_scheduled_task_deletion.yml (98%)
 rename {rules => rules-threat-hunting}/windows/file/file_event/file_event_win_scheduled_task_creation.yml (96%)
 rename {rules => rules-threat-hunting}/windows/image_load/image_load_dll_system_drawing_load.yml (97%)
 rename {rules => rules-threat-hunting}/windows/registry/registry_event/registry_event_scheduled_task_creation.yml (91%)

diff --git a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
similarity index 98%
rename from rules/windows/builtin/security/win_security_scheduled_task_deletion.yml
rename to rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
index 4a48af5b0b6..117a4da6568 100644
--- a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml
+++ b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
@@ -13,6 +13,7 @@ tags:
 - attack.privilege_escalation
 - car.2013-08-001
 - attack.t1053.005
+ - detection.threat_hunting
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml
similarity index 96%
rename from rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml
rename to rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml
index dbcd9f762fe..5b6c2358a20 100644
--- a/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml
@@ -14,6 +14,7 @@ tags:
 - attack.t1053.005
 - attack.s0111
 - car.2013-08-001
+ - detection.threat_hunting
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/image_load/image_load_dll_system_drawing_load.yml b/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml
similarity index 97%
rename from rules/windows/image_load/image_load_dll_system_drawing_load.yml
rename to rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml
index 51324c3207b..6aa25115889 100644
--- a/rules/windows/image_load/image_load_dll_system_drawing_load.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml
@@ -11,6 +11,7 @@ modified: 2023/02/22
 tags:
 - attack.collection
 - attack.t1113
+ - detection.threat_hunting
 logsource:
 product: windows
 category: image_load
diff --git a/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
similarity index 91%
rename from rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
rename to rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
index f8a92e67956..116f3ab882f 100644
--- a/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
+++ b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
@@ -14,6 +14,7 @@ tags:
 - attack.s0111
 - attack.t1053.005
 - car.2013-08-001
+ - detection.threat_hunting
 logsource:
 product: windows
 category: registry_event
@@ -24,5 +25,5 @@ detection:
 - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
 condition: selection
 falsepositives:
- - Normal behaviour on Windows
+ - Likely as this is a normal behaviour on Windows
 level: low
diff --git a/rules/windows/builtin/security/win_security_iso_mount.yml b/rules/windows/builtin/security/win_security_iso_mount.yml
index 7ee0b2dacc3..1d18f72da16 100644
--- a/rules/windows/builtin/security/win_security_iso_mount.yml
+++ b/rules/windows/builtin/security/win_security_iso_mount.yml
@@ -1,7 +1,7 @@
-title: ISO Image Mount
+title: ISO Image Mounted
 id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
 status: test
-description: Detects the mount of ISO images on an endpoint
+description: Detects the mount of an ISO image on an endpoint
 references:
 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
 - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 author: Syed Hasan (@syedhasan009)
 date: 2021/05/29
-modified: 2022/10/05
+modified: 2023/11/09
 tags:
 - attack.initial_access
 - attack.t1566.001
@@ -23,8 +23,11 @@ detection:
 ObjectServer: 'Security'
 ObjectType: 'File'
 ObjectName|startswith: '\Device\CdRom'
- filter:
- ObjectName: '\Device\CdRom0\setup.exe'
+ filter_main_generic:
+ ObjectName:
+ - '\Device\CdRom0\autorun.ico'
+ - '\Device\CdRom0\setup.exe'
+ - '\Device\CdRom0\setup64.exe'
 condition: selection and not filter
 falsepositives:
 - Software installation ISO files
diff --git a/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml b/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml
index a1a6777d29b..b46db700f3c 100644
--- a/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml
+++ b/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml
@@ -6,7 +6,7 @@ references:
 - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/10
-modified: 2023/08/08
+modified: 2023/11/07
 tags:
 - attack.execution
 - attack.t1047
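Review bot: The renamed block `filter_main_generic` is no longer referenced by `condition: selection and not filter`, which still names the old `filter`, so as committed the rule does not compile; 2/6 in this series corrects the condition. Separately, the exclusions are exact `ObjectName` values under `\Device\CdRom0\` only, so a mount that lands on another device number still passes `ObjectName|startswith: '\Device\CdRom'` and is reported, and because the exclusion is by file name alone it suppresses any image that happens to ship those three names. A comment on the filter recording both limits, e.g. `# Note: exact-path exclusion on CdRom0 only; name-based, so not a trust signal`, would help whoever tunes this next. The `selection` block starts above the hunk.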
@@ -25,41 +25,15 @@ detection:
 - '\WMINet_Utils.dll'
 - '\wmiprov.dll'
 - '\wmiutils.dll'
- filter_optional_generic:
+ filter_main_generic:
 Image|contains:
 - ':\Microsoft\Teams\current\Teams.exe'
 - ':\Microsoft\Teams\Update.exe'
 - ':\Windows\\explorer.exe'
 - ':\Windows\Sysmon.exe'
 - ':\Windows\Sysmon64.exe'
- - ':\Windows\System32\CompatTelRunner.exe'
- - ':\Windows\System32\DeviceCensus.exe'
- - ':\Windows\System32\dfsrs.exe'
- - ':\Windows\System32\dispdiag.exe'
- - ':\Windows\System32\dxdiag.exe'
- - ':\Windows\System32\gpresult.exe'
- - ':\Windows\System32\logman.exe'
- - ':\Windows\System32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
- - ':\Windows\System32\sdiagnhost.exe'
- - ':\Windows\System32\SecurityHealthService.exe'
- - ':\Windows\System32\ServerManager.exe'
- - ':\Windows\System32\SIHClient.exe'
- - ':\Windows\System32\svchost.exe'
- - ':\Windows\System32\systeminfo.exe'
- - ':\Windows\System32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
- - ':\Windows\System32\tasklist.exe'
- - ':\Windows\System32\vds.exe'
- - ':\Windows\System32\wbem\unsecapp.exe'
- - ':\Windows\System32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871
- - ':\Windows\System32\wbem\WmiApSrv.exe'
- - ':\Windows\System32\wbem\WMIC.exe'
- - ':\Windows\System32\wbem\WmiPrvSE.exe'
- - ':\Windows\SysWOW64\explorer.exe'
- - ':\Windows\SysWOW64\logman.exe'
- - ':\Windows\SysWOW64\sdiagnhost.exe'
- - ':\Windows\SysWOW64\svchost.exe'
- - ':\Windows\SysWOW64\systeminfo.exe'
- - ':\Windows\SysWOW64\wbem\WmiPrvSE.exe'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
 filter_optional_other:
 Image|endswith:
 - '\WindowsAzureGuestAgent.exe'
@@ -79,7 +53,7 @@ detection:
 Image|contains:
 - ':\Program Files\'
 - ':\Program Files (x86)\'
- condition: selection and not 1 of filter_optional_*
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: low
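Review bot: The two new `filter_main_generic` entries `':\Windows\System32\'` and `':\Windows\SysWOW64\'` are `Image|contains` matches, so they exclude every image anywhere beneath those trees rather than the 28 named binaries the old list enumerated, including the `wbem\WMIC.exe`-style utilities a rule titled "by uncommon process" previously tracked one by one. `contains` is also not anchored at the drive root, so any path embedding that substring further down qualifies as well. If the blanket exclusion is intended, a comment on those two lines such as `# Note: excludes all of System32/SysWOW64; WMI loads by OS binaries are out of scope here` would keep the next reader from re-adding the list. The `selection` this filter applies to starts above the hunk.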
diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
index 4f6fa422e58..b853faf8e5b 100644
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
 author: frack113
 date: 2023/01/07
-modified: 2023/01/25
+modified: 2023/11/09
 tags:
 - attack.defense_evasion
 - attack.t1562.002
@@ -20,59 +20,58 @@ detection:
 CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
 CallTrace|contains: '|UNKNOWN('
 CallTrace|endswith: ')'
- filter_generic:
+ filter_main_generic:
 # To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights
- - SourceImage|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- - TargetImage|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- filter_thor:
- SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
- SourceImage|endswith: '\thor64.exe'
- filter_githubdesktop:
- SourceImage|startswith: 'C:\Users\'
- SourceImage|contains: '\AppData\Local\GitHubDesktop\app-'
+ - SourceImage|contains:
+ - ':\Program Files\'
+ - ':\Program Files (x86)\'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ - TargetImage|contains:
+ - ':\Program Files\'
+ - ':\Program Files (x86)\'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ filter_optional_thor:
+ SourceImage|endswith:
+ - '\thor.exe'
+ - '\thor64.exe'
+ filter_optional_githubdesktop:
+ SourceImage|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\GitHubDesktop\app-'
 SourceImage|endswith:
 - '\GitHubDesktop.exe'
 - '\resources\app\git\usr\bin\sh.exe'
- TargetImage|startswith: 'C:\Users\'
- TargetImage|contains: '\AppData\Local\GitHubDesktop\app-'
- filter_dotnet:
- SourceImage|startswith:
- - 'C:\Windows\Microsoft.NET\Framework\v'
- - 'C:\Windows\Microsoft.NET\Framework64\v'
+ TargetImage|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\GitHubDesktop\app-'
+ filter_main_dotnet:
+ SourceImage|contains:
+ - ':\Windows\Microsoft.NET\Framework\v'
+ - ':\Windows\Microsoft.NET\Framework64\v'
 SourceImage|endswith: '\NGenTask.exe'
- TargetImage|startswith:
- - 'C:\Windows\Microsoft.NET\Framework\v'
- - 'C:\Windows\Microsoft.NET\Framework64\v'
- filter_taskhost:
- SourceImage:
- - 'C:\WINDOWS\system32\taskhostw.exe'
- - 'C:\Windows\system32\taskhost.exe'
- TargetImage|startswith:
- - 'C:\Windows\Microsoft.NET\Framework\v'
- - 'C:\Windows\Microsoft.NET\Framework64\v'
+ TargetImage|contains:
+ - ':\Windows\Microsoft.NET\Framework\v'
+ - ':\Windows\Microsoft.NET\Framework64\v'
+ filter_main_taskhost:
+ SourceImage|contains:
+ - ':\WINDOWS\system32\taskhostw.exe'
+ - ':\Windows\system32\taskhost.exe'
+ TargetImage|contains:
+ - ':\Windows\Microsoft.NET\Framework\v'
+ - ':\Windows\Microsoft.NET\Framework64\v'
 TargetImage|endswith: '\NGenTask.exe'
- filter_teams_to_update:
- SourceImage|startswith: 'C:\Users\'
+ filter_optional_teams_to_update:
 SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
- TargetImage|startswith: 'C:\Users\'
 TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
- filter_teams_update_regsvr32:
- SourceImage|startswith: 'C:\Users\'
+ filter_optional_teams_update_regsvr32:
 SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
- TargetImage: 'C:\WINDOWS\SysWOW64\regsvr32.exe'
- filter_teams_update_to_teams:
- SourceImage|startswith: 'C:\Users\'
+ TargetImage|endswith: ':\WINDOWS\SysWOW64\regsvr32.exe'
+ filter_optional_teams_update_to_teams:
 SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
 TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: medium

From 44854c3dd2eb4b878aae5dd8fb22e8442e6d0e49 Mon Sep 17 00:00:00 2001
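Review bot: `filter_optional_thor` keeps only `SourceImage|endswith` on `\thor.exe` and `\thor64.exe` and drops the old `SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'` anchor, so the exclusion is now by process name alone from any location; the three Teams filters lost their `C:\Users\` prefix the same way and rely on `endswith` only. Since these are `optional` filters that may be acceptable, but a name-only allowlist in a rule about patching APIs deserves a comment so tuners can re-tighten it, e.g. `# Note: name-based exclusion; pair with the expected install path if feasible`. The `selection` block this hunk modifies starts above it.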
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Fri, 10 Nov 2023 14:53:52 +0100
Subject: [PATCH 2/6] feat: more updates

---
 .../create_remote_thread_win_powershell_generic.yml | 5 +++--
 .../builtin/security/win_security_iso_mount.yml | 2 +-
 ...te_remote_thread_win_powershell_susp_targets.yml | 13 ++++++++-----
 3 files changed, 12 insertions(+), 8 deletions(-)
 rename {rules => rules-threat-hunting}/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml (85%)

diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
similarity index 85%
rename from rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
rename to rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
index 5842c2f075d..fcf85a765e5 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
@@ -9,10 +9,11 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community
 date: 2020/10/06
-modified: 2023/03/28
+modified: 2023/11/10
 tags:
 - attack.execution
 - attack.t1059.001
+ - detection.threat_hunting
 logsource:
 product: windows
 category: create_remote_thread
@@ -22,7 +23,7 @@ detection:
 - '\powershell.exe'
 - '\pwsh.exe'
 filter_main_compattelrunner:
- SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
+ SourceParentImag|endswith: ':\Windows\System32\CompatTelRunner.exe'
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_security_iso_mount.yml b/rules/windows/builtin/security/win_security_iso_mount.yml
index 1d18f72da16..488a5ebcf6d 100644
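Review bot: The new field name `SourceParentImag|endswith` in `filter_main_compattelrunner` is missing its trailing `e`, so the filter references a field that does not exist and never suppresses the CompatTelRunner parent it is meant to exclude; the line should read `SourceParentImage|endswith: ':\Windows\System32\CompatTelRunner.exe'`. 3/6 in this series makes that correction; a field-name check in rule CI would have caught it at this commit.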
--- a/rules/windows/builtin/security/win_security_iso_mount.yml
+++ b/rules/windows/builtin/security/win_security_iso_mount.yml
@@ -28,7 +28,7 @@ detection:
 - '\Device\CdRom0\autorun.ico'
 - '\Device\CdRom0\setup.exe'
 - '\Device\CdRom0\setup64.exe'
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Software installation ISO files
 level: medium
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
index 0bf11257941..011535aa405 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
@@ -1,15 +1,15 @@
-title: Remote Thread Creation Via PowerShell In Rundll32
+title: Remote Thread Creation Via PowerShell In Potentially Suspicious Target
 id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 related:
 - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 type: similar
 status: experimental
-description: Detects the creation of a remote thread from a Powershell process in a rundll32 process
+description: Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process
 references:
 - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
 author: Florian Roth (Nextron Systems)
 date: 2018/06/25
-modified: 2023/03/28
+modified: 2023/11/10
 tags:
 - attack.defense_evasion
 - attack.execution
@@ -23,8 +23,11 @@ detection:
 SourceImage|endswith:
 - '\powershell.exe'
 - '\pwsh.exe'
- TargetImage|endswith: '\rundll32.exe'
+ TargetImage|endswith:
+ # Note: Please add additonal potential interesting targets to increase coverage
+ - '\rundll32.exe'
+ - '\regsvr32.exe'
 condition: selection
 falsepositives:
 - Unknown
-level: high
+level: medium
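Review bot: The added inline comment in the `TargetImage|endswith` list has a typo, `additonal`, and is phrased as an instruction to contributors inside the detection block; `# Note: extend this list with additional potentially interesting target processes to increase coverage` reads more clearly. With the title and description now generic and the level lowered from `high` to `medium`, the `falsepositives` entry still says `Unknown`; stating the reason for the downgrade (the broader regsvr32 target) would document the trade-off for tuners.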
From 581e3247e00bbaec253e7c841cf41723b377df6a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 10 Nov 2023 16:52:04 +0100
Subject: [PATCH 3/6] fix: more fp fixing

---
 .../proc_creation_win_malware_notpetya.yml | 9 +++----
 ...e_remote_thread_win_powershell_generic.yml | 2 +-
 .../file_event_win_creation_system_file.yml | 5 ++--
 ...reation_win_gpg4win_portable_execution.yml | 6 +++--
 ...n_susp_bad_opsec_sacrificial_processes.yml | 25 ++++++++-----------
 ...tion_win_wmiprvse_susp_child_processes.yml | 11 +++++---
 6 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
index 6a6b45099a5..f4596170e37 100644
--- a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
+++ b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
@@ -20,11 +20,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_pattern:
+ selection_specific_pattern:
 CommandLine|contains:
 - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
 - 'dllhost.dat %WINDIR%\ransoms'
- selection_rundll32_dash1:
+ selection_rundll32:
 Image|endswith: '\rundll32.exe'
 CommandLine|endswith:
 - '.dat,#1'
@@ -32,10 +32,7 @@ detection:
 - '.zip.dll",#1'
 selection_perfc_keyword:
 - '\perfc.dat'
- condition: 1 of selection*
-fields:
- - CommandLine
- - ParentCommandLine
+ condition: 1 of selection_*
 falsepositives:
 - Unknown
 level: critical
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
index fcf85a765e5..e147ca2d5ad 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
@@ -23,7 +23,7 @@ detection:
 - '\powershell.exe'
 - '\pwsh.exe'
 filter_main_compattelrunner:
- SourceParentImag|endswith: ':\Windows\System32\CompatTelRunner.exe'
+ SourceParentImage|endswith: ':\Windows\System32\CompatTelRunner.exe'
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index 302977a20c4..983af1f6173 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/05/26
-modified: 2023/10/18
+modified: 2023/11/10
 tags:
 - attack.defense_evasion
 - attack.t1036.005
@@ -123,7 +123,8 @@ detection:
 TargetFilename|endswith: '\SecurityHealthSystray.exe'
 Image|endswith: '\SecurityHealthSetup.exe'
 filter_main_wuaucltcore:
- Image|endswith: ':\Windows\uus\AMD64\wuaucltcore.exe'
+ Image|contains: ':\Windows\uus\'
+ Image|endswith: '\wuaucltcore.exe'
 TargetFilename|contains: ':\$WinREAgent\'
 condition: selection and not 1 of filter_main_*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
index 71541371864..1dbc87389db 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
@@ -8,6 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/06
+modified: 2023/11/10
 tags:
 - attack.impact
 - attack.t1486
@@ -23,8 +24,9 @@ detection:
 - Description: 'GnuPG’s OpenPGP tool'
 filter_main_legit_location:
 Image|contains:
- - ':\Program Files (x86)\GnuPG\bin\'
 - ':\Program Files (x86)\GNU\GnuPG\bin\'
+ - ':\Program Files (x86)\GnuPG VS-Desktop\'
+ - ':\Program Files (x86)\GnuPG\bin\'
 - ':\Program Files (x86)\Gpg4win\bin\'
 condition: selection and not 1 of filter_main_*
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
index 70dff26fadf..5130e4700d3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
@@ -18,7 +18,7 @@ references:
 - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
 author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
 date: 2020/10/23
-modified: 2023/01/25
+modified: 2023/11/10
 tags:
 - attack.defense_evasion
 - attack.t1218.011
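Review bot: The new `':\Program Files (x86)\GnuPG VS-Desktop\'` entry lacks the `\bin\` segment its three siblings carry, so the exclusion covers any image anywhere under that product directory rather than its binary folder. If the VS-Desktop layout genuinely has no single binary directory, a comment on that line such as `# GnuPG VS-Desktop places its executables directly under the product folder` would explain the asymmetry; otherwise narrowing it to the real path keeps the filter consistent with the rest. I cannot confirm the actual install layout from the hunk. The `selection` block that this filter applies to starts above it.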
@@ -26,30 +26,27 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection_werfault:
 Image|endswith: '\WerFault.exe'
 CommandLine|endswith: 'WerFault.exe'
- selection2:
+ selection_rundll32:
 Image|endswith: '\rundll32.exe'
 CommandLine|endswith: 'rundll32.exe'
- selection3:
+ selection_regsvcs:
 Image|endswith: '\regsvcs.exe'
 CommandLine|endswith: 'regsvcs.exe'
- selection4:
+ selection_regasm:
 Image|endswith: '\regasm.exe'
 CommandLine|endswith: 'regasm.exe'
- selection5:
+ selection_regsvr32:
 Image|endswith: '\regsvr32.exe'
 CommandLine|endswith: 'regsvr32.exe'
- filter_edge_update:
- ParentImage|startswith: 'C:\Users\'
- ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
+ filter_main_edge_update:
+ ParentImage|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
 ParentImage|endswith: '\setup.exe'
- ParentCommandLine|contains: '\setup.exe" --install-archive="C:\Users\'
- condition: 1 of selection* and not 1 of filter*
-fields:
- - ParentImage
- - ParentCommandLine
+ condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
 - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
index f4f43b1742f..d65e301e7bd 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
@@ -16,7 +16,7 @@ references:
 - https://twitter.com/ForensicITGuy/status/1334734244120309760
 author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
 date: 2021/08/23
-modified: 2023/03/23
+modified: 2023/11/10
 tags:
 - attack.execution
 - attack.defense_evasion
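Review bot: `filter_main_edge_update` now keys on `ParentImage` alone (`contains|all` on `:\Users\` and `\AppData\Local\Microsoft\EdgeUpdate\Install\{` plus `endswith '\setup.exe'`); the removed `ParentCommandLine|contains: '\setup.exe" --install-archive="C:\Users\'` was the only constraint not derived from a user-writable path. Dropping it looks deliberate since the old value hard-coded `C:\`, but a drive-agnostic replacement such as `ParentCommandLine|contains: '\setup.exe" --install-archive="'` would keep that second signal without the original portability issue. With `level: high` and `falsepositives: Unlikely` unchanged, the widened exclusion should at least be noted in a comment on the filter.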
@@ -51,11 +51,14 @@ detection:
 - 'regsvr32'
 - 'rundll32'
 - 'wscript'
- filter_werfault:
+ filter_main_werfault:
 Image|endswith: '\WerFault.exe'
- filter_wmiprvse:
+ filter_main_wmiprvse:
 Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
- condition: selection_parent and 1 of selection_children_* and not 1 of filter_*
+ filter_main_msiexec:
+ Image|endswith: '\msiexec.exe'
+ CommandLine|contains: '/i '
+ condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high

From 8cc032f15a3d5988a2bf1ff30d5157e7eca9334b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 10 Nov 2023 16:54:46 +0100
Subject: [PATCH 4/6] Update proc_creation_win_whoami_susp_flags.yml

---
 .../process_creation/proc_creation_win_whoami_susp_flags.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
index d6b55155caa..985ff070aa0 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
@@ -8,6 +8,7 @@ references:
 - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/28
+modified: 2023/11/10
 tags:
 - attack.discovery
 - attack.t1033
@@ -29,7 +30,9 @@ detection:
 CommandLine|contains|all:
 - 'whoami'
 - '>'
- condition: all of selection_main_* or selection_special
+ filter_main_generic_error_redirect:
+ CommandLine|contains: '2>&1'
+ condition: (all of selection_main_* or selection_special) and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high

From 7a8ba9834baf02ac6e9edcd566062894caa89085 Mon Sep 17 00:00:00 2001
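Review bot: `filter_main_msiexec` excludes every `msiexec.exe` child of WmiPrvSE whose command line contains `/i `, which is the ordinary install switch, so any MSI installation initiated through WMI is suppressed even though msiexec was presumably added to `selection_children_*` to surface exactly that; the children list starts above the hunk. If the benign case observed is a specific product or deployment tool, constraining on that (package path or the parent command line) keeps the coverage; otherwise the accepted gap should be written down, e.g. `# Note: suppresses all WMI-initiated MSI installs; tune to the deployment tooling in use`.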
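Review bot: `filter_main_generic_error_redirect` is applied to the whole condition, so a command line that satisfies `selection_main_*` (the suspicious whoami flags) is also suppressed whenever it contains `2>&1`, not only the `selection_special` output-redirect case it was meant to tune. Binding the filter to that selection alone, `condition: all of selection_main_* or (selection_special and not 1 of filter_main_*)`, keeps the flag-based detections intact; 5/6 in this series removes the filter altogether instead. The `selection_main_*` blocks start above the hunk.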
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Fri, 10 Nov 2023 17:15:43 +0100
Subject: [PATCH 5/6] Update proc_creation_win_whoami_susp_flags.yml

---
 .../proc_creation_win_whoami_susp_flags.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
index 985ff070aa0..a5c356d69be 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
@@ -27,12 +27,8 @@ detection:
 - ' /FO CSV'
 - ' -FO CSV'
 selection_special:
- CommandLine|contains|all:
- - 'whoami'
- - '>'
- filter_main_generic_error_redirect:
- CommandLine|contains: '2>&1'
- condition: (all of selection_main_* or selection_special) and not 1 of filter_main_*
+ CommandLine: '*whoami*>'
+ condition: all of selection_main_* or selection_special
 falsepositives:
 - Unknown
 level: high

From 19479b028801277cbd0172344606b4507623cb14 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 10 Nov 2023 17:19:23 +0100
Subject: [PATCH 6/6] Update rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../process_creation/proc_creation_win_whoami_susp_flags.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
index a5c356d69be..7161f207d57 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
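Review bot: `CommandLine: '*whoami*>'` has no trailing wildcard, so `selection_special` now matches only command lines that end with `>`; a line such as `whoami > out.txt` or `whoami /all >> log` no longer satisfies it, whereas the removed `contains|all` form did. 6/6 in this series switches the value to `CommandLine|contains: 'whoami*>'`, which restores the open-ended match. The `selection_main_*` blocks start above the hunk.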
@@ -27,7 +27,7 @@ detection:
 - ' /FO CSV'
 - ' -FO CSV'
 selection_special:
- CommandLine: '*whoami*>'
+ CommandLine|contains: 'whoami*>'
 condition: all of selection_main_* or selection_special
 falsepositives:
 - Unknown
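Review bot: `CommandLine|contains: 'whoami*>'` depends on the embedded `*` being interpreted as a Sigma wildcard inside a `contains` modifier, which reads like a literal string to anyone unfamiliar with that handling; an inline comment such as `# '*' is a wildcard: whoami followed by any output redirection` would make the intent explicit. The pattern also fires on `2>` and `>>` forms and on a `>` belonging to a later command in the same line, which fits the purpose of `selection_special` but is worth stating in `falsepositives`, which still reads `Unknown` now that the earlier `2>&1` filter has been dropped. The `selection_main_*` blocks start above the hunk.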