From 3d6ec1b18720ac23600ffae1e23ef110d015760c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 2 Feb 2023 11:25:19 +0100 Subject: [PATCH] chg: [sigma] updated to the latest version --- clusters/sigma-rules.json | 11790 ++++++++++++++++++++---------------- 1 file changed, 6436 insertions(+), 5354 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index e33434b..35c5423 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -174,9 +174,9 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": "No established tags" @@ -187,7 +187,7 @@ { "description": "Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/04/15", "falsepositive": [ "Unknown" @@ -222,7 +222,7 @@ { "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/06/05", "falsepositive": [ "Legitimate use of Telegram bots in the company" @@ -232,10 +232,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://core.telegram.org/bots/faq", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://core.telegram.org/bots/faq", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -258,7 +258,7 @@ { "description": "Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE", "meta": { - "author": "Florian Roth, Matt Kelly (list of domains)", + "author": "Florian Roth (Nextron Systems), Matt Kelly (list of domains)", "creation_date": "2022/06/07", "falsepositive": [ "Unknown" @@ -300,7 +300,7 @@ { "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/05/10", "falsepositive": [ "Unknown" @@ -310,8 +310,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" ], "tags": [ @@ -417,8 +417,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://zeltser.com/c2-dns-tunneling/", "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", + "https://zeltser.com/c2-dns-tunneling/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" ], "tags": [ @@ -460,8 +460,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://twitter.com/stvemillertime/status/1024707932447854592", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" ], "tags": [ @@ -525,7 +525,7 @@ { "description": "Detects suspicious DNS queries using base64 encoding", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/05/10", "falsepositive": [ "Unknown" @@ -641,7 +641,7 @@ { "description": "Detects suspicious DNS queries to Monero mining pools", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/10/24", "falsepositive": [ "Legitimate crypto coin mining" @@ -1330,10 +1330,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://threatpost.com/microsoft-petitpotam-poc/168163/", - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1703,8 +1703,8 @@ "logsource.product": "zeek", "refs": [ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", - "https://github.com/Maka8ka/NGLite", "https://github.com/nknorg/nkn-sdk-go", + "https://github.com/Maka8ka/NGLite", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ @@ -1752,8 +1752,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], @@ -1848,11 +1848,11 @@ "logsource.product": "zeek", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://github.com/corelight/CVE-2021-1675", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://github.com/corelight/CVE-2021-1675", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -1975,8 +1975,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://twitter.com/neu5ron/status/1346245602502443009", "https://tools.ietf.org/html/rfc2929#section-2.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" @@ -2019,8 +2019,8 @@ "logsource.category": "application", "logsource.product": "django", "refs": [ - "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", "https://docs.djangoproject.com/en/1.11/ref/exceptions/", + "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" ], "tags": [ @@ -2188,10 +2188,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ @@ -2215,10 +2215,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ @@ -2241,10 +2241,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ @@ -2267,10 +2267,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -2303,10 +2303,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -2340,10 +2340,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ @@ -2367,8 +2367,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" ], "tags": [ @@ -2391,10 +2391,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -2428,9 +2428,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -2471,10 +2471,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -2508,12 +2508,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -2536,9 +2536,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], @@ -2562,10 +2562,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -2588,10 +2588,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ @@ -2614,10 +2614,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ @@ -2641,10 +2641,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -2667,10 +2667,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ @@ -2716,7 +2716,7 @@ { "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/27", "falsepositive": [ "Legitimate software accessing LSASS process for legitimate reason" @@ -2726,11 +2726,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], "tags": [ @@ -2843,8 +2843,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", + "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml" ], "tags": [ @@ -2899,7 +2899,7 @@ "value": "Credential Dumping by Pypykatz" }, { - "description": "Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", "meta": { "author": "Tim Burrell", "creation_date": "2020/01/02", @@ -2911,8 +2911,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Invoke-Phant0m", "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/hlldz/Invoke-Phant0m", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" ], "tags": [ @@ -2930,12 +2930,12 @@ } ], "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", - "value": "Suspect Svchost Memory Asccess" + "value": "Potential Svchost Memory Access" }, { "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/10", "falsepositive": [ "Unlikely, since these tools shouldn't access lsass.exe at all" @@ -3023,7 +3023,7 @@ { "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2012/06/27", "falsepositive": [ "Actual failures in lsass.exe that trigger a crash dump (unlikely)", @@ -3058,7 +3058,7 @@ { "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", "meta": { - "author": "John Lambert (tech), Florian Roth (rule)", + "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "creation_date": "2017/03/04", "falsepositive": [ "Unknown" @@ -3148,7 +3148,7 @@ { "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -3192,10 +3192,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", - "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -3219,7 +3219,7 @@ { "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools", "meta": { - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "creation_date": "2017/02/16", "falsepositive": [ "Legitimate software accessing LSASS process for legitimate reason; please add more filters" @@ -3229,8 +3229,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" @@ -3257,7 +3257,7 @@ { "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/13", "falsepositive": [ "Legitimate software accessing LSASS process for legitimate reason" @@ -3267,11 +3267,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], "tags": [ @@ -3295,7 +3295,7 @@ { "description": "Detects process access to LSASS memory with suspicious access flags", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/22", "falsepositive": [ "Legitimate software accessing LSASS process for legitimate reason" @@ -3305,11 +3305,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], "tags": [ @@ -3333,7 +3333,7 @@ { "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", "meta": { - "author": "Christian Burkard, Tim Shelton", + "author": "Christian Burkard (Nextron Systems), Tim Shelton", "creation_date": "2021/07/28", "falsepositive": [ "Unknown" @@ -3424,7 +3424,7 @@ { "description": "Detects the process injection of a LittleCorporal generated Maldoc.", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/09", "falsepositive": [ "Unknown" @@ -3507,7 +3507,7 @@ { "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/10", "falsepositive": [ "Rare programs that contain the word dump in their name and access lsass" @@ -3542,7 +3542,7 @@ { "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/07", "falsepositive": [ "Unknown" @@ -3577,7 +3577,7 @@ { "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/04", "falsepositive": [ "Unknown" @@ -3587,8 +3587,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -3623,9 +3623,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml" ], "tags": [ @@ -3648,7 +3648,7 @@ { "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/16", "falsepositive": [ "Unlikely" @@ -3739,8 +3739,8 @@ "logsource.category": "sysmon_error", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" ], "tags": [ @@ -3773,8 +3773,8 @@ "logsource.category": "sysmon_status", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" ], "tags": [ @@ -3797,7 +3797,7 @@ { "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", "meta": { - "author": "Florian Roth, Christian Burkard", + "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "creation_date": "2021/07/30", "falsepositive": [ "Chrome instances using the exact same pipe name \"mojo.something\"" @@ -3823,7 +3823,7 @@ { "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/30", "falsepositive": [ "Unknown" @@ -3906,7 +3906,7 @@ { "description": "Detects the creation of a named pipe as used by CobaltStrike", "meta": { - "author": "Florian Roth, Wojciech Lesicki", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "creation_date": "2021/05/25", "falsepositive": [ "Unknown" @@ -3916,11 +3916,11 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", - "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://twitter.com/d4rksystem/status/1357010969264873472", "https://github.com/SigmaHQ/sigma/issues/253", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" ], "tags": [ @@ -3945,8 +3945,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/groups/G0010/", "Internal Research", + "https://attack.mitre.org/groups/G0010/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" ], "tags": [ @@ -4003,7 +4003,7 @@ { "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/03", "falsepositive": [ "Unlikely" @@ -4026,7 +4026,7 @@ { "description": "Detects PAExec default named pipe", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/26", "falsepositive": [ "Unknown" @@ -4059,7 +4059,7 @@ { "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/09/01", "falsepositive": [ "Unknown" @@ -4125,7 +4125,7 @@ { "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/04", "falsepositive": [ "Rare legitimate use of psexec from the locations mentioned above" @@ -4135,8 +4135,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml" ], "tags": [ @@ -4160,7 +4160,7 @@ { "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -4221,7 +4221,7 @@ { "description": "Detects the creation of a named pipe used by known APT malware", "meta": { - "author": "Florian Roth, blueteam0ps, elhoim", + "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "creation_date": "2017/11/06", "falsepositive": [ "Unknown" @@ -4232,17 +4232,17 @@ "logsource.product": "windows", "refs": [ "https://securelist.com/faq-the-projectsauron-apt/75533/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://www.us-cert.gov/ncas/alerts/TA17-117A", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://github.com/RiccardoAncarani/LiquidSnake", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" ], "tags": [ @@ -4267,8 +4267,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml" ], "tags": [ @@ -4302,9 +4302,9 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/Azure/SimuLand", - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", "https://o365blog.com/post/adfs/", + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", + "https://github.com/Azure/SimuLand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" ], "tags": [ @@ -4327,7 +4327,7 @@ { "description": "Detects creation of default named pipes used by the Koh tool", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/08", "falsepositive": [ "Unlikely" @@ -4369,7 +4369,7 @@ { "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", "meta": { - "author": "Florian Roth (rule), David ANDRE (additional keywords)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "creation_date": "2017/01/10", "falsepositive": [ "Naughty administrators", @@ -4722,7 +4722,7 @@ { "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/01/10", "falsepositive": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", @@ -4768,8 +4768,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], @@ -4898,8 +4898,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" ], "tags": "No established tags" @@ -4944,9 +4944,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" ], "tags": "No established tags" @@ -5047,7 +5047,7 @@ { "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", "meta": { - "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "creation_date": "2017/08/22", "falsepositive": [ "Unknown (data set is too small; further testing needed)" @@ -5082,7 +5082,7 @@ { "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/05/09", "falsepositive": [ "Legitimate used of encrypted ZIP files" @@ -5138,7 +5138,7 @@ { "description": "Detects suspicious failed logins with different user accounts from a single source system", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/01/10", "falsepositive": [ "Terminal servers", @@ -5218,7 +5218,7 @@ { "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/03", "falsepositive": [ "Unlikely" @@ -5241,7 +5241,7 @@ { "description": "This events that are generated when using the hacktool Ruler by Sensepost", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/05/31", "falsepositive": [ "Go utilities that use staaldraad awesome NTLM library" @@ -5251,10 +5251,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", - "https://github.com/sensepost/ruler/issues/47", "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", + "https://github.com/sensepost/ruler/issues/47", "https://github.com/sensepost/ruler", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], @@ -5321,7 +5321,7 @@ { "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", "meta": { - "author": "Florian Roth, Daniil Yugoslavskiy, oscd.community (update)", + "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "creation_date": "2017/03/27", "falsepositive": [ "Unknown" @@ -5331,9 +5331,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", - "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "https://awakesecurity.com/blog/threat-hunting-for-paexec/", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" ], "tags": [ @@ -5391,7 +5391,7 @@ { "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", "meta": { - "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", "creation_date": "2019/03/04", "falsepositive": [ "Unknown" @@ -5486,9 +5486,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": "No established tags" @@ -5499,7 +5499,7 @@ { "description": "Detects access to $ADMIN share", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/04", "falsepositive": [ "Legitimate administrative activity" @@ -5556,8 +5556,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", + "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml" ], @@ -5633,7 +5633,7 @@ { "description": "Detects logon events that specify new credentials", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022/04/06", "falsepositive": [ "Legitimate remote administration activity" @@ -5705,7 +5705,7 @@ { "description": "Detects activity mentioned in Operation Wocao report", "meta": { - "author": "Florian Roth, frack113", + "author": "Florian Roth (Nextron Systems), frack113", "creation_date": "2019/12/20", "falsepositive": [ "Administrators that use checkadmin.exe tool to enumerate local administrators" @@ -5769,8 +5769,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], @@ -5896,7 +5896,7 @@ { "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/02/10", "falsepositive": [ "Faulty legacy applications" @@ -5986,15 +5986,15 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml" ], "tags": "No established tags" @@ -6064,8 +6064,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", + "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" ], "tags": [ @@ -6122,8 +6122,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], @@ -6145,9 +6145,9 @@ "value": "Suspicious LDAP-Attributes Used" }, { - "description": "Detects a source user failing to authenticate with multiple users using explicit credentials on a host.", + "description": "Detects a single user failing to authenticate to multiple users using explicit credentials.", "meta": { - "author": "Mauricio Velazco", + "author": "Mauricio Velazco, Zach Mathis", "creation_date": "2021/06/01", "falsepositive": [ "Terminal servers", @@ -6170,7 +6170,7 @@ ] }, "uuid": "196a29c2-e378-48d8-ba07-8a9e61f7fab9", - "value": "Multiple Users Attempting To Authenticate Using Explicit Credentials" + "value": "Password Spraying via Explicit Credentials" }, { "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", @@ -6293,9 +6293,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -6348,6 +6348,34 @@ "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", "value": "DPAPI Domain Backup Key Extraction" }, + { + "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.", + "meta": { + "author": "Micah Babinski, @micahbabinski", + "creation_date": "2023/01/19", + "falsepositive": [ + "Legitimate or intentional inbound connections from public IP addresses on the SMB port." + ], + "filename": "win_security_successful_external_remote_smb_login.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Purp1eW0lf/status/1616144561965002752", + "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml" + ], + "tags": [ + "attack.initial_access", + "attack.credential_access", + "attack.t1133", + "attack.t1078", + "attack.t1110" + ] + }, + "uuid": "78d5cab4-557e-454f-9fb9-a222bd0d5edc", + "value": "External Remote SMB Logon from Public IP" + }, { "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", "meta": { @@ -6433,8 +6461,8 @@ "logsource.product": "windows", "refs": [ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", - "Live environment caused by malware", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", + "Live environment caused by malware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -6457,7 +6485,7 @@ { "description": "Detects NetNTLM downgrade attack", "meta": { - "author": "Florian Roth, wagga", + "author": "Florian Roth (Nextron Systems), wagga", "creation_date": "2018/03/20", "falsepositive": [ "Unknown" @@ -6672,7 +6700,7 @@ { "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "creation_date": "2018/03/23", "falsepositive": [ "Unknown" @@ -6991,7 +7019,7 @@ { "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", "meta": { - "author": "Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "creation_date": "2017/03/07", "falsepositive": [ "Administrator activity" @@ -7107,8 +7135,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], "tags": "No established tags" @@ -7129,10 +7157,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://twitter.com/Flangvik/status/1283054508084473861", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", + "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ @@ -7146,7 +7174,7 @@ { "description": "Detects well-known credential dumping tools execution via service execution events", "meta": { - "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "creation_date": "2017/03/05", "falsepositive": [ "Legitimate Administrator using credential dumping tool for password recovery" @@ -7411,9 +7439,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/topotam/PetitPotam", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ @@ -7446,8 +7474,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" ], "tags": [ @@ -7506,8 +7534,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" ], "tags": [ @@ -7572,7 +7600,7 @@ { "description": "Detects service ticket requests using RC4 encryption type", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/02/06", "falsepositive": [ "Service accounts used on legacy systems (e.g. NetApp)", @@ -7725,9 +7753,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], "tags": "No established tags" @@ -7812,7 +7840,7 @@ { "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/05", "falsepositive": [ "Unknown" @@ -7848,7 +7876,7 @@ { "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/23", "falsepositive": [ "Software installation", @@ -7941,7 +7969,7 @@ { "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", "meta": { - "author": "Florian Roth (rule), Adam Bradbury (idea)", + "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "creation_date": "2019/06/02", "falsepositive": [ "Unlikely" @@ -8033,7 +8061,7 @@ { "description": "Detects suspicious failed logins with different user accounts from a single source system", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/01/10", "falsepositive": [ "Terminal servers", @@ -8152,7 +8180,7 @@ { "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/05/09", "falsepositive": [ "Legitimate used of encrypted ZIP files" @@ -8183,10 +8211,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], "tags": "No established tags" @@ -8236,16 +8264,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -8328,7 +8356,7 @@ { "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/05", "falsepositive": [ "Unknown" @@ -8373,8 +8401,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", + "https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" ], "tags": [ @@ -8431,6 +8459,34 @@ "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", "value": "Azure AD Health Service Agents Registry Keys Access" }, + { + "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.", + "meta": { + "author": "Micah Babinski, @micahbabinski", + "creation_date": "2023/01/19", + "falsepositive": [ + "Legitimate or intentional inbound connections from public IP addresses on the RDP port." + ], + "filename": "win_security_successful_external_remote_rdp_login.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Purp1eW0lf/status/1616144561965002752", + "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_successful_external_remote_rdp_login.yml" + ], + "tags": [ + "attack.initial_access", + "attack.credential_access", + "attack.t1133", + "attack.t1078", + "attack.t1110" + ] + }, + "uuid": "259a9cdf-c4dd-4fa2-b243-2269e5ab18a2", + "value": "External Remote RDP Logon from Public IP" + }, { "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", "meta": { @@ -8477,8 +8533,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" ], "tags": [ @@ -8526,7 +8582,7 @@ { "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/14", "falsepositive": [ "Legitimate administrative activity" @@ -8560,7 +8616,7 @@ { "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/05/03", "falsepositive": [ "Unknown" @@ -8593,7 +8649,7 @@ { "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/05/09", "falsepositive": [ "Legitimate used of encrypted ZIP files" @@ -8624,8 +8680,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ @@ -8649,8 +8705,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://twitter.com/duzvik/status/1269671601852813320", + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" ], "tags": [ @@ -8674,8 +8730,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/topotam/PetitPotam", "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", + "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ @@ -8741,9 +8797,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -8767,9 +8823,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3466", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", + "https://adsecurity.org/?p=3466", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ @@ -8817,7 +8873,7 @@ { "description": "Detects possible addition of shadow credentials to an active directory object.", "meta": { - "author": "Nasreddine Bencherchali (rule), Elastic (idea)", + "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "creation_date": "2022/10/17", "falsepositive": [ "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" @@ -8828,8 +8884,8 @@ "logsource.product": "windows", "refs": [ "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", - "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", + "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -8862,8 +8918,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" ], "tags": [ @@ -8887,7 +8943,7 @@ { "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", "meta": { - "author": "Florian Roth, Wojciech Lesicki", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "creation_date": "2021/05/26", "falsepositive": [ "Unknown" @@ -8926,7 +8982,7 @@ { "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/12/22", "falsepositive": [ "Unknown" @@ -8979,7 +9035,7 @@ { "description": "Detects Mimikatz DC sync security events", "meta": { - "author": "Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu", + "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "creation_date": "2018/06/03", "falsepositive": [ "Valid DC Sync that is not covered by the filters; please report", @@ -8990,10 +9046,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", + "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ @@ -9074,7 +9130,7 @@ { "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/02/19", "falsepositive": [ "User using a disabled account" @@ -9112,8 +9168,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://twitter.com/SBousseaden/status/1490608838701166596", + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ @@ -9179,9 +9235,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1511760068743766026", - "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", + "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", + "https://twitter.com/malmoeb/status/1511760068743766026", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -9198,7 +9254,7 @@ { "description": "Detects update to a scheduled task event that contain suspicious keywords.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/05", "falsepositive": [ "Unknown" @@ -9362,7 +9418,7 @@ { "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/06/08", "falsepositive": [ "Legacy hosts" @@ -9372,8 +9428,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1004895028995477505", "https://goo.gl/PsqrhT", + "https://twitter.com/JohnLaTwC/status/1004895028995477505", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" ], "tags": [ @@ -9422,7 +9478,7 @@ { "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", "meta": { - "author": "Florian Roth, wagga", + "author": "Florian Roth (Nextron Systems), wagga", "creation_date": "2020/02/29", "falsepositive": [ "Unknown" @@ -9488,7 +9544,7 @@ { "description": "Detects backup catalog deletions", "meta": { - "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)", "creation_date": "2017/05/12", "falsepositive": [ "Unknown" @@ -9522,7 +9578,7 @@ { "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/22", "falsepositive": [ "Other MSI packages for which your admins have used that name" @@ -9580,7 +9636,7 @@ { "description": "Detects MSI package installation from suspicious locations", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/31", "falsepositive": [ "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" @@ -9644,7 +9700,7 @@ { "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/14", "falsepositive": [ "Legitimate backup operation/creating shadow copies" @@ -9654,8 +9710,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mgreen27/status/1558223256704122882", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", + "https://twitter.com/mgreen27/status/1558223256704122882", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml" ], "tags": [ @@ -9668,7 +9724,7 @@ { "description": "This detection method points out highly relevant Antivirus events", "meta": { - "author": "Florian Roth, Arnim Rupp", + "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2017/02/19", "falsepositive": [ "Some software piracy tools (key generators, cracks) are classified as hack tools" @@ -9678,9 +9734,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", + "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml" ], "tags": [ @@ -9703,7 +9759,7 @@ { "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/13", "falsepositive": [ "Legitimate use of the feature by administrators (rare)" @@ -9727,7 +9783,7 @@ { "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/14", "falsepositive": [ "Legitimate backup operation/creating shadow copies" @@ -9737,8 +9793,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mgreen27/status/1558223256704122882", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", + "https://twitter.com/mgreen27/status/1558223256704122882", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml" ], "tags": [ @@ -9783,7 +9839,7 @@ { "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/05/09", "falsepositive": [ "MsMpEng.exe can crash when C:\\ is full" @@ -9818,7 +9874,7 @@ { "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/12", "falsepositive": [ "Legitimate enable/disable of the setting", @@ -9843,7 +9899,7 @@ { "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/07", "falsepositive": [ "Rare legitimate crashing of the lsass process" @@ -9853,8 +9909,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml" ], @@ -9878,7 +9934,7 @@ { "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", "meta": { - "author": "Florian Roth, Zach Mathis", + "author": "Florian Roth (Nextron Systems), Zach Mathis", "creation_date": "2020/01/15", "falsepositive": [ "Unknown" @@ -9889,10 +9945,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/VM_vivisector/status/1217190929330655232", - "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://twitter.com/FlemmingRiis/status/1217147415482060800", "https://twitter.com/DidierStevens/status/1217533958096924676", "https://nullsec.us/windows-event-log-audit-cve/", + "https://www.youtube.com/watch?v=ebmW42YYveI", + "https://twitter.com/FlemmingRiis/status/1217147415482060800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml" ], "tags": [ @@ -9993,7 +10049,7 @@ { "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/12", "falsepositive": [ "Unknown" @@ -10017,7 +10073,7 @@ { "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/13", "falsepositive": [ "Rare legitimate administrative activity" @@ -10040,7 +10096,7 @@ { "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/13", "falsepositive": [ "This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up" @@ -10051,8 +10107,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -10065,7 +10121,7 @@ { "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/17", "falsepositive": [ "Software installation" @@ -10130,7 +10186,7 @@ { "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/05", "falsepositive": [ "Unknown" @@ -10162,7 +10218,7 @@ { "description": "Detects plugged/unplugged USB devices", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/11/09", "falsepositive": [ "Legitimate administrative activity" @@ -10187,7 +10243,7 @@ { "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/14", "falsepositive": [ "Legitimate package hosted on a known and authorized remote location" @@ -10197,8 +10253,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1539679555908141061", "https://twitter.com/j00sean/status/1537750439701225472", + "https://twitter.com/nas_bench/status/1539679555908141061", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" ], "tags": [ @@ -10211,7 +10267,7 @@ { "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022/01/20", "falsepositive": [ "Antivirus products" @@ -10221,8 +10277,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1483810148602814466", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://twitter.com/SBousseaden/status/1483810148602814466", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ @@ -10235,7 +10291,7 @@ { "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/10", "falsepositive": [ "Unknown" @@ -10269,7 +10325,7 @@ { "description": "Detects blocked load attempts of revoked drivers", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/10", "falsepositive": [ "Unknown" @@ -10328,7 +10384,7 @@ { "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", "meta": { - "author": "Florian Roth, KevTheHermit, fuzzyf10w", + "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", "creation_date": "2021/06/30", "falsepositive": [ "Account fallback reasons (after failed login with specific account)" @@ -10338,8 +10394,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/KevTheHermit/status/1410203844064301056", "https://github.com/afwu/PrintNightmare", + "https://twitter.com/KevTheHermit/status/1410203844064301056", "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml" ], @@ -10354,7 +10410,7 @@ { "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/14", "falsepositive": [ "Packages or applications being legitimately used by users or administrators" @@ -10387,11 +10443,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://winaero.com/enable-openssh-server-windows-10/", "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", - "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://winaero.com/enable-openssh-server-windows-10/", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ @@ -10405,7 +10461,7 @@ { "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675", "meta": { - "author": "Florian Roth, KevTheHermit, fuzzyf10w, Tim Shelton", + "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton", "creation_date": "2021/06/30", "falsepositive": [ "Problems with printer drivers" @@ -10415,9 +10471,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/fuzzyf10w/status/1410202370835898371", "https://github.com/afwu/PrintNightmare", "https://github.com/hhlxf/PrintNightmare", + "https://twitter.com/fuzzyf10w/status/1410202370835898371", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml" ], "tags": [ @@ -10441,7 +10497,7 @@ { "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/01", "falsepositive": [ "Unknown" @@ -10485,8 +10541,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], @@ -10501,7 +10557,7 @@ { "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could instal the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/16", "falsepositive": [ "Legitimate usage of the applications from the Windows Store" @@ -10560,8 +10616,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" ], "tags": [ @@ -10652,7 +10708,7 @@ { "description": "Detects the Setting of Windows Defender Exclusions", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/07/06", "falsepositive": [ "Administrator actions" @@ -10700,7 +10756,7 @@ { "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ "Unlikely" @@ -10790,7 +10846,7 @@ { "description": "Detects suspicious changes to the windows defender configuration", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/06", "falsepositive": [ "Administrator activity (must be investigated)" @@ -10800,8 +10856,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" ], "tags": [ @@ -10815,7 +10871,7 @@ { "description": "Detects the restoration of files from the defender quarantine", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/06", "falsepositive": [ "Legitimate administrator activity restoring a file" @@ -10839,7 +10895,7 @@ { "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Unknown" @@ -10849,9 +10905,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml" ], @@ -10978,7 +11034,7 @@ { "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Administrator PowerShell scripts" @@ -11012,7 +11068,7 @@ { "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -11022,9 +11078,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://twitter.com/malmoeb/status/1535142803075960832", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" ], "tags": [ @@ -11048,7 +11104,7 @@ { "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/10", "falsepositive": [ "Other legitimate domains used by software updaters" @@ -11058,8 +11114,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" ], "tags": [ @@ -11083,7 +11139,7 @@ { "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/29", "falsepositive": [ "Unknown" @@ -11117,7 +11173,7 @@ { "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/05/08", "falsepositive": [ "Unknown" @@ -11128,8 +11184,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://twitter.com/gentilkiwi/status/861641945944391680", + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml" ], "tags": [ @@ -11223,8 +11279,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" ], "tags": [ @@ -11255,7 +11311,7 @@ { "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/05", "falsepositive": [ "Unknown" @@ -11338,7 +11394,7 @@ { "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/11/09", "falsepositive": [ "Unknown" @@ -11361,7 +11417,7 @@ { "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/11", "falsepositive": [ "Legitimate usage of the anydesk tool" @@ -11384,7 +11440,7 @@ { "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/22", "falsepositive": [ "Legitimate use of the tool" @@ -11441,7 +11497,7 @@ { "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/08", "falsepositive": [ "Software installation", @@ -11467,7 +11523,7 @@ { "description": "Detects PAExec service installation", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/26", "falsepositive": [ "Unknown" @@ -11636,7 +11692,7 @@ { "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", "meta": { - "author": "Florian Roth, Wojciech Lesicki", + "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "creation_date": "2021/05/26", "falsepositive": [ "Unknown" @@ -11675,7 +11731,7 @@ { "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/01/27", "falsepositive": [ "Unknown" @@ -11717,9 +11773,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -11768,7 +11824,7 @@ { "description": "Detects PsExec service installation and execution events (service and Sysmon)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/21", "falsepositive": [ "Unknown" @@ -11929,7 +11985,7 @@ { "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/28", "falsepositive": [ "Legitimate use of the tool" @@ -11962,7 +12018,7 @@ { "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022/08/25", "falsepositive": [ "Unknown" @@ -11972,8 +12028,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml" ], "tags": [ @@ -12057,7 +12113,7 @@ { "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/22", "falsepositive": [ "Legitimate use of the tool" @@ -12106,7 +12162,7 @@ { "description": "Detects service installation in suspicious folder appdata", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/03/18", "falsepositive": [ "Unknown" @@ -12198,7 +12254,7 @@ { "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/30", "falsepositive": [ "Unknown" @@ -12221,7 +12277,7 @@ { "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/01/10", "falsepositive": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", @@ -12257,7 +12313,7 @@ { "description": "Detects NetSupport Manager service installation on the target system.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/31", "falsepositive": [ "Legitimate use of the tool" @@ -12291,8 +12347,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml" ], "tags": [ @@ -12306,7 +12362,7 @@ { "description": "Detects QuarksPwDump clearing access history in hive", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/05/15", "falsepositive": [ "Unknown" @@ -12338,7 +12394,7 @@ { "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/27", "falsepositive": [ "Unlikely" @@ -12373,7 +12429,7 @@ { "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/11/23", "falsepositive": [ "Unlikely" @@ -12398,7 +12454,7 @@ { "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/01/11", "falsepositive": [ "Unlikely" @@ -12408,9 +12464,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1347900440000811010", "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://twitter.com/wdormann/status/1347958161609809921", + "https://twitter.com/jonasLyk/status/1347900440000811010", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml" ], "tags": [ @@ -12424,7 +12480,7 @@ { "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/31", "falsepositive": [ "Unknown" @@ -12449,7 +12505,7 @@ { "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", "meta": { - "author": "Florian Roth, Tim Shelton", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2022/05/17", "falsepositive": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", @@ -12495,9 +12551,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -12534,7 +12590,7 @@ { "description": "Detects suspicious service installation scripts", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/03/18", "falsepositive": [ "Unknown" @@ -12592,7 +12648,7 @@ { "description": "Detects suspicious service installation commands", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/03/18", "falsepositive": [ "Unknown" @@ -12617,7 +12673,7 @@ { "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/28", "falsepositive": [ "Legitimate use of the tool" @@ -12650,7 +12706,7 @@ { "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/07", "falsepositive": [ "Unlikely" @@ -12675,7 +12731,7 @@ { "description": "Detects well-known credential dumping tools execution via service execution events", "meta": { - "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "creation_date": "2017/03/05", "falsepositive": [ "Legitimate Administrator using credential dumping tool for password recovery" @@ -12782,7 +12838,7 @@ { "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "creation_date": "2018/03/23", "falsepositive": [ "Unknown" @@ -12967,7 +13023,7 @@ { "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/10/07", "falsepositive": [ "Unknown" @@ -13043,8 +13099,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml" ], "tags": [ @@ -13068,7 +13124,7 @@ { "description": "Detects service installation with suspicious folder patterns", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/03/18", "falsepositive": [ "Unknown" @@ -13093,7 +13149,7 @@ { "description": "Detects Remote Utilities Host service installation on the target system.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/31", "falsepositive": [ "Legitimate use of the tool" @@ -13140,7 +13196,7 @@ { "description": "Detects execution of AppX packages with known suspicious or malicious signature", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/16", "falsepositive": [ "Unknown" @@ -13198,7 +13254,7 @@ { "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/03", "falsepositive": [ "Unknown" @@ -13256,8 +13312,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml" ], "tags": [ @@ -13281,7 +13337,7 @@ { "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", "meta": { - "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "creation_date": "2017/08/22", "falsepositive": [ "Unknown (data set is too small; further testing needed)" @@ -13316,7 +13372,7 @@ { "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/16", "falsepositive": [ "Rare legitimate access to anonfiles.com" @@ -13349,7 +13405,7 @@ { "description": "Detects DNS queries for subdomains used for upload to MEGA.io", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/16", "falsepositive": [ "Legitimate DNS queries and usage of Mega" @@ -13382,7 +13438,7 @@ { "description": "Detects DNS resolution of an .onion address related to Tor routing networks", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/02/20", "falsepositive": [ "Unlikely" @@ -13415,7 +13471,7 @@ { "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/16", "falsepositive": [ "Legitimate DNS queries and usage of Ufile" @@ -13448,7 +13504,7 @@ { "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/16", "falsepositive": [ "Unknown" @@ -13458,8 +13514,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ @@ -13492,9 +13548,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", - "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ @@ -13565,11 +13621,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -13601,7 +13657,7 @@ { "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Unknown" @@ -13611,9 +13667,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], @@ -13627,7 +13683,7 @@ { "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Unknown" @@ -13637,9 +13693,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], @@ -13653,7 +13709,7 @@ { "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Unknown" @@ -13663,9 +13719,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], @@ -13679,7 +13735,7 @@ { "description": "Detects an appx package installation with the error code \"0x80073cff\". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Legitimate AppX packages not signed by MS used part of an enterprise" @@ -13689,9 +13745,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], @@ -13729,7 +13785,7 @@ { "description": "Detects potential installation or installation attempts of known malicious appx packages", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" @@ -13778,7 +13834,7 @@ { "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/27", "falsepositive": [ "Unknown" @@ -13802,7 +13858,7 @@ { "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", "meta": { - "author": "Florian Roth, @testanull", + "author": "Florian Roth (Nextron Systems), @testanull", "creation_date": "2021/11/18", "falsepositive": [ "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" @@ -13859,7 +13915,7 @@ { "description": "Detects a failed installation of a Exchange Transport Agent", "meta": { - "author": "Tobias Michalski", + "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021/06/08", "falsepositive": [ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." @@ -13869,7 +13925,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml" ], "tags": [ @@ -13892,7 +13948,7 @@ { "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/09", "falsepositive": [ "Unlikely" @@ -13925,7 +13981,7 @@ { "description": "Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unlikely" @@ -13949,7 +14005,7 @@ { "description": "Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it", "meta": { - "author": "Florian Roth, Rich Warren, Christian Burkard", + "author": "Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)", "creation_date": "2021/08/09", "falsepositive": [ "Unlikely" @@ -13973,7 +14029,7 @@ { "description": "Detects the Installation of a Exchange Transport Agent", "meta": { - "author": "Tobias Michalski", + "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021/06/08", "falsepositive": [ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." @@ -13983,7 +14039,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent.yml" ], "tags": [ @@ -14016,8 +14072,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" ], "tags": [ @@ -14040,7 +14096,7 @@ { "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/24", "falsepositive": [ "Unknown" @@ -14075,7 +14131,7 @@ { "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/24", "falsepositive": [ "Unknown" @@ -14134,7 +14190,7 @@ { "description": "Detects the download of suspicious file type from URLs with IP", "meta": { - "author": "Nasreddine Bencherchali, Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth", "creation_date": "2022/09/07", "falsepositive": [ "Unknown" @@ -14167,7 +14223,7 @@ { "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/24", "falsepositive": [ "Unknown" @@ -14201,7 +14257,7 @@ { "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)", "meta": { - "author": "Florian Roth, @0xrawsec", + "author": "Florian Roth (Nextron Systems), @0xrawsec", "creation_date": "2018/06/03", "falsepositive": [ "Unknown" @@ -14365,9 +14421,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", "https://persistence-info.github.io/Data/recyclebin.html", + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ @@ -14381,7 +14437,7 @@ { "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/16", "falsepositive": [ "Unknown" @@ -14426,8 +14482,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" ], "tags": [ @@ -14461,9 +14517,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -14488,7 +14544,7 @@ { "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/01", "falsepositive": [ "Software installers downloaded and used by users" @@ -14522,8 +14578,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/pabraeken/status/990717080805789697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" ], "tags": [ @@ -14547,8 +14603,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ @@ -14596,7 +14652,7 @@ { "description": "Sysmon registry detection of a local hidden user account.", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/05/03", "falsepositive": [ "Unknown" @@ -14629,7 +14685,7 @@ { "description": "Detects the use of Windows Credential Editor (WCE)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/12/31", "falsepositive": [ "Unknown" @@ -14728,8 +14784,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", "https://github.com/eset/malware-ioc/tree/master/oceanlotus", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" ], "tags": [ @@ -14778,7 +14834,7 @@ { "description": "Detects NetNTLM downgrade attack", "meta": { - "author": "Florian Roth, wagga", + "author": "Florian Roth (Nextron Systems), wagga", "creation_date": "2018/03/20", "falsepositive": [ "Unknown" @@ -14803,7 +14859,7 @@ { "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "meta": { - "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "creation_date": "2018/03/15", "falsepositive": [ "Unlikely" @@ -14983,8 +15039,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ @@ -15123,7 +15179,7 @@ { "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -15185,7 +15241,7 @@ { "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/02/26", "falsepositive": [ "Unlikely" @@ -15195,8 +15251,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" ], "tags": [ @@ -15252,7 +15308,7 @@ { "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "creation_date": "2018/03/23", "falsepositive": [ "Unknown" @@ -15299,7 +15355,7 @@ { "description": "Detects Pandemic Windows Implant", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/06/01", "falsepositive": [ "Unknown" @@ -15333,7 +15389,7 @@ { "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/26", "falsepositive": [ "Unknown" @@ -15366,7 +15422,7 @@ { "description": "Detects the deletion of registry keys containing the MSTSC connection history", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/10/19", "falsepositive": [ "Unknown" @@ -15376,8 +15432,9 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", "http://woshub.com/how-to-clear-rdp-connections-history/", + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -15435,8 +15492,8 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://seclists.org/fulldisclosure/2020/Mar/45", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" ], "tags": [ @@ -15450,7 +15507,7 @@ { "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ "Legitimate administrators removing applications (should always be monitored)" @@ -15486,9 +15543,9 @@ "refs": [ "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://docs.microsoft.com/en-us/windows/win32/shell/launch", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ @@ -15545,8 +15602,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" ], "tags": [ @@ -15594,7 +15651,7 @@ { "description": "Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the \"accepteula\" key being added to Registry", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/24", "falsepositive": [ "Legitimate use of SysInternals tools" @@ -15627,7 +15684,7 @@ { "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Legitimate new entry added by windows" @@ -15651,7 +15708,7 @@ { "description": "Detects the \"accepteula\" key related to sysinternals tools being created from non sysinternals tools", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/24", "falsepositive": [ "Unlikely" @@ -15694,11 +15751,11 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", - "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" ], "tags": [ @@ -15712,7 +15769,7 @@ { "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Legitimate security products adding their own AMSI providers" @@ -15814,9 +15871,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/991447379864932352", - "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", + "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -15839,7 +15896,7 @@ { "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/10", "falsepositive": [ "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" @@ -15883,8 +15940,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ @@ -15934,7 +15991,7 @@ { "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Unknown" @@ -15944,8 +16001,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/htmlhelpauthor.html", "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", + "https://persistence-info.github.io/Data/htmlhelpauthor.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml" ], "tags": [ @@ -15992,7 +16049,7 @@ { "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", "meta": { - "author": "Tobias Michalski", + "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2022/02/24", "falsepositive": [ "Legitimate disabling of crashdumps" @@ -16059,7 +16116,7 @@ { "description": "Detects the manipulation of persistent URLs which can be malicious", "meta": { - "author": "Tobias Michalski", + "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021/06/09", "falsepositive": [ "Unknown" @@ -16069,8 +16126,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml" ], "tags": [ @@ -16105,10 +16162,47 @@ "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", "value": "Registry Explorer Policy Modification" }, + { + "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", + "meta": { + "author": "frack113", + "creation_date": "2023/01/27", + "falsepositive": [ + "Installers and updaters may set currently in use files for rename after a reboot." + ], + "filename": "registry_set_susp_pendingfilerenameoperations.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", + "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", + "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", + "value": "Potential PendingFileRenameOperations Tamper" + }, { "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/01", "falsepositive": [ "Unlikely" @@ -16118,8 +16212,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" ], "tags": [ @@ -16132,7 +16226,7 @@ { "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/05/08", "falsepositive": [ "Unknown" @@ -16169,8 +16263,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -16195,12 +16289,12 @@ "logsource.product": "windows", "refs": [ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ @@ -16239,7 +16333,7 @@ { "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/12", "falsepositive": [ "Unknown" @@ -16249,8 +16343,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://twitter.com/malmoeb/status/1560536653709598721", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ @@ -16275,8 +16369,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ @@ -16300,7 +16394,7 @@ { "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "This value is not set by default but could be rarly used by administrators" @@ -16324,7 +16418,7 @@ { "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Unknown" @@ -16448,9 +16542,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://twitter.com/inversecos/status/1494174785621819397", - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml" ], "tags": [ @@ -16535,8 +16629,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://vanmieghem.io/stealth-outlook-persistence/", "https://twitter.com/_vivami/status/1347925307643355138", + "https://vanmieghem.io/stealth-outlook-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml" ], "tags": [ @@ -16571,9 +16665,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -16587,7 +16681,7 @@ { "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/12", "falsepositive": [ "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" @@ -16597,8 +16691,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", + "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" ], "tags": [ @@ -16655,8 +16749,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ @@ -16695,7 +16789,7 @@ { "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/09", "falsepositive": [ "Unknown" @@ -16753,7 +16847,7 @@ { "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Legitimate SIP being registered by the OS or different software." @@ -16763,9 +16857,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://persistence-info.github.io/Data/codesigning.html", "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", - "https://persistence-info.github.io/Data/codesigning.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], "tags": [ @@ -16801,8 +16895,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -16816,7 +16910,7 @@ { "description": "Detects the manipulation of persistent URLs which could execute malicious code", "meta": { - "author": "Tobias Michalski", + "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021/06/10", "falsepositive": [ "Unknown" @@ -16931,7 +17025,7 @@ { "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/24", "falsepositive": [ "Unlikely" @@ -17099,8 +17193,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/scheduled-task-tampering/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://labs.f-secure.com/blog/scheduled-task-tampering/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" ], "tags": [ @@ -17134,8 +17228,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" ], "tags": [ @@ -17149,7 +17243,7 @@ { "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", "meta": { - "author": "Florian Roth, oscd.community", + "author": "Florian Roth (Nextron Systems), oscd.community", "creation_date": "2018/07/18", "falsepositive": [ "Unknown" @@ -17183,8 +17277,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml" ], "tags": [ @@ -17210,7 +17304,7 @@ { "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Unknown" @@ -17231,10 +17325,44 @@ "uuid": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", "value": "Persistence Via Disk Cleanup Handler - Autorun" }, + { + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "meta": { + "author": "frack113", + "creation_date": "2023/01/15", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_xll.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.006" + ] + }, + "related": [ + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "961e33d1-4f86-4fcf-80ab-930a708b2f82", + "value": "Potential Persistence Via Excel Add-in - Registry" + }, { "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/09", "falsepositive": [ "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" @@ -17267,8 +17395,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml" ], "tags": [ @@ -17291,7 +17419,7 @@ { "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", "meta": { - "author": "Florian Roth, Markus Neis, Sander Wiebing", + "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", "creation_date": "2018/08/25", "falsepositive": [ "Software using weird folders for updates" @@ -17348,7 +17476,7 @@ { "description": "Detect the creation of a service with a service binary located in a suspicious directory", "meta": { - "author": "Florian Roth, frack113", + "author": "Florian Roth (Nextron Systems), frack113", "creation_date": "2022/05/02", "falsepositive": [ "Unknown" @@ -17442,9 +17570,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://persistence-info.github.io/Data/userinitmprlogonscript.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ @@ -17458,7 +17586,7 @@ { "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/09", "falsepositive": [ "Unknown" @@ -17560,12 +17688,12 @@ "logsource.product": "windows", "refs": [ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ @@ -17625,8 +17753,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -17652,8 +17780,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -17758,7 +17886,7 @@ { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -17792,7 +17920,7 @@ { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -17826,7 +17954,7 @@ { "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/01", "falsepositive": [ "Unlikely" @@ -17836,8 +17964,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" ], "tags": [ @@ -17850,7 +17978,7 @@ { "description": "Detects the Setting of Windows Defender Exclusions", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/07/06", "falsepositive": [ "Administrator actions" @@ -17885,8 +18013,8 @@ "logsource.product": "windows", "refs": [ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", + "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ @@ -17921,8 +18049,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ @@ -17936,7 +18064,7 @@ { "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/04", "falsepositive": [ "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" @@ -17993,7 +18121,7 @@ { "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/05/30", "falsepositive": [ "Legitimate applications registering a new custom protocol handler" @@ -18014,39 +18142,6 @@ "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "value": "Potential Persistence Via Custom Protocol Handler" }, - { - "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen", - "meta": { - "author": "frack113", - "creation_date": "2022/08/20", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_add_hidden_user.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.002" - ] - }, - "related": [ - { - "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a", - "value": "User Account Hidden By Registry" - }, { "description": "Attempts to detect system changes made by Blue Mockingbird", "meta": { @@ -18084,7 +18179,7 @@ { "description": "Detect the creation of a service with a service binary located in a uncommon directory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/05/02", "falsepositive": [ "Unknown" @@ -18152,8 +18247,8 @@ "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], @@ -18178,8 +18273,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -18202,7 +18297,7 @@ { "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", "meta": { - "author": "Omer Yampel, Christian Burkard", + "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "creation_date": "2017/03/17", "falsepositive": [ "Unknown" @@ -18212,8 +18307,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", + "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" ], "tags": [ @@ -18238,7 +18333,7 @@ { "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Unlikely" @@ -18411,7 +18506,7 @@ { "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ "Legitmate use of the multi session functionality" @@ -18492,7 +18587,7 @@ { "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Unknown" @@ -18502,8 +18597,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/naturallanguage6.html", "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", + "https://persistence-info.github.io/Data/naturallanguage6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" ], "tags": [ @@ -18549,7 +18644,7 @@ { "description": "Detects UAC bypass method using Windows event viewer", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/19", "falsepositive": [ "Unknown" @@ -18559,8 +18654,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ @@ -18597,8 +18692,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ @@ -18612,7 +18707,7 @@ { "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" @@ -18648,8 +18743,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ @@ -18696,7 +18791,7 @@ { "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" @@ -18706,8 +18801,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/aedebug.html", "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", + "https://persistence-info.github.io/Data/aedebug.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ @@ -18720,7 +18815,7 @@ { "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ "Unlikely" @@ -18756,8 +18851,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -18806,9 +18901,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -18841,9 +18936,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -18856,9 +18951,9 @@ "value": "DHCP Callout DLL Installation" }, { - "description": "Detects when an attacker set the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" to \"0\" in order to hide user account.", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2022/07/12", "falsepositive": [ "Unknown" @@ -18868,6 +18963,7 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" ], @@ -18886,7 +18982,7 @@ } ], "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", - "value": "Hide User Account Via Special Accounts Reg Key" + "value": "Hiding User Account Via SpecialAccounts Registry Key" }, { "description": "Bypasses User Account Control using a fileless method", @@ -18901,9 +18997,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ @@ -18993,8 +19089,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", + "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://www.sans.org/cyber-security-summit/archives", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], @@ -19020,7 +19116,7 @@ { "description": "Detects tamper attempts to sophos av functionality via registry key modification", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/02", "falsepositive": [ "Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" @@ -19044,7 +19140,7 @@ { "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/01", "falsepositive": [ "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" @@ -19112,7 +19208,7 @@ { "description": "Detects the creation of user-specific or system-wide environement variables via the registry. Which contains suspicious commands and strings", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/20", "falsepositive": [ "Unknown" @@ -19218,7 +19314,7 @@ { "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Unlikely" @@ -19276,7 +19372,7 @@ { "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", "meta": { - "author": "EagleEye Team, Florian Roth, NVISO", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", "creation_date": "2020/05/13", "falsepositive": [ "New printer port install on host" @@ -19347,8 +19443,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ @@ -19406,9 +19502,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/pabraeken/status/998627081360695297", "https://twitter.com/VakninHai/status/1517027824984547329", - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -19431,7 +19527,7 @@ { "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/10", "falsepositive": [ "Unlikely" @@ -19441,8 +19537,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/autodialdll.html", "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", + "https://persistence-info.github.io/Data/autodialdll.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ @@ -19517,9 +19613,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ @@ -19576,8 +19672,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://unit42.paloaltonetworks.com/ransomware-families/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], @@ -19601,7 +19697,7 @@ { "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "meta": { - "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "creation_date": "2017/11/10", "falsepositive": "No established falsepositives", "filename": "registry_set_mal_adwind.yml", @@ -19609,8 +19705,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" ], "tags": [ @@ -19686,9 +19782,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml" ], "tags": [ @@ -19726,7 +19822,7 @@ { "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/25", "falsepositive": [ "Unknown" @@ -19737,8 +19833,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", - "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", + "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], "tags": [ @@ -19762,9 +19858,9 @@ "logsource.product": "windows", "refs": [ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://github.com/elastic/detection-rules/issues/1371", "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -19809,44 +19905,10 @@ "uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", "value": "Disable Windows Security Center Notifications" }, - { - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", - "meta": { - "author": "frack113", - "creation_date": "2023/01/15", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_persistance_xll.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", - "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistance_xll.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137.006" - ] - }, - "related": [ - { - "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "961e33d1-4f86-4fcf-80ab-930a708b2f82", - "value": "Potential Persistence Via Excel Add-in - Registry" - }, { "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/26", "falsepositive": [ "Unlikely" @@ -19879,7 +19941,7 @@ { "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/01", "falsepositive": [ "Unknown" @@ -19914,17 +19976,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -19948,7 +20010,7 @@ { "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/28", "falsepositive": [ "Probable legitimate applications. If you find these please add them to an exclusion list" @@ -19993,8 +20055,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ @@ -20008,7 +20070,7 @@ { "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/23", "falsepositive": [ "Other legitimate network providers used and not filtred in this rule" @@ -20018,8 +20080,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ @@ -20052,8 +20114,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], @@ -20068,7 +20130,7 @@ { "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/04", "falsepositive": [ "Unknown" @@ -20093,7 +20155,7 @@ { "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Legitimate registration of IFilters by the OS or software" @@ -20104,9 +20166,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1468548924600459267", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://persistence-info.github.io/Data/ifilters.html", - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ @@ -20119,7 +20181,7 @@ { "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/03/05", "falsepositive": [ "Unknown" @@ -20143,7 +20205,7 @@ { "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/22", "falsepositive": [ "Unlikely" @@ -20178,8 +20240,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -20265,8 +20327,8 @@ "logsource.product": "windows", "refs": [ "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", - "https://twitter.com/dez_/status/986614411711442944", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://twitter.com/dez_/status/986614411711442944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ @@ -20323,7 +20385,7 @@ { "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/07", "falsepositive": [ "Other DLLs with that import hash" @@ -20356,7 +20418,7 @@ { "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", "meta": { - "author": "Nasreddine Bencherchali, Subhash Popuri (@pbssubhash)", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "creation_date": "2022/12/16", "falsepositive": [ "Unlikely" @@ -20366,8 +20428,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ @@ -20395,9 +20457,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/bohops/WSMan-WinRM", - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -20472,8 +20534,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/am0nsec/status/1412232114980982787", "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml" ], "tags": [ @@ -20600,7 +20662,7 @@ { "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/17", "falsepositive": [ "Unknown" @@ -20678,8 +20740,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml" ], "tags": [ @@ -20762,7 +20824,7 @@ { "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/01", "falsepositive": [ "FP could occure if the legitimate version of vmGuestLib already exists on the system" @@ -20789,7 +20851,7 @@ { "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/09", "falsepositive": [ "Unknown" @@ -20799,12 +20861,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/Wh04m1001/SysmonEoP", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -20821,7 +20883,7 @@ { "description": "Detects DLL sideloading of DLLs that are part of web browsers", "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022/08/17", "falsepositive": [ "Unknown" @@ -20848,7 +20910,7 @@ { "description": "Detects DLL sideloading of \"dbgcore.dll\"", "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022/10/25", "falsepositive": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule" @@ -20919,8 +20981,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", + "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ @@ -20995,7 +21057,7 @@ { "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/14", "falsepositive": [ "Legitimate applications loading their own versions of the DLLs mentioned in this rule" @@ -21005,10 +21067,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", - "https://hijacklibs.net/", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -21025,7 +21087,7 @@ { "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/30", "falsepositive": [ "Unikely" @@ -21088,6 +21150,32 @@ "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", "value": "Active Directory Kerberos DLL Loaded Via Office Applications" }, + { + "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/22", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "value": "Aruba Network Service Potential DLL Sideloading" + }, { "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", "meta": { @@ -21102,8 +21190,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", - "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml" ], "tags": [ @@ -21124,9 +21212,9 @@ "value": "Load of dbghelp/dbgcore DLL from Suspicious Process" }, { - "description": "Detects DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", + "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022/08/17", "falsepositive": [ "Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.", @@ -21150,12 +21238,12 @@ ] }, "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", - "value": "Antivirus Software DLL Sideloading" + "value": "Potential Antivirus Software DLL Sideloading" }, { "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022/08/17", "falsepositive": [ "Unknown" @@ -21252,10 +21340,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/tyranid/DotNetToJScript", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://thewover.github.io/Introducing-Donut/", + "https://github.com/tyranid/DotNetToJScript", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -21339,8 +21427,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", + "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ @@ -21357,7 +21445,7 @@ { "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected \"version.dll\" dll", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/09/27", "falsepositive": [ "Unlikely" @@ -21390,7 +21478,7 @@ { "description": "Detects DLL sideloading of \"dbghelp.dll\"", "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022/10/25", "falsepositive": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule" @@ -21417,7 +21505,7 @@ { "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/01", "falsepositive": [ "Unknown" @@ -21478,7 +21566,7 @@ { "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/14", "falsepositive": [ "Unlikely" @@ -21546,7 +21634,7 @@ { "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/02", "falsepositive": [ "Unlikely" @@ -21636,7 +21724,7 @@ { "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/17", "falsepositive": [ "Unknown" @@ -21684,7 +21772,7 @@ { "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/09/07", "falsepositive": [ "Rarely observed" @@ -21721,8 +21809,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", - "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" ], "tags": [ @@ -21758,8 +21846,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2921", "https://github.com/p3nt4/PowerShdll", + "https://adsecurity.org/?p=2921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_in_memory_powershell.yml" ], "tags": [ @@ -21877,8 +21965,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/ly4k/SpoolFool", "https://github.com/hhlxf/PrintNightmare", + "https://github.com/ly4k/SpoolFool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ @@ -21905,7 +21993,7 @@ { "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022/08/17", "falsepositive": [ "Unlikely" @@ -21943,8 +22031,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" ], "tags": [ @@ -21969,8 +22057,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/mattifestation/status/1196390321783025666", "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" ], @@ -22027,7 +22115,7 @@ { "description": "Detects suspicious encoded payloads in WMI Event Consumers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/09/01", "falsepositive": [ "Unknown" @@ -22101,7 +22189,7 @@ { "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "creation_date": "2019/04/15", "falsepositive": [ "Legitimate administrative scripts" @@ -22111,9 +22199,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", + "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -22146,9 +22234,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://nmap.org/ncat/", - "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/besimorhino/powercat", + "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -22182,8 +22270,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/bohops/WSMan-WinRM", - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -22290,7 +22378,7 @@ { "description": "Detects PowerShell called from an executable by the version mismatch method", "meta": { - "author": "Sean Metcalf (source), Florian Roth (rule)", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "creation_date": "2017/03/05", "falsepositive": [ "Unknown" @@ -22334,8 +22422,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml" ], "tags": [ @@ -22393,7 +22481,7 @@ { "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "meta": { - "author": "Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)", + "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", "creation_date": "2017/03/22", "falsepositive": [ "Unknown" @@ -22527,7 +22615,7 @@ { "description": "Detects suspicious PowerShell download command", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/05", "falsepositive": [ "PowerShell scripts that download content from the Internet" @@ -22755,7 +22843,7 @@ { "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", "meta": { - "author": "Nasreddine Bencherchali, frack113", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2023/01/22", "falsepositive": [ "Legitimate use of the library for administrative activity" @@ -22765,9 +22853,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", - "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ @@ -22817,8 +22905,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/8", + "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ @@ -22977,7 +23065,7 @@ { "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/16", "falsepositive": [ "Unknown" @@ -22987,8 +23075,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ @@ -23079,7 +23167,7 @@ { "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/20", "falsepositive": [ "Unknown" @@ -23089,21 +23177,21 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/calebstewart/CVE-2021-1675", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/samratashok/nishang", "https://github.com/besimorhino/powercat", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/HarmJ0y/DAMP", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://adsecurity.org/?p=2921", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/samratashok/nishang", + "https://github.com/calebstewart/CVE-2021-1675", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://adsecurity.org/?p=2921", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -23307,7 +23395,7 @@ { "description": "Detects suspicious PowerShell download command", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/05", "falsepositive": [ "PowerShell scripts that download content from the Internet" @@ -23410,7 +23498,7 @@ "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", "meta": { "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2023/01/20", + "creation_date": "2023/01/23", "falsepositive": [ "Unknown" ], @@ -23419,23 +23507,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/besimorhino/powercat", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/PowerShellMafia/PowerSploit", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/samratashok/nishang", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/besimorhino/powercat", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -23458,7 +23546,7 @@ { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { - "author": "Florian Roth (rule)", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/12", "falsepositive": [ "Very special / sneaky PowerShell scripts" @@ -23593,7 +23681,7 @@ { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { - "author": "Florian Roth (rule), Jonhnathan Ribeiro", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "creation_date": "2017/03/05", "falsepositive": [ "Unknown" @@ -23635,8 +23723,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" ], "tags": [ @@ -23660,8 +23748,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml" ], "tags": [ @@ -23815,6 +23903,30 @@ "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", "value": "Change User Agents with WebRequest" }, + { + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/22", + "falsepositive": [ + "Legitimate usage of the capabilities by administartors or users. Filter accordingly" + ], + "filename": "posh_ps_add_windows_capability.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", + "value": "Add New Windows Capability - ScriptBlock" + }, { "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", "meta": { @@ -23861,8 +23973,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://attack.mitre.org/datasources/DS0005/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" ], "tags": [ @@ -23895,8 +24007,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -24030,8 +24142,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -24154,8 +24266,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], @@ -24248,7 +24360,7 @@ { "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/09", "falsepositive": [ "Unknown" @@ -24293,10 +24405,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return", - "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://adsecurity.org/?p=2277", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://adsecurity.org/?p=2277", + "https://powersploit.readthedocs.io/en/stable/Recon/README", + "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -24395,7 +24507,7 @@ { "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/04", "falsepositive": [ "Unlikely" @@ -24463,7 +24575,7 @@ { "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/17", "falsepositive": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" @@ -24473,9 +24585,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -24489,7 +24601,7 @@ { "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/17", "falsepositive": [ "Rare intended use of hidden services", @@ -24541,7 +24653,7 @@ { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { - "author": "Florian Roth (rule)", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/12", "falsepositive": [ "Very special / sneaky PowerShell scripts" @@ -24649,10 +24761,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "http://woshub.com/manage-windows-firewall-powershell/", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], @@ -24710,7 +24822,7 @@ { "description": "Detects potential exfiltration attempt via audio file using PowerShell", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/16", "falsepositive": [ "Unknown" @@ -24824,7 +24936,7 @@ { "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/26", "falsepositive": [ "Unknown" @@ -24834,10 +24946,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -24850,7 +24962,7 @@ { "description": "Detects powershell scripts that import modules from suspicious directories", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/07", "falsepositive": [ "Unknown" @@ -24950,8 +25062,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", + "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" ], "tags": [ @@ -25046,8 +25158,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -25070,7 +25182,7 @@ { "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -25106,9 +25218,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://adsecurity.org/?p=2604", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -25165,8 +25277,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ @@ -25339,7 +25451,7 @@ { "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ "Legitimate PowerShell scripts" @@ -25522,7 +25634,7 @@ { "description": "Detects suspicious PowerShell download command", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/05", "falsepositive": [ "PowerShell scripts that download content from the Internet" @@ -25564,8 +25676,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" ], "tags": [ @@ -25588,7 +25700,7 @@ { "description": "Detects PowerShell calling a credential prompt", "meta": { - "author": "John Lambert (idea), Florian Roth (rule)", + "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "creation_date": "2017/04/09", "falsepositive": [ "Unknown" @@ -25598,8 +25710,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://t.co/ezOTGy1a1G", "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ @@ -25633,8 +25745,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" ], "tags": [ @@ -25691,7 +25803,7 @@ { "description": "Detects keywords from well-known PowerShell exploitation frameworks", "meta": { - "author": "Sean Metcalf (source), Florian Roth (rule)", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "creation_date": "2017/03/05", "falsepositive": [ "Unknown" @@ -25792,7 +25904,7 @@ { "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/16", "falsepositive": [ "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" @@ -25825,9 +25937,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", - "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ @@ -25921,8 +26033,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ @@ -26049,8 +26161,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ @@ -26073,7 +26185,7 @@ { "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/21", "falsepositive": [ "Legitimate administration scripts" @@ -26106,8 +26218,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" ], @@ -26155,7 +26267,7 @@ { "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/04", "falsepositive": [ "Unknown" @@ -26179,7 +26291,7 @@ { "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021/09/21", "falsepositive": [ "Diagnostics" @@ -26211,7 +26323,7 @@ { "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", "meta": { - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (update)", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/23", "falsepositive": [ "Legitimate use of the library for administrative activity" @@ -26319,8 +26431,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -26368,8 +26480,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://www.powertheshell.com/ntfsstreams/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "http://www.powertheshell.com/ntfsstreams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" ], "tags": [ @@ -26494,7 +26606,7 @@ { "description": "Detects the use of PSAttack PowerShell hack tool", "meta": { - "author": "Sean Metcalf (source), Florian Roth (rule)", + "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "creation_date": "2017/03/05", "falsepositive": [ "Unknown" @@ -26537,8 +26649,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", + "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" ], "tags": [ @@ -26596,8 +26708,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://attack.mitre.org/datasources/DS0005/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -26654,7 +26766,7 @@ { "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/26", "falsepositive": [ "Legitimate usage of the cmdlet to forward emails" @@ -26677,7 +26789,7 @@ { "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/12", "falsepositive": [ "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" @@ -26687,9 +26799,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://twitter.com/oroneequalsone/status/1568432028361830402", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -26766,7 +26878,7 @@ { "description": "Detects Commandlet names from ShellIntel exploitation scripts.", "meta": { - "author": "Max Altgelt, Tobias Michalski", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "creation_date": "2021/08/09", "falsepositive": [ "Unknown" @@ -26799,7 +26911,7 @@ { "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Unknown" @@ -26810,8 +26922,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -26834,7 +26946,7 @@ { "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/11/09", "falsepositive": [ "Unknown" @@ -26870,8 +26982,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ @@ -26952,7 +27064,7 @@ { "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/17", "falsepositive": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" @@ -27068,7 +27180,7 @@ { "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/24", "falsepositive": [ "Rare intended use of hidden services", @@ -27129,7 +27241,7 @@ { "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/21", "falsepositive": [ "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" @@ -27139,8 +27251,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://twitter.com/nas_bench/status/1537919885031772161", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" ], "tags": [ @@ -27173,8 +27285,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", "https://twitter.com/pabraeken/status/995111125447577600", + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml" ], "tags": [ @@ -27339,7 +27451,7 @@ { "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", "meta": { - "author": "Florian Roth, Perez Diego (@darkquassar)", + "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)", "creation_date": "2019/02/11", "falsepositive": [ "Unknown" @@ -27349,10 +27461,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -27405,6 +27517,31 @@ "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3", "value": "Recon Information for Export with PowerShell" }, + { + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/10", + "falsepositive": [ + "Legitimate usage of the features listed in the rule." + ], + "filename": "posh_ps_enable_susp_windows_optional_feature.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "55c925c1-7195-426b-a136-a9396800e29b", + "value": "Potential Suspicious Windows Feature Enabled" + }, { "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", "meta": { @@ -27476,8 +27613,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ @@ -27566,7 +27703,7 @@ { "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/08", "falsepositive": [ "Unknown" @@ -27599,7 +27736,7 @@ { "description": "Detects Base64 encoded Shellcode", "meta": { - "author": "David Ledbetter (shellcode), Florian Roth (rule)", + "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "creation_date": "2018/11/17", "falsepositive": [ "Unknown" @@ -27635,7 +27772,7 @@ { "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/04/23", "falsepositive": [ "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" @@ -27732,35 +27869,10 @@ "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" }, - { - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "meta": { - "author": "frack113", - "creation_date": "2022/09/10", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_enable_windowsoptionalfeature.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "55c925c1-7195-426b-a136-a9396800e29b", - "value": "Potential Suspicious Windows Feature Enabled" - }, { "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/04", "falsepositive": [ "Unknown" @@ -27772,8 +27884,8 @@ "refs": [ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", - "https://twitter.com/ScumBots/status/1610626724257046529", "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", + "https://twitter.com/ScumBots/status/1610626724257046529", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -27889,8 +28001,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", + "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": "No established tags" @@ -27952,21 +28064,21 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/calebstewart/CVE-2021-1675", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/samratashok/nishang", "https://github.com/besimorhino/powercat", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/HarmJ0y/DAMP", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://adsecurity.org/?p=2921", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/samratashok/nishang", + "https://github.com/calebstewart/CVE-2021-1675", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://adsecurity.org/?p=2921", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -28071,8 +28183,8 @@ "logsource.product": "windows", "refs": [ "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", - "https://www.shellhacks.com/clear-history-powershell/", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ @@ -28129,7 +28241,7 @@ { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { - "author": "Florian Roth (rule), Jonhnathan Ribeiro", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "creation_date": "2017/03/05", "falsepositive": [ "Unknown" @@ -28213,9 +28325,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": "No established tags" @@ -28377,8 +28489,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/Arno0x/DNSExfiltrator", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ @@ -28436,7 +28548,7 @@ { "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/05", "falsepositive": [ "Unknown" @@ -28505,9 +28617,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml" ], "tags": [ @@ -28573,8 +28685,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" ], "tags": [ @@ -28631,8 +28743,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" ], "tags": [ @@ -28690,7 +28802,7 @@ { "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/04/23", "falsepositive": [ "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" @@ -28825,8 +28937,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", "https://twitter.com/pabraeken/status/995111125447577600", + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml" ], "tags": [ @@ -28882,7 +28994,7 @@ { "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", "meta": { - "author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community", + "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "creation_date": "2018/11/30", "falsepositive": [ "Unknown" @@ -28983,7 +29095,7 @@ { "description": "Detects remote thread injection events based on action seen used by bumblebee", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -29058,7 +29170,7 @@ { "description": "Detects a remote thread creation in suspicious target images", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/16", "falsepositive": [ "Unknown" @@ -29102,8 +29214,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/KeeThief", "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", + "https://github.com/GhostPack/KeeThief", "https://github.com/denandz/KeeFarce", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml" ], @@ -29137,8 +29249,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://github.com/mdsecactivebreach/CACTUSTORCH", "https://twitter.com/SBousseaden/status/1090588499517079552", + "https://github.com/mdsecactivebreach/CACTUSTORCH", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml" ], "tags": [ @@ -29196,8 +29308,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "Personal research, statistical analysis", "https://lolbas-project.github.io", + "Personal research, statistical analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml" ], "tags": [ @@ -29212,7 +29324,7 @@ { "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/25", "falsepositive": [ "Unknown" @@ -29299,7 +29411,7 @@ { "description": "Detects PowerShell remote thread creation in Rundll32.exe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/06/25", "falsepositive": [ "Unknown" @@ -29341,7 +29453,7 @@ { "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/16", "falsepositive": [ "Legitimate BIOS driver updates (should be rare)" @@ -29382,7 +29494,7 @@ { "description": "Detects a driver load from a temporary directory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/02/12", "falsepositive": [ "There is a relevant set of false positives depending on applications in the environment" @@ -29406,7 +29518,7 @@ { "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/28", "falsepositive": [ "Unknown" @@ -29430,7 +29542,7 @@ { "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/25", "falsepositive": [ "Unknown" @@ -29440,11 +29552,11 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", + "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", "https://twitter.com/malmoeb/status/1551449425842786306", "https://github.com/fengjixuchui/gdrv-loader", - "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", - "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml" ], "tags": [ @@ -29458,7 +29570,7 @@ { "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/18", "falsepositive": [ "Unlikely" @@ -29482,7 +29594,7 @@ { "description": "Detects the load of known vulnerable drivers via their names only.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/03", "falsepositive": [ "False positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", @@ -29494,17 +29606,17 @@ "logsource.product": "windows", "refs": [ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/jbaines-r7/dellicious", - "https://github.com/stong/CVE-2020-15368", "https://github.com/CaledoniaProject/drivers-binaries", - "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", "https://github.com/Chigusa0w0/AsusDriversPrivEscala", - "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://github.com/namazso/physmem_drivers", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", + "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious", + "https://github.com/namazso/physmem_drivers", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", + "https://github.com/stong/CVE-2020-15368", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml" ], "tags": [ @@ -29561,7 +29673,7 @@ { "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/26", "falsepositive": [ "Unknown" @@ -29571,8 +29683,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml" ], "tags": [ @@ -29586,7 +29698,7 @@ { "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/30", "falsepositive": [ "Legitimate WinDivert driver usage" @@ -29629,7 +29741,7 @@ { "description": "Detects the load of known vulnerable drivers by hash value", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/18", "falsepositive": [ "Unknown" @@ -29639,22 +29751,22 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/jbaines-r7/dellicious", - "https://github.com/stong/CVE-2020-15368", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", - "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", - "https://github.com/namazso/physmem_drivers", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", + "https://github.com/CaledoniaProject/drivers-binaries", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", + "https://github.com/jbaines-r7/dellicious", + "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", + "https://github.com/namazso/physmem_drivers", "https://github.com/tandasat/ExploitCapcom", + "https://github.com/stong/CVE-2020-15368", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml" ], "tags": [ @@ -29678,7 +29790,7 @@ { "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/05", "falsepositive": [ "Legitimate BIOS driver updates (should be rare)" @@ -29720,7 +29832,7 @@ { "description": "Detects well-known credential dumping tools execution via service execution events", "meta": { - "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "creation_date": "2017/03/05", "falsepositive": [ "Legitimate Administrator using credential dumping tool for password recovery" @@ -29795,7 +29907,7 @@ { "description": "Detects the load of drivers used by Process Hacker and System Informer", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/11/16", "falsepositive": [ "Legitimate user of process hacker or system informer by low level developers or system administrators" @@ -29806,8 +29918,8 @@ "logsource.product": "windows", "refs": [ "https://processhacker.sourceforge.io/", - "https://github.com/winsiderss/systeminformer", "https://systeminformer.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml" ], "tags": [ @@ -29831,7 +29943,7 @@ { "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/26", "falsepositive": [ "Unknown" @@ -29841,8 +29953,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml" ], "tags": [ @@ -29856,7 +29968,7 @@ { "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/11/10", "falsepositive": [ "Legitimate driver loads (old driver that didn't receive an update)" @@ -29891,7 +30003,7 @@ { "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/13", "falsepositive": [ "Administrative scripts", @@ -29925,7 +30037,7 @@ { "description": "Detects an executable in the Windows folder accessing github.com", "meta": { - "author": "Michael Haag (idea), Florian Roth (rule)", + "author": "Michael Haag (idea), Florian Roth (Nextron Systems)", "creation_date": "2017/08/24", "falsepositive": [ "Unknown", @@ -29936,9 +30048,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://twitter.com/M_haggis/status/1032799638213066752", "https://twitter.com/M_haggis/status/900741347035889665", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" ], "tags": [ @@ -29980,8 +30092,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://pypi.org/project/scapy/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ @@ -30005,8 +30117,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" ], "tags": [ @@ -30032,9 +30144,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", - "https://content.fireeye.com/apt-41/rpt-apt41", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://content.fireeye.com/apt-41/rpt-apt41", + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], "tags": [ @@ -30098,7 +30210,7 @@ { "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/03", "falsepositive": [ "Unknown" @@ -30121,7 +30233,7 @@ { "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/05", "falsepositive": [ "Unknown" @@ -30188,7 +30300,7 @@ { "description": "Detects a rundll32 that communicates with public IP addresses", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/11/04", "falsepositive": [ "Communication to other corporate systems that use IP addresses from public address spaces" @@ -30258,8 +30370,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -30369,7 +30481,7 @@ { "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/29", "falsepositive": [ "Unknown" @@ -30379,8 +30491,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" ], "tags": [ @@ -30508,7 +30620,7 @@ { "description": "Detects an executable in the Windows folder accessing suspicious domains", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/08/30", "falsepositive": [ "Unknown" @@ -30518,10 +30630,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/M_haggis/status/1032799638213066752", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://twitter.com/M_haggis/status/900741347035889665", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://twitter.com/M_haggis/status/900741347035889665", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ @@ -30544,7 +30656,7 @@ { "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/11/03", "falsepositive": [ "Legitimate use of ngrok" @@ -30612,7 +30724,7 @@ { "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/19", "falsepositive": [ "Unknown" @@ -30760,7 +30872,7 @@ { "description": "Detects programs with network connections running in suspicious files system locations", "meta": { - "author": "Florian Roth, Tim Shelton", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2017/03/19", "falsepositive": [ "Unknown" @@ -30829,7 +30941,7 @@ { "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/16", "falsepositive": [ "Legitimate use of ngrok.io" @@ -30839,8 +30951,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://ngrok.com/", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" ], "tags": [ @@ -30940,7 +31052,7 @@ { "description": "Detects suspicious network connection by Cmstp", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/30", "falsepositive": [ "Unknown" @@ -30973,7 +31085,7 @@ { "description": "Detects network connections from Equation Editor", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022/04/14", "falsepositive": [ "Unknown" @@ -31007,7 +31119,7 @@ { "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/20", "falsepositive": [ "Legitimate use of the API with a tool that the author wasn't aware of" @@ -31029,7 +31141,7 @@ { "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/12/06", "falsepositive": [ "Legitimate use of mega.nz uploaders and tools" @@ -31063,7 +31175,7 @@ { "description": "Detects process connections to a Monero crypto mining pool", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/10/26", "falsepositive": [ "Legitimate use of crypto miners" @@ -31130,7 +31242,7 @@ { "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/11", "falsepositive": [ "Unknown" @@ -31172,7 +31284,7 @@ { "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", "meta": { - "author": "Nasreddine Bencherchali, Subhash P (@pbssubhash)", + "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "creation_date": "2022/12/16", "falsepositive": [ "Unknown" @@ -31182,8 +31294,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -31198,7 +31310,7 @@ { "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", "meta": { - "author": "Nasreddine Bencherchali, frack113", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2022/11/07", "falsepositive": [ "Users creating a shortcut on e.g. desktop" @@ -31208,11 +31320,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/luc4m/status/1073181154126254080", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -31268,7 +31380,7 @@ { "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/29", "falsepositive": [ "Unknown" @@ -31278,8 +31390,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1465282548494487554", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", + "https://twitter.com/0gtweet/status/1465282548494487554", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ @@ -31346,7 +31458,7 @@ { "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/24", "falsepositive": [ "Legitimate use of the profile by developers or administrators" @@ -31404,7 +31516,7 @@ { "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/15", "falsepositive": [ "Unknown" @@ -31415,10 +31527,10 @@ "logsource.product": "windows", "refs": [ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://www.google.com/search?q=procdump+lsass", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://github.com/helpsystems/nanodump", + "https://www.google.com/search?q=procdump+lsass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ @@ -31475,7 +31587,7 @@ { "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/02/04", "falsepositive": [ "Very unlikely" @@ -31519,8 +31631,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml" ], "tags": [ @@ -31544,7 +31656,7 @@ { "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ "Unlikely" @@ -31568,7 +31680,7 @@ { "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", "meta": { - "author": "Nasreddine Bencherchali, frack113", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2022/06/19", "falsepositive": [ "Unlikely" @@ -31578,11 +31690,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/luc4m/status/1073181154126254080", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -31686,7 +31798,7 @@ { "description": "Detects a Windows executable that writes files to suspicious folders", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/20", "falsepositive": [ "Unknown" @@ -31797,9 +31909,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "Internal Research", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml" ], "tags": [ @@ -31906,7 +32018,7 @@ { "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/06/29", "falsepositive": [ "Unknown" @@ -32013,8 +32125,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ @@ -32040,7 +32152,7 @@ { "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/18", "falsepositive": [ "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" @@ -32050,8 +32162,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" ], "tags": [ @@ -32066,7 +32178,7 @@ { "description": "Detects the creation of log files during a TeamViewer remote session", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/30", "falsepositive": [ "Legitimate uses of TeamViewer in an organisation" @@ -32191,7 +32303,7 @@ { "description": "Detects creation of template files for Microsoft Office from outside Office", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022/06/02", "falsepositive": [ "Loading a user environment from a backup or a domain controller", @@ -32258,7 +32370,7 @@ { "description": "Detects the presence and execution of Inveigh via dropped artefacts", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/24", "falsepositive": [ "Unlikely" @@ -32269,8 +32381,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml" ], "tags": [ @@ -32328,7 +32440,7 @@ { "description": "Detects anydesk writing binaries files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/28", "falsepositive": [ "Unknown" @@ -32395,11 +32507,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -32413,7 +32525,7 @@ { "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/09", "falsepositive": [ "Unknown" @@ -32423,8 +32535,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/last-byte/PersistenceSniper", + "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml" ], "tags": [ @@ -32437,7 +32549,7 @@ { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -32471,7 +32583,7 @@ { "description": "Detects the creation of known offensive powershell scripts used for exploitation", "meta": { - "author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "creation_date": "2018/04/07", "falsepositive": [ "Unknown" @@ -32481,23 +32593,23 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/besimorhino/powercat", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/PowerShellMafia/PowerSploit", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/samratashok/nishang", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/besimorhino/powercat", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -32520,7 +32632,7 @@ { "description": "Detects suspicious file type dropped by an Exchange component in IIS", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/10/04", "falsepositive": [ "Unknown" @@ -32530,9 +32642,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -32557,7 +32669,7 @@ { "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/25", "falsepositive": [ "Unknown" @@ -32783,7 +32895,7 @@ { "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -32817,7 +32929,7 @@ { "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/06", "falsepositive": [ "Unlikely" @@ -32934,7 +33046,7 @@ { "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/28", "falsepositive": [ "Unknown" @@ -32991,8 +33103,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/14", + "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ @@ -33015,7 +33127,7 @@ { "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/22", "falsepositive": [ "Unknown", @@ -33050,7 +33162,7 @@ { "description": "Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/08", "falsepositive": [ "Unlikely" @@ -33084,8 +33196,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" @@ -33110,7 +33222,7 @@ { "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", "meta": { - "author": "Antonio Cocomazzi (idea), Florian Roth (rule)", + "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "creation_date": "2022/04/27", "falsepositive": [ "Unknown" @@ -33121,8 +33233,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", - "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -33136,7 +33248,7 @@ { "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", "meta": { - "author": "Florian Roth (rule), MSTI (query, idea)", + "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "creation_date": "2022/10/01", "falsepositive": [ "Unknown" @@ -33146,9 +33258,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ @@ -33162,7 +33274,7 @@ { "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "meta": { - "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "creation_date": "2017/11/10", "falsepositive": "No established falsepositives", "filename": "file_event_win_mal_adwind.yml", @@ -33170,8 +33282,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ @@ -33202,7 +33314,7 @@ { "description": "Detects the creation of new Outlook form which can contain malicious code", "meta": { - "author": "Tobias Michalski", + "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021/06/10", "falsepositive": [ "Unknown" @@ -33245,8 +33357,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ @@ -33279,8 +33391,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml" ], "tags": [ @@ -33336,7 +33448,7 @@ { "description": "Detects the creation of the default output filename used by the wmicexec tool", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/02", "falsepositive": [ "Unlikely" @@ -33463,8 +33575,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml" ], "tags": [ @@ -33545,7 +33657,7 @@ { "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -33579,7 +33691,7 @@ { "description": "Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/11", "falsepositive": [ "Unknown" @@ -33615,7 +33727,7 @@ { "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/11", "falsepositive": [ "Unknown" @@ -33625,9 +33737,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ @@ -33684,7 +33796,7 @@ { "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", "meta": { - "author": "Florian Roth, Sittikorn S", + "author": "Florian Roth (Nextron Systems), Sittikorn S", "creation_date": "2021/09/10", "falsepositive": [ "Unknown" @@ -33694,8 +33806,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", + "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" ], "tags": [ @@ -33718,7 +33830,7 @@ { "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/12/07", "falsepositive": [ "Administrative activity", @@ -33740,7 +33852,7 @@ { "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/03", "falsepositive": [ "Unknown" @@ -33775,7 +33887,7 @@ { "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/03", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" @@ -33785,8 +33897,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1278977301745741825", "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + "https://twitter.com/SBousseaden/status/1278977301745741825", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" ], "tags": [ @@ -33809,7 +33921,7 @@ { "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -33843,7 +33955,7 @@ { "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/11", "falsepositive": [ "Rare cases of administrative activity" @@ -33853,11 +33965,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/FireFart/hivenightmare", - "https://github.com/search?q=CVE-2021-36934", - "https://github.com/cube0x0/CVE-2021-36934", "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/cube0x0/CVE-2021-36934", + "https://github.com/FireFart/hivenightmare", "https://github.com/HuskyHacks/ShadowSteal", + "https://github.com/search?q=CVE-2021-36934", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -33905,7 +34017,7 @@ { "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -33997,7 +34109,7 @@ { "description": "Detects files written by the different tools that exploit HiveNightmare", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/23", "falsepositive": [ "Files that accidentally contain these strings" @@ -34007,9 +34119,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cube0x0/status/1418920190759378944", - "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/GossiTheDog/HiveNightmare", + "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://twitter.com/cube0x0/status/1418920190759378944", "https://github.com/FireFart/hivenightmare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" ], @@ -34025,7 +34137,7 @@ { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -34059,7 +34171,7 @@ { "description": "Detects a dump file written by QuarksPwDump password dumper", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/02/10", "falsepositive": [ "Unknown" @@ -34089,6 +34201,30 @@ "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", "value": "QuarksPwDump Dump File" }, + { + "description": "Detects creation of files with the \".one\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/22", + "falsepositive": [ + "Legitimate usage of \".one\" files from those locations add-ins" + ], + "filename": "file_event_win_one_extension_files_in_susp_locations.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_one_extension_files_in_susp_locations.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", + "value": "OneNote Attachment File Dropped In Suspicious Location" + }, { "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", "meta": { @@ -34103,8 +34239,8 @@ "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" ], "tags": [ @@ -34127,7 +34263,7 @@ { "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -34297,7 +34433,7 @@ { "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicates possible persistence", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/10", "falsepositive": [ "Possible FPs during first installation of Notepad++", @@ -34321,7 +34457,7 @@ { "description": "Detects windows executables that writes files with suspicious extensions", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/12", "falsepositive": [ "Unknown" @@ -34376,7 +34512,7 @@ { "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/11", "falsepositive": [ "Cases in which a user mounts an image file for legitimate reasons" @@ -34387,9 +34523,9 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": "No established tags" @@ -34400,7 +34536,7 @@ { "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/13", "falsepositive": [ "Unknown" @@ -34444,8 +34580,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml" ], "tags": [ @@ -34495,7 +34631,7 @@ { "description": "Detects when a file with a suspicious extension is created in the startup folder", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/10", "falsepositive": [ "Rare legitimate usage of some of the extensions mentioned in the rule" @@ -34529,8 +34665,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" ], @@ -34564,8 +34700,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/Sam0x90/status/1552011547974696960", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -34579,7 +34715,7 @@ { "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed and gets written to the file system and will be recorded in the USN Journal on the target system", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/21", "falsepositive": [ "Unlikely" @@ -34589,8 +34725,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://aboutdfir.com/the-key-to-identify-psexec/", "https://twitter.com/davisrichardg/status/1616518800584704028", + "https://aboutdfir.com/the-key-to-identify-psexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_psexec_service_key.yml" ], "tags": [ @@ -34743,7 +34879,7 @@ { "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/27", "falsepositive": [ "Unknown" @@ -34786,8 +34922,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" ], "tags": [ @@ -34876,7 +35012,7 @@ { "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/12", "falsepositive": [ "Unknown" @@ -34942,7 +35078,7 @@ { "description": "Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/01", "falsepositive": [ "Unknown" @@ -34952,11 +35088,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/Wh04m1001/SysmonEoP", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -35086,8 +35222,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" ], "tags": [ @@ -35144,8 +35280,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1552932770464292864", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://twitter.com/cyb3rops/status/1552932770464292864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" ], "tags": [ @@ -35161,7 +35297,7 @@ { "description": "Detects the creation of tasks from processes executed from suspicious locations", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/16", "falsepositive": [ "Unknown" @@ -35196,8 +35332,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -35460,7 +35596,7 @@ { "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/26", "falsepositive": [ "Possible FP during log rotation" @@ -35484,7 +35620,7 @@ { "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/11", "falsepositive": [ "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." @@ -35494,8 +35630,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" ], "tags": [ @@ -35518,7 +35654,7 @@ { "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/17", "falsepositive": [ "Unknown" @@ -35565,8 +35701,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://github.com/lclevy/firepwd", + "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml" ], "tags": [ @@ -35589,7 +35725,7 @@ { "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/17", "falsepositive": [ "Unknown" @@ -35599,8 +35735,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://www.passcape.com/windows_password_recovery_dpapi_credhist", + "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" ], "tags": [ @@ -35690,8 +35826,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://twitter.com/notwhickey/status/1333900137232523264", + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml" ], "tags": [ @@ -35747,7 +35883,7 @@ { "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/07/15", "falsepositive": [ "Rare legitimate access to anonfiles.com" @@ -35791,9 +35927,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", - "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml" ], "tags": [ @@ -35826,8 +35962,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml" ], "tags": [ @@ -35925,7 +36061,7 @@ { "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/09", "falsepositive": [ "Unknown" @@ -35935,8 +36071,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ @@ -35959,7 +36095,7 @@ { "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/30", "falsepositive": [ "Unknown binary names of TeamViewer", @@ -36149,7 +36285,7 @@ { "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/11", "falsepositive": [ "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" @@ -36258,8 +36394,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml" ], "tags": [ @@ -36282,7 +36418,7 @@ { "description": "Detects a whoami.exe executed by privileged accounts that are often misused by threat actors", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/28", "falsepositive": [ "Unknown" @@ -36292,8 +36428,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nsudo.m2team.org/en-us/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://nsudo.m2team.org/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml" ], "tags": [ @@ -36308,7 +36444,7 @@ { "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/17", "falsepositive": [ "Unlikely" @@ -36335,7 +36471,7 @@ { "description": "The \"Squirrel.exe\" binary that is part of multiple software (Slack, Teams, Discord...etc) can be used as a LOLBIN", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/09", "falsepositive": [ "See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs" @@ -36359,7 +36495,7 @@ { "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/02", "falsepositive": [ "Unlikely" @@ -36426,8 +36562,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml" ], "tags": [ @@ -36450,7 +36586,7 @@ { "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/04/15", "falsepositive": [ "Unknown" @@ -36522,11 +36658,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", - "https://twitter.com/eral4m/status/1479080793003671557", - "https://twitter.com/eral4m/status/1479106975967240209", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/eral4m/status/1479106975967240209", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://twitter.com/nas_bench/status/1433344116071583746", + "https://twitter.com/eral4m/status/1479080793003671557", "https://twitter.com/Hexacorn/status/885258886428725250", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml" ], @@ -36550,7 +36686,7 @@ { "description": "Detects a PsExec service start", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/03/13", "falsepositive": [ "Administrative activity" @@ -36650,7 +36786,7 @@ { "description": "Detects specific process parameters as seen in DTRACK infections", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/30", "falsepositive": [ "Unlikely" @@ -36660,9 +36796,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", - "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", "https://securelist.com/my-name-is-dtrack/93338/", + "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", + "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" ], "tags": [ @@ -36685,7 +36821,7 @@ { "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/29", "falsepositive": [ "Unknown" @@ -36710,7 +36846,7 @@ { "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/25", "falsepositive": [ "Case in which administrators are allowed to use ScreenConnect's Backstage mode" @@ -36803,8 +36939,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", + "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" ], "tags": [ @@ -36827,7 +36963,7 @@ { "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/15", "falsepositive": [ "Unknown but benign sub processes of the Windows DNS service dns.exe" @@ -36837,8 +36973,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" ], "tags": [ @@ -36870,7 +37006,7 @@ { "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/14", "falsepositive": [ "Legitimate usage to restore snapshots", @@ -36881,8 +37017,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" ], "tags": [ @@ -36905,7 +37041,7 @@ { "description": "Detects suspicious use of XORDump process memory dumping utility", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/28", "falsepositive": [ "Another tool that uses the command line switches of XORdump" @@ -36949,9 +37085,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/frack113/status/1555830623633375232", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" ], "tags": [ @@ -37005,7 +37141,7 @@ { "description": "Detects the creation of a process from Windows task manager", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/03/13", "falsepositive": [ "Administrative activity" @@ -37085,7 +37221,7 @@ { "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/10/08", "falsepositive": [ "Legitimate use" @@ -37128,9 +37264,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/countuponsec/status/910969424215232518", - "https://twitter.com/countuponsec/status/910977826853068800", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910977826853068800", + "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ @@ -37246,7 +37382,7 @@ { "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/01", "falsepositive": [ "Unknown" @@ -37303,8 +37439,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" ], "tags": [ @@ -37337,9 +37473,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "Reegun J (OCBC Bank)", "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml" ], "tags": [ @@ -37362,7 +37498,7 @@ { "description": "Detects specific process characteristics of Snatch ransomware word document droppers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/08/26", "falsepositive": [ "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" @@ -37395,7 +37531,7 @@ { "description": "Detects indicators of a UAC bypass method by mocking directories", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/27", "falsepositive": [ "Unknown" @@ -37405,9 +37541,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" ], "tags": [ @@ -37440,8 +37576,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" ], "tags": [ @@ -37464,7 +37600,7 @@ { "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -37474,9 +37610,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" ], @@ -37510,7 +37646,7 @@ { "description": "Detects a suspicious LSASS process process clone that could be a sign of process dumping activity", "meta": { - "author": "Florian Roth, Samir Bousseaden", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "creation_date": "2021/11/27", "falsepositive": [ "Unknown" @@ -37520,9 +37656,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/Hexacorn/status/1420053502554951689", "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", - "https://twitter.com/Hexacorn/status/1420053502554951689", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" ], "tags": [ @@ -37564,8 +37700,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/electron/rcedit", - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml" ], "tags": [ @@ -37595,45 +37731,10 @@ "uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "value": "Potential PE Metadata Tamper Using Rcedit" }, - { - "description": "Detects base64 encoded listing Win32_Shadowcopy", - "meta": { - "author": "Christian Burkard", - "creation_date": "2022/03/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_base64_listing_shadowcopy.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "47688f1b-9f51-4656-b013-3cc49a166a36", - "value": "Base64 Encoded Listing of Shadowcopy" - }, { "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/01", "falsepositive": [ "Unknown" @@ -37643,8 +37744,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/issues/1009", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" ], @@ -37658,7 +37759,7 @@ { "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/10", "falsepositive": [ "Other parent binaries using GUP not currently identified" @@ -37691,8 +37792,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", + "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ @@ -37726,9 +37827,9 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -37782,39 +37883,6 @@ "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", "value": "Netsh RDP Port Opening" }, - { - "description": "Detects the Installation of a Exchange Transport Agent", - "meta": { - "author": "Tobias Michalski", - "creation_date": "2021/06/08", - "falsepositive": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." - ], - "filename": "proc_creation_win_win_exchange_transportagent.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.002" - ] - }, - "related": [ - { - "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", - "value": "MSExchange Transport Agent Installation" - }, { "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "meta": { @@ -37854,7 +37922,7 @@ { "description": "Detects WannaCry ransomware activity", "meta": { - "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", "creation_date": "2019/01/16", "falsepositive": [ "Unknown" @@ -37948,7 +38016,7 @@ { "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio", "meta": { - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "creation_date": "2018/04/06", "falsepositive": [ "Unknown" @@ -37980,9 +38048,9 @@ "value": "Microsoft Office Product Spawning Windows Shell" }, { - "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "description": "Detects presence of a potentially xor encoded powershell command", "meta": { - "author": "Sami Ruohonen, Harish Segar (improvement), Tim Shelton", + "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", "creation_date": "2018/09/05", "falsepositive": [ "Unknown" @@ -37992,10 +38060,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://mez0.cc/posts/cobaltstrike-powershell-exec/", + "https://redcanary.com/blog/yellow-cockatoo/", + "https://zero2auto.com/2020/05/19/netwalker-re/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ "attack.defense_evasion", + "attack.execution", "attack.t1059.001", "attack.t1140", "attack.t1027" @@ -38018,12 +38091,12 @@ } ], "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", - "value": "Suspicious XOR Encoded PowerShell Command Line" + "value": "Suspicious XOR Encoded PowerShell Command" }, { "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/15", "falsepositive": [ "Unknown" @@ -38033,8 +38106,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/mandiant/SharPersist", "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", + "https://github.com/mandiant/SharPersist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" ], "tags": [ @@ -38074,7 +38147,7 @@ { "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/12/20", "falsepositive": [ "Other programs that use these command line option and accepts an 'All' parameter" @@ -38142,7 +38215,7 @@ { "description": "Detects WMIC executions in which a event consumer gets created in order to establish persistence", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/06/25", "falsepositive": [ "Legitimate software creating script event consumers" @@ -38152,8 +38225,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" ], "tags": [ @@ -38211,7 +38284,7 @@ { "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", "meta": { - "author": "Nasreddine Bencherchali, Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth", "creation_date": "2022/08/25", "falsepositive": [ "Unlikely" @@ -38245,7 +38318,7 @@ { "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/05", "falsepositive": [ "Unknown" @@ -38415,7 +38488,7 @@ { "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/22", "falsepositive": [ "Legitimate use of the PDQDeploy tool to execute these commands" @@ -38438,7 +38511,7 @@ { "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Unknown" @@ -38448,8 +38521,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", "https://twitter.com/0gtweet/status/1457676633809330184", + "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" ], "tags": [ @@ -38470,7 +38543,7 @@ "value": "Suspicious Sigverif Execution" }, { - "description": "Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines", + "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", "meta": { "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "creation_date": "2020/10/11", @@ -38502,7 +38575,7 @@ } ], "uuid": "74403157-20f5-415d-89a7-c505779585cf", - "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString" + "value": "ConvertTo-SecureString Cmdlet Usage Via CommandLine" }, { "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", @@ -38517,8 +38590,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml" ], "tags": [ @@ -38564,7 +38637,7 @@ { "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Some legitimate apps use this, but limited." @@ -38574,11 +38647,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" ], "tags": [ @@ -38611,7 +38684,7 @@ { "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/09", "falsepositive": [ "Legitimate usage of Adplus" @@ -38621,9 +38694,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://twitter.com/nas_bench/status/1534915321856917506", "https://twitter.com/nas_bench/status/1534916659676422152", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" ], "tags": [ @@ -38647,7 +38720,7 @@ { "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali @nas_bench", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali @nas_bench", "creation_date": "2022/01/24", "falsepositive": [ "Legitimate use by administrators" @@ -38680,45 +38753,10 @@ "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", "value": "NirCmd Tool Execution As LOCAL SYSTEM" }, - { - "description": "Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets", - "meta": { - "author": "pH-T", - "creation_date": "2022/05/31", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_base64_invoke_susp_cmdlets.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7", - "value": "Malicious Base64 Encoded Powershell Invoke Cmdlets" - }, { "description": "Detects wmiexec vbs version execution by wscript or cscript", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/04/07", "falsepositive": [ "Unlikely" @@ -38752,7 +38790,7 @@ { "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/03/18", "falsepositive": [ "Unknown" @@ -38775,7 +38813,7 @@ { "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/04/23", "falsepositive": [ "Unknown" @@ -38808,7 +38846,7 @@ { "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/10", "falsepositive": [ "Unknown" @@ -38842,7 +38880,7 @@ { "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/03", "falsepositive": [ "Unknown" @@ -38911,7 +38949,7 @@ { "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "creation_date": "2017/01/01", "falsepositive": [ "Unknown" @@ -38939,7 +38977,7 @@ { "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/14", "falsepositive": [ "Unlikely" @@ -38969,6 +39007,67 @@ "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39", "value": "Conhost.exe CommandLine Path Traversal" }, + { + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "meta": { + "author": "pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t'", + "creation_date": "2022/05/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_base64_invoke.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "value": "PowerShell Base64 Encoded Invoke Keyword" + }, + { + "description": "Detect use of PDQ Deploy remote admin tool", + "meta": { + "author": "frack113", + "creation_date": "2022/10/01", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_pdqdeploy.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.pdq.com/pdq-deploy/", + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1072" + ] + }, + "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", + "value": "PDQ Deploy Remote Adminstartion Tool Execution" + }, { "description": "Detects renamed jusched.exe used by cobalt group", "meta": { @@ -39017,8 +39116,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml" ], "tags": [ @@ -39041,7 +39140,7 @@ { "description": "Detects execution of msiexec from an uncommon directory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/11/14", "falsepositive": [ "Unknown" @@ -39065,7 +39164,7 @@ { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -39096,10 +39195,61 @@ "uuid": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "value": "UAC Bypass Using Windows Media Player - Process" }, + { + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_execution_via_office_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_execution_via_office_process.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", + "value": "WMI Execution Via Office Process" + }, { "description": "Execution of plink to perform data exfiltration and tunneling", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/04", "falsepositive": [ "Administrative activity" @@ -39127,12 +39277,12 @@ } ], "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", - "value": "Suspicious Plink Usage RDP Tunneling" + "value": "Potential RDP Tunneling Via SSH Plink" }, { "description": "Detects suspicious inline VBScript keywords as used by UNC2452", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/03/05", "falsepositive": [ "Unknown" @@ -39156,7 +39306,7 @@ { "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/30", "falsepositive": [ "Unknown" @@ -39189,7 +39339,7 @@ { "description": "Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/11", "falsepositive": [ "Unknown" @@ -39222,7 +39372,7 @@ { "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/10/14", "falsepositive": [ "Unknown" @@ -39233,8 +39383,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/binderlabs/DirCreate2System", - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://www.echotrail.io/insights/search/wermgr.exe", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" ], "tags": "No established tags" @@ -39279,7 +39429,7 @@ { "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/23", "falsepositive": [ "Unknown" @@ -39289,8 +39439,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/cmd.html", "https://twitter.com/cyb3rops/status/1562072617552678912", + "https://ss64.com/nt/cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml" ], "tags": [ @@ -39323,10 +39473,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/1187143326673330176", - "https://redcanary.com/blog/raspberry-robin/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", + "https://redcanary.com/blog/raspberry-robin/", + "https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" ], "tags": [ @@ -39349,7 +39499,7 @@ { "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Unknown" @@ -39383,7 +39533,7 @@ { "description": "Detects usage of Dsacls to grant over permissive permissions", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Legitimate administrators granting over permissive permissions to users" @@ -39393,8 +39543,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ @@ -39417,7 +39567,7 @@ { "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/02", "falsepositive": [ "Unknown" @@ -39462,9 +39612,9 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml" ], "tags": [ @@ -39524,8 +39674,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/eral4m/status/1451112385041911809", "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", + "https://twitter.com/eral4m/status/1451112385041911809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml" ], "tags": [ @@ -39559,10 +39709,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml" ], "tags": [ @@ -39661,7 +39811,7 @@ { "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/07/15", "falsepositive": [ "Software installation" @@ -39682,7 +39832,7 @@ { "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/14", "falsepositive": [ "Unlikely" @@ -39716,7 +39866,7 @@ { "description": "Detects a command that accesses password storing registry hives via volume shadow backups", "meta": { - "author": "Max Altgelt, Tobias Michalski", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "creation_date": "2021/08/09", "falsepositive": [ "Some rare backup scenarios" @@ -39726,9 +39876,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], "tags": [ @@ -39781,41 +39931,6 @@ "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "value": "Unusual Parent Process for cmd.exe" }, - { - "description": "Detects base64 encoded powershell 'Invoke-' call", - "meta": { - "author": "pH-T", - "creation_date": "2022/05/20", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_base64_invoke.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", - "value": "Suspicious Base64 Encoded Powershell Invoke" - }, { "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", "meta": { @@ -39852,7 +39967,7 @@ { "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -39920,7 +40035,7 @@ { "description": "Detects SharpLdapWhoami, a whoami alternative by asking the LDAP service on a domain controller", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/29", "falsepositive": [ "Programs that use the same command line flags" @@ -39945,7 +40060,7 @@ { "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", "meta": { - "author": "Nasreddine Bencherchali, Victor Sergeev, oscd.community", + "author": "Nasreddine Bencherchali (Nextron Systems), Victor Sergeev, oscd.community", "creation_date": "2022/05/17", "falsepositive": [ "Unknown" @@ -39979,7 +40094,7 @@ { "description": "Detects Trojan loader activity as used by APT28", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2018/03/01", "falsepositive": [ "Unknown" @@ -39989,9 +40104,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://twitter.com/ClearskySec/status/960924755355369472", + "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml" ], "tags": [ @@ -40022,6 +40137,50 @@ "uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", "value": "Sofacy Trojan Loader Activity" }, + { + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "meta": { + "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", + "creation_date": "2022/03/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_base64_reflective_assembly_load.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027", + "attack.t1620" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", + "value": "PowerShell Base64 Encoded Reflective Assembly Load" + }, { "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", "meta": { @@ -40084,8 +40243,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", + "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" ], "tags": [ @@ -40151,8 +40310,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://ss64.com/vb/cscript.html", + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml" ], "tags": [ @@ -40175,7 +40334,7 @@ { "description": "Detects email exfiltration via powershell cmdlets", "meta": { - "author": "Nasreddine Bencherchali (rule), Azure-Sentinel (idea)", + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "creation_date": "2022/09/09", "falsepositive": [ "Unknown" @@ -40185,8 +40344,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml" ], "tags": [ @@ -40199,7 +40358,7 @@ { "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/01/16", "falsepositive": [ "Various applications", @@ -40233,8 +40392,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nmap.org/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://nmap.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml" ], "tags": [ @@ -40272,7 +40431,7 @@ { "description": "Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2021/11/23", "falsepositive": [ "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", @@ -40283,8 +40442,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" ], @@ -40341,7 +40500,7 @@ { "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/06/22", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" @@ -40351,8 +40510,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" ], "tags": [ @@ -40375,7 +40534,7 @@ { "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/03", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" @@ -40385,8 +40544,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1278977301745741825", "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + "https://twitter.com/SBousseaden/status/1278977301745741825", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml" ], "tags": [ @@ -40452,14 +40611,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ @@ -40501,9 +40660,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ @@ -40560,7 +40719,7 @@ { "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Unknown" @@ -40584,7 +40743,7 @@ { "description": "Detects netsh commands that configure a port forwarding (PortProxy)", "meta": { - "author": "Florian Roth, omkar72, oscd.community", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "creation_date": "2019/01/29", "falsepositive": [ "Legitimate administration", @@ -40632,8 +40791,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ @@ -40657,7 +40816,7 @@ { "description": "Detects a set of suspicious network related commands often used in recon stages", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/07", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" @@ -40720,7 +40879,7 @@ { "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/21", "falsepositive": [ "Administrative activity" @@ -40787,7 +40946,7 @@ { "description": "Detects activity mentioned in Operation Wocao report", "meta": { - "author": "Florian Roth, frack113", + "author": "Florian Roth (Nextron Systems), frack113", "creation_date": "2019/12/20", "falsepositive": [ "Administrators that use checkadmin.exe tool to enumerate local administrators" @@ -40885,12 +41044,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" ], "tags": [ @@ -41033,7 +41192,7 @@ { "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", "meta": { - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (update)", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/10/21", "falsepositive": [ "Unlikely" @@ -41043,8 +41202,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml" ], "tags": [ @@ -41069,9 +41228,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml" ], "tags": [ @@ -41104,7 +41263,7 @@ { "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2020/07/03", "falsepositive": [ "Unknown" @@ -41114,10 +41273,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", - "https://twitter.com/max_mal_/status/1542461200797163522", "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://twitter.com/max_mal_/status/1542461200797163522", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml" ], "tags": [ @@ -41140,7 +41299,7 @@ { "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/04", "falsepositive": [ "Unknown" @@ -41150,8 +41309,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml" ], "tags": [ @@ -41164,7 +41323,7 @@ { "description": "Detects possible password spraying attempts using Dsacls", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Legitimate use of dsacls to bind to an LDAP session" @@ -41174,9 +41333,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -41260,9 +41419,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", "https://github.com/h3v0x/CVE-2021-26084_Confluence", "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml" ], "tags": [ @@ -41327,7 +41486,7 @@ { "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2020/10/12", "falsepositive": [ "Unknown" @@ -41358,41 +41517,6 @@ "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "value": "Suspicious WMIC Execution - ProcessCallCreate" }, - { - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "meta": { - "author": "Tim Rauch, Janantha Marasinghe", - "creation_date": "2022/11/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_iis_service_account_password_dumped.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", - "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ] - }, - "related": [ - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", - "value": "Microsoft IIS Service Account Password Dumped" - }, { "description": "Detects usage of nimgrab, a tool bundled with the Nim programming framework, downloading a file. This can be normal behaviour on developer systems.", "meta": { @@ -41429,7 +41553,7 @@ { "description": "Detects the use of Advanced Port Scanner.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021/12/18", "falsepositive": [ "Legitimate administrative use", @@ -41455,7 +41579,7 @@ { "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/11", "falsepositive": [ "Cases in which procdump just gets copied to a different directory without any renaming" @@ -41489,7 +41613,7 @@ { "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/07", "falsepositive": [ "Unknown" @@ -41499,10 +41623,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml" ], "tags": [ @@ -41570,7 +41694,7 @@ { "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", "meta": { - "author": "pH-T, Nasreddine Bencherchali", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022/03/15", "falsepositive": [ "Unknown" @@ -41612,7 +41736,7 @@ { "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -41657,8 +41781,8 @@ "logsource.product": "windows", "refs": [ "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", - "https://twitter.com/_felamos/status/1204705548668555264", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", + "https://twitter.com/_felamos/status/1204705548668555264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" ], "tags": [ @@ -41691,8 +41815,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" ], "tags": [ @@ -41716,8 +41840,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", + "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" ], "tags": [ @@ -41742,7 +41866,7 @@ { "description": "Detects the creation of scheduled tasks in user session", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/01/16", "falsepositive": [ "Administrative activity", @@ -41830,7 +41954,7 @@ { "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ "Unknown" @@ -41840,8 +41964,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.echotrail.io/insights/search/wusa.exe/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml" ], "tags": [ @@ -41887,7 +42011,7 @@ { "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/25", "falsepositive": [ "Legitimate command-lines containing the string mentioned in the command-line" @@ -41930,8 +42054,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml" ], "tags": [ @@ -42021,8 +42145,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://twitter.com/subTee/status/1216465628946563073", + "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml" ], "tags": [ @@ -42079,7 +42203,7 @@ { "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/22", "falsepositive": [ "Unlikely" @@ -42089,8 +42213,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" ], "tags": [ @@ -42103,7 +42227,7 @@ { "description": "Detects commands that temporarily turn off Volume Snapshots", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/01/28", "falsepositive": [ "Legitimate administration" @@ -42127,7 +42251,7 @@ { "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/09", "falsepositive": [ "Legitimate use for tracing purposes" @@ -42160,7 +42284,7 @@ { "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/27", "falsepositive": [ "Possible but rare" @@ -42193,7 +42317,7 @@ { "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", "meta": { - "author": "Florian Roth, Tim Shelton (fp werfault)", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", "creation_date": "2022/11/10", "falsepositive": [ "Unknown" @@ -42203,9 +42327,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/filip_dragovic/status/1590104354727436290", "https://twitter.com/filip_dragovic/status/1590052248260055041", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", + "https://twitter.com/filip_dragovic/status/1590104354727436290", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml" ], "tags": "No established tags" @@ -42249,7 +42373,7 @@ { "description": "Detects specific process parameters as used by Mustang Panda droppers", "meta": { - "author": "Florian Roth, oscd.community", + "author": "Florian Roth (Nextron Systems), oscd.community", "creation_date": "2019/10/30", "falsepositive": [ "Unlikely" @@ -42259,9 +42383,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml" ], "tags": [ @@ -42284,7 +42408,7 @@ { "description": "Detects the use of a Visual Studio bundled tool named DumpMinitool.exe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/06", "falsepositive": [ "Unknown" @@ -42294,8 +42418,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml" ], "tags": [ @@ -42329,8 +42453,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/muddywater/88059/", "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", + "https://securelist.com/muddywater/88059/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" ], "tags": [ @@ -42353,7 +42477,7 @@ { "description": "Detects specific process characteristics of Maze ransomware word document droppers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/05/08", "falsepositive": [ "Unlikely" @@ -42363,9 +42487,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml" ], "tags": [ @@ -42405,7 +42529,7 @@ { "description": "Detects when a program changes the default file association of any extension to an executable", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -42439,10 +42563,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/ReaQta/status/1222548288731217921", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://www.activecyber.us/activelabs/windows-uac-bypass", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://twitter.com/ReaQta/status/1222548288731217921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -42501,7 +42625,7 @@ { "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/02", "falsepositive": [ "Unknown" @@ -42536,7 +42660,7 @@ { "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/08/13", "falsepositive": [ "Admin activity", @@ -42548,8 +42672,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml" ], "tags": [ @@ -42564,7 +42688,7 @@ { "description": "Detects a ping command that uses a hex encoded IP address", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/03/23", "falsepositive": [ "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" @@ -42574,8 +42698,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", "https://twitter.com/vysecurity/status/977198418354491392", + "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml" ], "tags": [ @@ -42599,7 +42723,7 @@ { "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/28", "falsepositive": [ "Unknown" @@ -42609,8 +42733,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" ], "tags": [ @@ -42634,7 +42758,7 @@ { "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "creation_date": "2018/09/03", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_susp_powershell_base64_encoded_cmd.yml", @@ -42698,7 +42822,7 @@ { "description": "Detects a ZxShell start by the called and well-known function name", "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "creation_date": "2017/07/20", "falsepositive": [ "Unlikely" @@ -42791,27 +42915,31 @@ { "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", "meta": { - "author": "frack113", + "author": "frack113, Nasreddine Bencherchali", "creation_date": "2022/12/29", "falsepositive": [ - "Unknown" + "Legitimate usage for administration purposes" ], "filename": "proc_creation_win_lolbin_ssh.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://man.openbsd.org/ssh_config#ProxyCommand", + "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", + "https://man.openbsd.org/ssh_config#LocalCommand", "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", + "https://gtfobins.github.io/gtfobins/ssh/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1202" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -42877,8 +43005,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml" ], "tags": [ @@ -42898,6 +43026,39 @@ "uuid": "a2910908-e86f-4687-aeba-76a5f996e652", "value": "DLL Execution Via Register-cimprovider.exe" }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/05/20", + "falsepositive": [ + "Legitimate use of AnyDesk from a non-standard folder" + ], + "filename": "proc_creation_win_anydesk_execution_from_susp_folders.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_execution_from_susp_folders.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "value": "Anydesk Execution From Suspicious Folder" + }, { "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", "meta": { @@ -42934,7 +43095,7 @@ { "description": "Shadow Copies deletion using operating systems utilities", "meta": { - "author": "Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "creation_date": "2019/10/22", "falsepositive": [ "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", @@ -42946,14 +43107,14 @@ "logsource.product": "windows", "refs": [ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://github.com/Neo23x0/Raccine#the-process", - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://blog.talosintelligence.com/2017/05/wannacry.html", "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://github.com/Neo23x0/Raccine#the-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml" ], "tags": [ @@ -42978,7 +43139,7 @@ { "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/12", "falsepositive": [ "Unknown" @@ -43014,8 +43175,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], @@ -43059,8 +43220,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml" ], "tags": [ @@ -43150,7 +43311,7 @@ { "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/10", "falsepositive": [ "Administrative activity" @@ -43183,7 +43344,7 @@ { "description": "Detects suspicious command line arguments of common data compression tools", "meta": { - "author": "Florian Roth, Samir Bousseaden", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "creation_date": "2019/10/15", "falsepositive": [ "Unknown" @@ -43226,11 +43387,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", "https://twitter.com/bohops/status/980659399495741441", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml" ], "tags": [ @@ -43253,7 +43414,7 @@ { "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/09", "falsepositive": [ "Unknown" @@ -43296,8 +43457,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml" ], "tags": [ @@ -43330,8 +43491,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", "https://twitter.com/bryon_/status/975835709587075072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" ], @@ -43394,6 +43555,39 @@ "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", "value": "Abused Debug Privilege by Arbitrary Parent Processes" }, + { + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/12", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_ssh_rdp_tunneling.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "value": "Potential RDP Tunneling Via SSH" + }, { "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "meta": { @@ -43432,7 +43626,7 @@ { "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" @@ -43465,7 +43659,7 @@ { "description": "Detects a service binary running in a suspicious directory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/03/09", "falsepositive": [ "Unknown" @@ -43522,7 +43716,7 @@ { "description": "Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/27", "falsepositive": [ "Unlikely" @@ -43532,8 +43726,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cube0x0", "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", + "https://github.com/cube0x0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml" ], "tags": "No established tags" @@ -43544,7 +43738,7 @@ { "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/11/26", "falsepositive": [ "Unknown" @@ -43554,8 +43748,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml" ], "tags": [ @@ -43588,10 +43782,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" ], "tags": [ @@ -43616,7 +43810,7 @@ { "description": "Detects suspicious powershell invocations from interpreters or unusual programs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/01/16", "falsepositive": [ "Microsoft Operations Manager (MOM)", @@ -43650,7 +43844,7 @@ { "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/11/18", "falsepositive": [ "Procdump illegaly bundled with legitimate software", @@ -43694,8 +43888,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.scythe.io/library/threat-emulation-qakbot", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://www.scythe.io/library/threat-emulation-qakbot", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" ], "tags": [ @@ -43717,7 +43911,7 @@ { "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", "meta": { - "author": "Nasreddine Bencherchali, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "author": "Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2022/06/14", "falsepositive": [ "Legitimate use by a via a batch script or by an administrator." @@ -43751,7 +43945,7 @@ { "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022/01/24", "falsepositive": [ "Legitimate use by administrators" @@ -43787,7 +43981,7 @@ { "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/24", "falsepositive": [ "Scripts or tools that download files and execute them" @@ -43830,8 +44024,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" ], "tags": [ @@ -43845,7 +44039,7 @@ { "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", "meta": { - "author": "Nik Seetharaman, Christian Burkard", + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "creation_date": "2019/07/31", "falsepositive": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" @@ -43856,9 +44050,9 @@ "logsource.product": "windows", "refs": [ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://twitter.com/hFireF0X/status/897640081053364225", "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/hfiref0x/UACME", + "https://twitter.com/hFireF0X/status/897640081053364225", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" ], "tags": [ @@ -43918,7 +44112,7 @@ { "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/21", "falsepositive": [ "Unknown" @@ -43991,7 +44185,7 @@ { "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/04/29", "falsepositive": [ "Possible Admin Activity", @@ -44002,8 +44196,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], @@ -44018,7 +44212,7 @@ { "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/22", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment", @@ -44030,9 +44224,9 @@ "logsource.product": "windows", "refs": [ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", - "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", - "https://twitter.com/cyb3rops/status/1186631731543236608", "https://github.com/Neo23x0/DLLRunner", + "https://twitter.com/cyb3rops/status/1186631731543236608", + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml" ], "tags": [ @@ -44088,7 +44282,7 @@ { "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/10/22", "falsepositive": [ "Renamed SysInternals tool" @@ -44123,7 +44317,7 @@ { "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/01", "falsepositive": [ "Unknown" @@ -44166,8 +44360,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" ], @@ -44266,7 +44460,7 @@ { "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/11", "falsepositive": [ "Unknown" @@ -44310,8 +44504,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml" ], "tags": [ @@ -44325,7 +44519,7 @@ { "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", "meta": { - "author": "Florian Roth, Maxime Thiebaut", + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", "creation_date": "2021/08/23", "falsepositive": [ "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" @@ -44335,8 +44529,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/j0nh4t/status/1429049506021138437", "https://streamable.com/q2dsji", + "https://twitter.com/j0nh4t/status/1429049506021138437", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml" ], "tags": [ @@ -44356,63 +44550,6 @@ "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", "value": "Suspicious RazerInstaller Explorer Subprocess" }, - { - "description": "Detects a base64 encoded IEX command string in a process command line", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_encoded_iex.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_iex.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", - "value": "Encoded IEX" - }, - { - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_windowsoptionalfeature.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", - "value": "Potential Suspicious Windows Feature Enabled - ProcCreation" - }, { "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "meta": { @@ -44449,7 +44586,7 @@ { "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/12/04", "falsepositive": [ "Unknown" @@ -44484,7 +44621,7 @@ { "description": "Detects typical Dridex process patterns", "meta": { - "author": "Florian Roth, oscd.community", + "author": "Florian Roth (Nextron Systems), oscd.community", "creation_date": "2019/01/10", "falsepositive": [ "Unlikely" @@ -44545,7 +44682,7 @@ { "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/01", "falsepositive": [ "Unlikely" @@ -44579,8 +44716,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0488/", "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", + "https://attack.mitre.org/software/S0488/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml" ], "tags": [ @@ -44597,7 +44734,7 @@ { "description": "Detects a \"dllhost\" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/27", "falsepositive": [ "Unlikely" @@ -44632,9 +44769,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", - "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ @@ -44646,6 +44783,40 @@ "uuid": "70bc5215-526f-4477-963c-a47a5c9ebd12", "value": "Potential Active Directory Enumeration Using AD Module - ProcCreation" }, + { + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/28", + "falsepositive": [ + "Software installers that pull packages from remote systems and execute them" + ], + "filename": "proc_creation_win_powershell_susp_download_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "value": "Suspicious PowerShell Download and Execute Pattern" + }, { "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", "meta": { @@ -44659,10 +44830,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://twitter.com/0gtweet/status/1583356502340870144", "https://lolbas-project.github.io/lolbas/Binaries/Setres/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", + "https://twitter.com/0gtweet/status/1583356502340870144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" ], "tags": [ @@ -44703,11 +44874,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" ], "tags": [ @@ -44730,7 +44901,7 @@ { "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)", "meta": { - "author": "Max Altgelt, Tobias Michalski", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "creation_date": "2021/08/09", "falsepositive": [ "Some rare backup scenarios" @@ -44740,9 +44911,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml" ], "tags": [ @@ -44765,7 +44936,7 @@ { "description": "Detects execution of a set of builtin commands often used in recon stages by different attack groups", "meta": { - "author": "Florian Roth, Markus Neis", + "author": "Florian Roth (Nextron Systems), Markus Neis", "creation_date": "2018/08/22", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" @@ -44775,8 +44946,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/c_APT_ure/status/939475433711722497", "https://twitter.com/haroonmeer/status/939099379834658817", + "https://twitter.com/c_APT_ure/status/939475433711722497", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml" ], @@ -44793,7 +44964,7 @@ { "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/02", "falsepositive": [ "Unlikely" @@ -44817,7 +44988,7 @@ { "description": "Detects wscript/cscript executions of scripts located in user directories", "meta": { - "author": "Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community", + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", "creation_date": "2019/01/16", "falsepositive": [ "Winzip", @@ -44858,7 +45029,7 @@ { "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/22", "falsepositive": [ "Unknown" @@ -44891,7 +45062,7 @@ { "description": "Detects a suspicious script executions from temporary folder", "meta": { - "author": "Florian Roth, Max Altgelt, Tim Shelton", + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "creation_date": "2021/07/14", "falsepositive": [ "Administrative scripts" @@ -44922,9 +45093,9 @@ "value": "Suspicious Script Execution From Temp Folder" }, { - "description": "Detects suspicious FromBase64String expressions in command line arguments", + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/01/29", "falsepositive": [ "Administrative script libraries" @@ -44961,45 +45132,12 @@ } ], "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", - "value": "FromBase64String Command Line" - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/20", - "falsepositive": [ - "Legitimate use of AnyDesk from a non-standard folder" - ], - "filename": "proc_creation_win_anydesk_susp_folder.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "related": [ - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", - "value": "Use of Anydesk Remote Access Software from Suspicious Folder" + "value": "Base64 Encoded PowerShell Command Detected" }, { "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/04", "falsepositive": [ "Unknown" @@ -45103,7 +45241,7 @@ { "description": "Detects usage of Sysinternals PsService for service reconnaissance or tamper", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/16", "falsepositive": [ "Legitimate use of PsService by an administrator" @@ -45128,7 +45266,7 @@ { "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2021/12/27", "falsepositive": [ "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" @@ -45138,8 +45276,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1475085452784844803?s=12", "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", + "https://twitter.com/mrd0x/status/1475085452784844803?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": "No established tags" @@ -45150,7 +45288,7 @@ { "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/22", "falsepositive": [ "Unknown" @@ -45174,7 +45312,7 @@ { "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/01/22", "falsepositive": [ "Unknown" @@ -45207,7 +45345,7 @@ { "description": "Detects reg command lines that disable certain important features of Microsoft Defender", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/22", "falsepositive": [ "Rare legitimate use by administrators to test software (should always be investigated)" @@ -45217,8 +45355,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml" ], "tags": [ @@ -45267,8 +45405,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/defaultpack.exe", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", + "https://www.echotrail.io/insights/search/defaultpack.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml" ], "tags": [ @@ -45292,7 +45430,7 @@ { "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/08/24", "falsepositive": [ "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", @@ -45303,10 +45441,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", - "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml" ], "tags": [ @@ -45329,7 +45467,7 @@ { "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Unknown" @@ -45362,7 +45500,7 @@ { "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/24", "falsepositive": [ "Very unlikely" @@ -45372,8 +45510,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml" ], "tags": [ @@ -45406,8 +45544,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml" ], "tags": [ @@ -45449,9 +45587,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ @@ -45491,7 +45629,7 @@ { "description": "Detects suspicious command line patterns as seen being used by MERCURY threat actor", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/26", "falsepositive": [ "Unknown" @@ -45558,7 +45696,7 @@ { "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Outlook", "meta": { - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "creation_date": "2022/02/28", "falsepositive": [ "Unknown" @@ -45592,7 +45730,7 @@ { "description": "Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata", "meta": { - "author": "Christian Burkard, Florian Roth", + "author": "Christian Burkard (Nextron Systems), Florian Roth", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -45694,7 +45832,7 @@ { "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/01/21", "falsepositive": [ "Legitimate deinstallation by administrative staff" @@ -45718,7 +45856,7 @@ { "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/18", "falsepositive": [ "Unknown" @@ -45761,8 +45899,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" ], "tags": [ @@ -45794,7 +45932,7 @@ { "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code", "meta": { - "author": "Florian Roth, juju4, keepwatch", + "author": "Florian Roth (Nextron Systems), juju4, keepwatch", "creation_date": "2019/01/16", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" @@ -45804,11 +45942,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://twitter.com/egre55/status/1087685529016193025", "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", - "https://twitter.com/egre55/status/1087685529016193025", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml" ], "tags": [ @@ -45857,8 +45995,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml" ], "tags": [ @@ -45872,7 +46010,7 @@ { "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", "meta": { - "author": "Florian Roth (rule), David ANDRE (additional keywords)", + "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "creation_date": "2021/12/20", "falsepositive": [ "Administrative activity", @@ -45929,7 +46067,7 @@ { "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/31", "falsepositive": [ "Some installers were seen using this method of creation unfortunately. Filter them in your environment" @@ -46007,8 +46145,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", + "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" ], "tags": [ @@ -46050,8 +46188,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml" ], "tags": [ @@ -46076,7 +46214,7 @@ { "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/12", "falsepositive": [ "Legitimate admin scripts" @@ -46109,7 +46247,7 @@ { "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -46119,9 +46257,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], @@ -46155,7 +46293,7 @@ { "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/05", "falsepositive": [ "Administrative activity (rare lookups on current privileges)" @@ -46204,7 +46342,7 @@ { "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/09/03", "falsepositive": [ "Unknown" @@ -46214,8 +46352,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965", "https://twitter.com/cyb3rops/status/1168863899531132929", + "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml" ], "tags": [ @@ -46229,7 +46367,7 @@ { "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/03", "falsepositive": [ "Possible Admin Activity", @@ -46240,9 +46378,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -46256,7 +46394,7 @@ { "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/01", "falsepositive": [ "Legitimate use when App-v is deployed" @@ -46287,10 +46425,43 @@ "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420", "value": "Use of Scriptrunner.exe" }, + { + "description": "Detects the Installation of a Exchange Transport Agent", + "meta": { + "author": "Tobias Michalski (Nextron Systems)", + "creation_date": "2021/06/08", + "falsepositive": [ + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + ], + "filename": "proc_creation_win_msexchange_transport_agent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msexchange_transport_agent.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.002" + ] + }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", + "value": "MSExchange Transport Agent Installation" + }, { "description": "Detects usage of cmdkey to look for cached credentials", "meta": { - "author": "jmallette, Florian Roth, Nasreddine Bencherchali (update)", + "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/01/16", "falsepositive": [ "Legitimate administrative tasks" @@ -46321,10 +46492,61 @@ "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "value": "Cmdkey Cached Credentials Recon" }, + { + "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "value": "Suspicious WMI Execution Via Office Process" + }, { "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -46334,9 +46556,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], @@ -46370,7 +46592,7 @@ { "description": "Detects when a user downloads file by using CertOC.exe", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/05/16", "falsepositive": [ "Unknown" @@ -46403,7 +46625,7 @@ { "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/24", "falsepositive": [ "Legitimate files with these rare hacktool names" @@ -46413,12 +46635,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/04/13/hot-potato/", "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://github.com/ohpe/juicy-potato", + "https://pentestlab.blog/2017/04/13/hot-potato/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://github.com/ohpe/juicy-potato", "https://www.localpotato.com/", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" ], "tags": [ @@ -46441,7 +46663,7 @@ { "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", "meta": { - "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", + "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", "creation_date": "2019/03/04", "falsepositive": [ "Unknown" @@ -46485,9 +46707,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nmap.org/ncat/", - "https://www.revshells.com/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://www.revshells.com/", + "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml" ], "tags": [ @@ -46543,7 +46765,7 @@ { "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", "meta": { - "author": "@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community", + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019/03/22", "falsepositive": [ "Unknown" @@ -46571,7 +46793,7 @@ { "description": "Detects suspicious powershell command line parameters used in Empire", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/04/20", "falsepositive": [ "Other tools that incidentally use the same command line parameters" @@ -46582,8 +46804,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml" ], @@ -46632,7 +46854,7 @@ { "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021/12/18", "falsepositive": [ "Another tool that uses the command line switches of PsLogList", @@ -46643,10 +46865,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", - "https://twitter.com/EricaZelic/status/1614075109827874817", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://twitter.com/EricaZelic/status/1614075109827874817", + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml" ], "tags": [ @@ -46681,9 +46903,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/frack113/status/1555830623633375232", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" ], "tags": [ @@ -46772,7 +46994,7 @@ { "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -46782,8 +47004,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml" ], @@ -46817,7 +47039,7 @@ { "description": "Detects usage of wmic to start or stop a service", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Unknown" @@ -46850,7 +47072,7 @@ { "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/02", "falsepositive": [ "Unknown" @@ -46883,7 +47105,7 @@ { "description": "Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' subkeys", "meta": { - "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T", + "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T (Nextron Systems)", "creation_date": "2022/02/12", "falsepositive": [ "Unknown" @@ -46952,11 +47174,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/Hexacorn/status/885570278637678592", + "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "https://twitter.com/Hexacorn/status/885553465417756673", "https://twitter.com/vysecurity/status/885545634958385153", - "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" ], "tags": [ @@ -46979,7 +47201,7 @@ { "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Unknown" @@ -47013,7 +47235,7 @@ { "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021/12/09", "falsepositive": [ "Unknown" @@ -47036,7 +47258,7 @@ { "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/10/10", "falsepositive": [ "Sometimes used by developers or system administrators for debugging purposes" @@ -47046,8 +47268,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://processhacker.sourceforge.io/", "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://processhacker.sourceforge.io/", "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml" ], @@ -47069,8 +47291,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" ], "tags": [ @@ -47079,12 +47301,12 @@ ] }, "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "value": "Possible Privilege Escalation via Service Permissions Weakness" + "value": "Potential Privilege Escalation via Service Permissions Weakness" }, { "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/12", "falsepositive": [ "Unlikely" @@ -47117,7 +47339,7 @@ { "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/14", "falsepositive": [ "Unlikely" @@ -47140,7 +47362,7 @@ { "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", "meta": { - "author": "Sreeman, Florian Roth, Frack113", + "author": "Sreeman, Florian Roth (Nextron Systems), Frack113", "creation_date": "2020/04/21", "falsepositive": [ "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." @@ -47150,8 +47372,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://lolbas-project.github.io/lolbas/Binaries/Winget/", + "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" ], "tags": [ @@ -47175,7 +47397,7 @@ { "description": "Detects the use of KrbRelay, a Kerberos relaying tool", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/27", "falsepositive": [ "Unlikely" @@ -47199,7 +47421,7 @@ { "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/21", "falsepositive": [ "Legitimate usage of \".diagcab\" files" @@ -47232,7 +47454,7 @@ { "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "meta": { - "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "creation_date": "2017/11/10", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_mal_adwind.yml", @@ -47240,8 +47462,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" ], "tags": [ @@ -47272,7 +47494,7 @@ { "description": "Detects the use of Windows Credential Editor (WCE)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/12/31", "falsepositive": [ "Another service that uses a single -s command line switch" @@ -47340,7 +47562,7 @@ { "description": "Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Unknown" @@ -47350,8 +47572,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml" ], "tags": [ @@ -47384,8 +47606,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/nt/for.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/ps/foreach-object.htmll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" ], @@ -47411,7 +47633,7 @@ { "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/11", "falsepositive": [ "Legitimate tools that accidentally match on the searched patterns" @@ -47432,7 +47654,7 @@ { "description": "Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/01", "falsepositive": [ "Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry" @@ -47463,47 +47685,6 @@ "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "value": "Suspicious Stop Windows Service" }, - { - "description": "Detects a base64 encoded FromBase64String keyword in a process command line", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_encoded_frombase64string.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "value": "Encoded FromBase64String" - }, { "description": "Detect use of TruffleSnout.exe", "meta": { @@ -47541,7 +47722,7 @@ { "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model...etc.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/08", "falsepositive": [ "Unknown" @@ -47585,8 +47766,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/mattifestation/status/1196390321783025666", "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], @@ -47629,9 +47810,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -47664,9 +47845,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" ], "tags": [ @@ -47706,7 +47887,7 @@ { "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/29", "falsepositive": [ "Unlikely" @@ -47774,7 +47955,7 @@ "value": "Rundll32 Without Parameters" }, { - "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN", + "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", "meta": { "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", "creation_date": "2020/10/05", @@ -47787,8 +47968,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535431474429808642", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml" ], "tags": [ @@ -47815,12 +47996,12 @@ } ], "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", - "value": "WSL Execution" + "value": "Arbitrary Command Execution Using WSL" }, { "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", "meta": { - "author": "Florian Roth (rule), Microsoft (idea)", + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "creation_date": "2022/08/04", "falsepositive": [ "Administrative activity" @@ -47897,7 +48078,7 @@ { "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/10", "falsepositive": [ "Other parent processes other than notepad++ using GUP that are not currently identified" @@ -47963,7 +48144,7 @@ { "description": "Detects svchost process spawning an instance of an office application. This happens when the initial word application create an instance of one of the office COM objects such as 'Word.Application', 'Excel.Application'...etc. This can be used by malicious actor to create a malicious office document with macros on the fly. (See vba2clr project in reference)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/13", "falsepositive": [ "Legitimate usage of office automation via scripting" @@ -47973,8 +48154,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/med0x2e/vba2clr", "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", + "https://github.com/med0x2e/vba2clr", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml" ], "tags": [ @@ -48022,8 +48203,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_felamos/status/1179811992841797632", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml" ], "tags": [ @@ -48046,7 +48227,7 @@ { "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/02/21", "falsepositive": [ "Unknown" @@ -48106,7 +48287,7 @@ { "description": "Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/27", "falsepositive": [ "Legitimate use of 7-Zip with a command line in which .dmp appears accidentally" @@ -48139,7 +48320,7 @@ { "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", "meta": { - "author": "Florian Roth (rule), @blu3_team (idea)", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea)", "creation_date": "2019/06/26", "falsepositive": [ "Unknown" @@ -48149,8 +48330,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/blackorbird/status/1140519090961825792", "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ @@ -48164,7 +48345,7 @@ { "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/03/25", "falsepositive": [ "Unknown" @@ -48217,7 +48398,7 @@ { "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ "Unlikely" @@ -48242,7 +48423,7 @@ { "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/14", "falsepositive": [ "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" @@ -48276,7 +48457,7 @@ { "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/02", "falsepositive": [ "Unknown" @@ -48307,61 +48488,10 @@ "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "value": "Wsudo Suspicious Execution" }, - { - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_office_proxy_exec_wmic.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", - "value": "Office Processes Proxy Execution Through WMIC" - }, { "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/11", "falsepositive": [ "FQDNs that start with a number" @@ -48371,8 +48501,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/tccontre18/status/1480950986650832903", "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", + "https://twitter.com/tccontre18/status/1480950986650832903", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml" ], "tags": [ @@ -48395,7 +48525,7 @@ { "description": "Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/05", "falsepositive": [ "Scripts created by developers and admins", @@ -48427,9 +48557,9 @@ "value": "Curl Usage on Windows" }, { - "description": "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll", + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", "meta": { - "author": "Markus Neis", + "author": "Markus Neis, Nasreddine Bencherchali", "creation_date": "2018/08/25", "falsepositive": [ "Unknown" @@ -48457,7 +48587,7 @@ } ], "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", - "value": "Detection of PowerShell Execution via DLL" + "value": "Potential PowerShell Execution Via DLL" }, { "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", @@ -48495,7 +48625,7 @@ { "description": "Detects suspicious child processes spawned by PowerShell", "meta": { - "author": "Florian Roth, Tim Shelton", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2022/04/26", "falsepositive": [ "Unknown" @@ -48540,7 +48670,7 @@ { "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/09/01", "falsepositive": [ "Unknown" @@ -48571,10 +48701,44 @@ "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "value": "Suspicious Net Use Command Combo" }, + { + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "meta": { + "author": "Olaf Hartong", + "creation_date": "2019/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_bearlpe_potential_exploitation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bearlpe_potential_exploitation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "value": "Potential BearLPE Exploitation" + }, { "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/09/15", "falsepositive": [ "Unknown" @@ -48584,8 +48748,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" ], "tags": [ @@ -48618,7 +48782,7 @@ { "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Unknown" @@ -48648,43 +48812,10 @@ "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d", "value": "Suspicious CustomShellHost Execution" }, - { - "description": "Detects reg command lines that disables PPL on the LSA process", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/22", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_reg_lsass_ppl.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.010" - ] - }, - "related": [ - { - "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", - "value": "Registry Disabling LSASS PPL" - }, { "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Legitimate administrative tasks" @@ -48737,54 +48868,10 @@ "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", "value": "Potential Persistence Execution Via Microsoft Compatibility Appraiser" }, - { - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "meta": { - "author": "Christian Burkard, pH-T", - "creation_date": "2022/03/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_base64_reflective_assembly_load.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027", - "attack.t1620" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "value": "Base64 Encoded Reflective Assembly Load" - }, { "description": "Detects scheduled task creations or modification on a suspicious schedule type", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ "Legitmate processes that run at logon. Filter according to your environment" @@ -48794,8 +48881,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" ], @@ -48829,8 +48916,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml" ], "tags": [ @@ -48895,7 +48982,7 @@ { "description": "Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Unknown" @@ -48906,8 +48993,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml" ], "tags": [ @@ -48927,10 +49014,43 @@ "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", "value": "WMIC Unquoted Services Path Lookup" }, + { + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", + "meta": { + "author": "frack113", + "creation_date": "2022/01/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_iis_appcmd_http_logging.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "value": "Disable Windows IIS HTTP Logging" + }, { "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/22", "falsepositive": [ "Unknown" @@ -48940,8 +49060,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/orange_8361/status/1518970259868626944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -48955,7 +49075,7 @@ { "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/21", "falsepositive": [ "Unknown" @@ -48966,11 +49086,11 @@ "logsource.product": "windows", "refs": [ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://www.joeware.net/freetools/tools/adfind/", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.joeware.net/freetools/tools/adfind/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml" ], "tags": [ @@ -49037,7 +49157,7 @@ { "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/06/28", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", @@ -49049,8 +49169,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", + "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" ], "tags": [ @@ -49059,12 +49179,12 @@ ] }, "uuid": "de587dce-915e-4218-aac4-835ca6af6f70", - "value": "Reg Add RUN Key" + "value": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" }, { "description": "Detects activity that could be related to Baby Shark malware", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/02/24", "falsepositive": [ "Unknown" @@ -49208,7 +49328,7 @@ { "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/02", "falsepositive": [ "Unknown" @@ -49219,8 +49339,8 @@ "logsource.product": "windows", "refs": [ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.revshells.com/", "https://www.php.net/manual/en/features.commandline.php", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -49243,7 +49363,7 @@ { "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/28", "falsepositive": [ "Unknown" @@ -49277,9 +49397,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", - "https://ss64.com/bash/rar.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://ss64.com/bash/rar.html", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml" ], "tags": [ @@ -49302,7 +49422,7 @@ { "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/07/17", "falsepositive": [ "Unknown" @@ -49370,7 +49490,7 @@ { "description": "Detects the execution of whoami with suspicious parents or parameters", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/12", "falsepositive": [ "Admin activity", @@ -49382,9 +49502,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" ], "tags": [ @@ -49399,7 +49519,7 @@ { "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/31", "falsepositive": [ "Unknown" @@ -49432,7 +49552,7 @@ { "description": "Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/22", "falsepositive": [ "Unknown" @@ -49466,7 +49586,7 @@ { "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/12/06", "falsepositive": [ "Administrative activity" @@ -49512,8 +49632,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" ], "tags": [ @@ -49524,42 +49644,10 @@ "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", "value": "Suspicious Service DACL Modification" }, - { - "description": "Detects a Powershell process that contains download commands in its command line string", - "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_powershell_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", - "value": "PowerShell Download from URL" - }, { "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022/08/23", "falsepositive": [ "Unknown" @@ -49582,7 +49670,7 @@ { "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/05/19", "falsepositive": [ "Unknown" @@ -49606,7 +49694,7 @@ { "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/11", "falsepositive": [ "Unknown" @@ -49640,7 +49728,7 @@ { "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/19", "falsepositive": [ "Unknown" @@ -49667,7 +49755,7 @@ { "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/18", "falsepositive": [ "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" @@ -49677,8 +49765,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml" ], "tags": [ @@ -49693,7 +49781,7 @@ { "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", "meta": { - "author": "Thomas Patzke, Florian Roth, Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (update)", + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/01/16", "falsepositive": [ "Particular web applications may spawn a shell process legitimately" @@ -49737,14 +49825,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ @@ -49776,7 +49864,7 @@ { "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/28", "falsepositive": [ "Unknown" @@ -49842,7 +49930,7 @@ { "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/12/22", "falsepositive": [ "Unknown" @@ -49909,12 +49997,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml" ], "tags": [ @@ -49929,7 +50017,7 @@ { "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", "meta": { - "author": "Elastic (idea), Tobias Michalski", + "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "creation_date": "2022/05/04", "falsepositive": [ "Unknown" @@ -49964,7 +50052,7 @@ { "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020/05/02", "falsepositive": [ "Unknown" @@ -49999,8 +50087,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" ], "tags": [ @@ -50023,7 +50111,7 @@ { "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ "Unlikely" @@ -50056,7 +50144,7 @@ { "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", "meta": { - "author": "Florian Roth (rule), MSTI (query)", + "author": "Florian Roth (Nextron Systems), MSTI (query)", "creation_date": "2022/10/01", "falsepositive": [ "Unknown" @@ -50114,7 +50202,7 @@ { "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/12", "falsepositive": [ "Unknown" @@ -50124,9 +50212,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml" ], "tags": [ @@ -50149,7 +50237,7 @@ { "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2023/01/18", "falsepositive": [ "Legitimate sub processes started by Manage Engine ServiceDesk Pro" @@ -50160,8 +50248,8 @@ "logsource.product": "windows", "refs": [ "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", - "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", + "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml" ], "tags": "No established tags" @@ -50172,7 +50260,7 @@ { "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", "meta": { - "author": "Florian Roth, Markus Neis", + "author": "Florian Roth (Nextron Systems), Markus Neis", "creation_date": "2020/02/01", "falsepositive": [ "Unlikely" @@ -50207,9 +50295,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", - "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", + "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml" ], "tags": [ @@ -50266,7 +50354,7 @@ { "description": "Detects suspicious execution of Regasm/Regsvcs utilities", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/25", "falsepositive": [ "Unknown" @@ -50276,9 +50364,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" ], "tags": [ @@ -50301,7 +50389,7 @@ { "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", "meta": { - "author": "pH-T, Nasreddine Bencherchali (update)", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/27", "falsepositive": [ "Unknown" @@ -50311,10 +50399,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", - "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml" ], "tags": [ @@ -50334,36 +50422,10 @@ "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", "value": "Browser Started with Remote Debugging" }, - { - "description": "Detect use of PDQ Deploy remote admin tool", - "meta": { - "author": "frack113", - "creation_date": "2022/10/01", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_pdq_deploy.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", - "https://www.pdq.com/pdq-deploy/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml" - ], - "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" - ] - }, - "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", - "value": "Use of PDQ Deploy Remote Adminstartion Tool" - }, { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/05", "falsepositive": [ "Unknown" @@ -50395,8 +50457,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml" ], "tags": [ @@ -50410,7 +50472,7 @@ { "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "meta": { - "author": "Matthew Green - @mgreen27, Florian Roth, frack113", + "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "creation_date": "2019/06/15", "falsepositive": [ "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist" @@ -50421,10 +50483,10 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://twitter.com/christophetd/status/1164506034720952320", - "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ @@ -50458,8 +50520,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml" ], "tags": [ @@ -50482,7 +50544,7 @@ { "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/05/24", "falsepositive": [ "Other tools that work with encoded scripts in the command line instead of script files" @@ -50537,10 +50599,35 @@ "uuid": "42b1a5b8-353f-4f10-b256-39de4467faff", "value": "Harvesting of Wifi Credentials Using netsh.exe" }, + { + "description": "Detects suspicious IIS native-code module installations via command line", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/12/11", + "falsepositive": [ + "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" + ], + "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", + "value": "IIS Native-Code Module Command Line Installation" + }, { "description": "Detects scheduled task creations that have suspicious action command and folder combinations", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/15", "falsepositive": [ "Unknown" @@ -50583,8 +50670,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", "https://adsecurity.org/?p=2288", + "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ @@ -50607,7 +50694,7 @@ { "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/21", "falsepositive": [ "Benign scheduled tasks creations or executions that happen often during software installations", @@ -50618,8 +50705,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml" ], "tags": [ @@ -50642,7 +50729,7 @@ { "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/18", "falsepositive": [ "Unknown" @@ -50652,8 +50739,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -50677,8 +50764,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" ], "tags": [ @@ -50692,7 +50779,7 @@ { "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/07/13", "falsepositive": [ "Unknown" @@ -50725,7 +50812,7 @@ { "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/12", "falsepositive": [ "Unknown" @@ -50751,7 +50838,7 @@ { "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/06/12", "falsepositive": [ "Unknown" @@ -50761,8 +50848,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/", + "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml" ], "tags": [ @@ -50777,7 +50864,7 @@ { "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "creation_date": "2019/09/06", "falsepositive": [ "Unknown" @@ -50847,8 +50934,8 @@ "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml" ], "tags": [ @@ -50904,7 +50991,7 @@ { "description": "Detects usage of attrib with \"+s\" option to set suspicious script or executable as system files to hide them from users and make them unable to delete with simple rights. The rule limit the search to specific extensions and directories to avoid FP's", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -50938,7 +51025,7 @@ { "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/27", "falsepositive": [ "Unlikely" @@ -50971,7 +51058,7 @@ { "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", "meta": { - "author": "Florian Roth, Tom Ueltschi", + "author": "Florian Roth (Nextron Systems), Tom Ueltschi", "creation_date": "2019/01/16", "falsepositive": [ "Unknown" @@ -51204,9 +51291,9 @@ "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml" ], "tags": [ @@ -51257,11 +51344,11 @@ "logsource.product": "windows", "refs": [ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://www.joeware.net/freetools/tools/adfind/", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.joeware.net/freetools/tools/adfind/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml" ], "tags": [ @@ -51294,7 +51381,7 @@ { "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/24", "falsepositive": [ "Unknown" @@ -51304,10 +51391,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", - "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://en.wikipedia.org/wiki/Hangul_(word_processor)", + "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://blog.alyac.co.kr/1901", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], @@ -51432,7 +51519,7 @@ { "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/05", "falsepositive": [ "Unlikely" @@ -51442,8 +51529,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/quarkslab/quarkspwdump", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml" ], "tags": [ @@ -51463,39 +51550,6 @@ "uuid": "0685b176-c816-4837-8e7b-1216f346636b", "value": "Quarks PwDump Usage" }, - { - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/12", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_ssh_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572" - ] - }, - "related": [ - { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", - "value": "Suspicious SSH Usage RDP Tunneling" - }, { "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", "meta": { @@ -51509,9 +51563,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1534957360032120833", - "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", + "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", + "https://twitter.com/nas_bench/status/1534957360032120833", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml" ], "tags": [ @@ -51601,7 +51655,7 @@ { "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/20", "falsepositive": [ "Unlikely" @@ -51644,8 +51698,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml" ], "tags": [ @@ -51668,7 +51722,7 @@ { "description": "Detects Archer malware invocation via rundll32", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/06/03", "falsepositive": [ "Unknown" @@ -51805,7 +51859,7 @@ { "description": "Detects Elise backdoor acitivty as used by APT32", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/01/31", "falsepositive": [ "Unknown" @@ -51899,7 +51953,7 @@ { "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/23", "falsepositive": [ "Unknown" @@ -51942,8 +51996,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", + "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml" ], "tags": [ @@ -51974,7 +52028,7 @@ { "description": "Detects suspicious renamed SysInternals DebugView execution", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/05/28", "falsepositive": [ "Unknown" @@ -52007,7 +52061,7 @@ { "description": "Detects suspicious mshta process patterns", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/17", "falsepositive": [ "Unknown" @@ -52017,8 +52071,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://en.wikipedia.org/wiki/HTML_Application", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://www.echotrail.io/insights/search/mshta.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml" ], @@ -52052,8 +52106,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", + "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml" ], "tags": "No established tags" @@ -52064,7 +52118,7 @@ { "description": "Detects the use of 3proxy, a tiny free proxy server", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/13", "falsepositive": [ "Administrative activity" @@ -52098,7 +52152,7 @@ { "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/19", "falsepositive": [ "Unknown" @@ -52123,7 +52177,7 @@ { "description": "Detects a suspicious curl process start the adds a file to a web request", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/03", "falsepositive": [ "Scripts created by developers and admins" @@ -52133,9 +52187,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://curl.se/docs/manpage.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://twitter.com/d1r4c/status/1279042657508081664", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml" ], @@ -52167,7 +52221,7 @@ { "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -52211,8 +52265,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Tylous/ZipExec", "https://twitter.com/SBousseaden/status/1451237393017839616", + "https://github.com/Tylous/ZipExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml" ], "tags": [ @@ -52359,7 +52413,7 @@ { "description": "Detects encoded base64 MZ header in the commandline", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/12", "falsepositive": [ "Unlikely" @@ -52392,8 +52446,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml" ], @@ -52462,9 +52516,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", - "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml" ], "tags": [ @@ -52478,7 +52532,7 @@ { "description": "Detects a suspicious copy command to or from an Admin share or remote", "meta": { - "author": "Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "creation_date": "2019/12/30", "falsepositive": [ "Administrative scripts" @@ -52488,10 +52542,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1211636381086339073", - "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + "https://twitter.com/SBousseaden/status/1211636381086339073", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -52518,7 +52572,7 @@ { "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/13", "falsepositive": [ "Unknown" @@ -52552,7 +52606,7 @@ { "description": "Detects the use of SharpEvtHook, a tool to tamper with Windows event logs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/07", "falsepositive": [ "Unknown" @@ -52628,7 +52682,7 @@ { "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/17", "falsepositive": [ "Rare intended use of hidden services" @@ -52679,7 +52733,7 @@ { "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/12/07", "falsepositive": [ "Unlikely" @@ -52701,7 +52755,7 @@ "value": "DInject PowerShell Cradle CommandLine Flags" }, { - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\". Its path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe", + "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", "meta": { "author": "Sreeman", "creation_date": "2020/04/17", @@ -52736,9 +52790,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml" ], "tags": [ @@ -52761,7 +52815,7 @@ { "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/10/26", "falsepositive": [ "Google Drive", @@ -52772,8 +52826,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Gal_B1t/status/1062971006078345217", "https://twitter.com/hexacorn/status/1448037865435320323", + "https://twitter.com/Gal_B1t/status/1062971006078345217", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml" ], "tags": [ @@ -52812,7 +52866,7 @@ { "description": "Detects actions that clear the local ShimCache and remove forensic evidence", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/02/01", "falsepositive": [ "Unknown" @@ -52939,7 +52993,7 @@ { "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/11/11", "falsepositive": [ "Unknown" @@ -52957,34 +53011,10 @@ "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020", "value": "Suspicious RunAs-Like Flag Combination" }, - { - "description": "Detects Base64 encoded Shellcode", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/11/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_powershell_b64_shellcode.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cyb3rops/status/1063072865992523776", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "value": "PowerShell Base64 Encoded Shellcode" - }, { "description": "Detects execution of the IEExec utility to download payloads", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/05/16", "falsepositive": [ "Unknown" @@ -53005,7 +53035,7 @@ { "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/11", "falsepositive": [ "Unknown" @@ -53134,7 +53164,7 @@ { "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", "meta": { - "author": "Nasreddine Bencherchali (rule)", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/05/29", "falsepositive": [ "Unknown" @@ -53144,9 +53174,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/nao_sec/status/1530196847679401984", "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml" ], "tags": [ @@ -53235,7 +53265,7 @@ { "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/03/09", "falsepositive": [ "Unknown" @@ -53245,11 +53275,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/BleepinComputer/status/1372218235949617161", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", + "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", + "https://twitter.com/BleepinComputer/status/1372218235949617161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml" ], "tags": [ @@ -53273,7 +53303,7 @@ { "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/01/20", "falsepositive": [ "Unlikely" @@ -53283,9 +53313,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml" ], "tags": [ @@ -53355,6 +53385,30 @@ "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", "value": "Sysmon Driver Unload" }, + { + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/22", + "falsepositive": [ + "Legitimate usage of the capabilities by administartors or users. Filter accordingly" + ], + "filename": "proc_creation_win_powershell_add_windows_capability.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "b36d01a3-ddaf-4804-be18-18a6247adfcd", + "value": "Add New Windows Capability - ProcCreation" + }, { "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", "meta": { @@ -53382,7 +53436,7 @@ { "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/01/16", "falsepositive": [ "Unknown" @@ -53450,10 +53504,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", - "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", + "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ @@ -53497,7 +53551,7 @@ { "description": "Detects suspicious encoded character syntax often used for defense evasion", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/09", "falsepositive": [ "Unknown" @@ -53592,7 +53646,7 @@ { "description": "Detects creation of a scheduled task with a GUID like name", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/31", "falsepositive": [ "Legitimate software naming their tasks as GUIDs" @@ -53602,8 +53656,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml" ], "tags": [ @@ -53694,7 +53748,7 @@ { "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/12", "falsepositive": [ "Unknown" @@ -53785,7 +53839,7 @@ { "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/26", "falsepositive": [ "Unknown" @@ -53840,9 +53894,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml" ], "tags": [ @@ -53857,7 +53911,7 @@ { "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/03", "falsepositive": [ "Unknown" @@ -53960,8 +54014,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml" ], "tags": [ @@ -53995,9 +54049,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/lukebaggett/dnscat2-powershell", "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", + "https://github.com/lukebaggett/dnscat2-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" ], "tags": [ @@ -54044,7 +54098,7 @@ { "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022/04/06", "falsepositive": [ "Unknown" @@ -54085,7 +54139,7 @@ { "description": "Detects WMIC executing suspicious or recon commands", "meta": { - "author": "Michael Haag, Florian Roth, juju4, oscd.community", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "creation_date": "2019/01/16", "falsepositive": [ "If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine" @@ -54095,8 +54149,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", + "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" ], @@ -54121,7 +54175,7 @@ { "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/28", "falsepositive": [ "Unknown" @@ -54131,8 +54185,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "Internal Research", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml" ], "tags": [ @@ -54165,8 +54219,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" ], "tags": [ @@ -54190,7 +54244,7 @@ { "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/12", "falsepositive": [ "Unknown" @@ -54223,7 +54277,7 @@ { "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", "meta": { - "author": "Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)", + "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020/07/03", "falsepositive": [ "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", @@ -54369,7 +54423,7 @@ { "description": "Detects powershell scripts that import modules from suspicious directories", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/10", "falsepositive": [ "Unknown" @@ -54541,7 +54595,7 @@ { "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/11", "falsepositive": [ "Other tools with the same command line flag combination", @@ -54619,8 +54673,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ @@ -54634,7 +54688,7 @@ { "description": "Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ "Unlikely" @@ -54644,10 +54698,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nodejs.org/api/cli.html", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://nodejs.org/api/cli.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -54670,7 +54724,7 @@ { "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019/01/09", "falsepositive": [ "Administrative scripts" @@ -54704,7 +54758,7 @@ { "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -54715,8 +54769,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/hfiref0x/UACME", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -54740,7 +54794,7 @@ { "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/11/23", "falsepositive": [ "Unknown" @@ -54750,8 +54804,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", + "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" ], "tags": [ @@ -54794,8 +54848,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" ], "tags": [ @@ -54818,7 +54872,7 @@ { "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/12", "falsepositive": [ "Unknown" @@ -54851,7 +54905,7 @@ { "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/30", "falsepositive": [ "Unknown" @@ -54884,9 +54938,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://adsecurity.org/?p=2604", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" ], @@ -54920,9 +54974,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://twitter.com/pabraeken/status/990717080805789697", - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" ], "tags": [ @@ -54936,7 +54990,7 @@ { "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP", "meta": { - "author": "Florian Roth, oscd.community", + "author": "Florian Roth (Nextron Systems), oscd.community", "creation_date": "2019/01/29", "falsepositive": [ "Legitimate administration" @@ -54971,7 +55025,7 @@ { "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/21", "falsepositive": [ "Unknown" @@ -55028,7 +55082,7 @@ { "description": "Detects process memory dump via comsvcs.dll and rundll32 using different techniques (ordinal, minidump function...etc)", "meta": { - "author": "Florian Roth, Modexp, Nasreddine Bencherchali (update)", + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020/02/18", "falsepositive": [ "Unlikely, because no one should dump the process memory in that way" @@ -55038,12 +55092,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Wietze/status/1542107456507203586", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://twitter.com/SBousseaden/status/1167417096374050817", - "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/Wietze/status/1542107456507203586", "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml" ], "tags": [ @@ -55079,16 +55133,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" ], "tags": [ @@ -55111,7 +55165,7 @@ { "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/06", "falsepositive": [ "Unknown" @@ -55144,7 +55198,7 @@ { "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/23", "falsepositive": [ "Software installers that run from temporary folders and also install scheduled tasks" @@ -55174,40 +55228,6 @@ "uuid": "9494479d-d994-40bf-a8b1-eea890237021", "value": "Suspicious Add Scheduled Task Parent" }, - { - "description": "Detects Task Scheduler .job import arbitrary DACL write\\par", - "meta": { - "author": "Olaf Hartong", - "creation_date": "2019/05/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_win10_sched_task_0day.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf", - "value": "Windows 10 Scheduled Task SandboxEscaper 0-day" - }, { "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.", "meta": { @@ -55221,8 +55241,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml" ], "tags": [ @@ -55242,6 +55262,30 @@ "uuid": "410ad193-a728-4107-bc79-4419789fcbf8", "value": "Trickbot Malware Recon Activity" }, + { + "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/22", + "falsepositive": [ + "Legitimate usage of appcmd to add new URL rewrite rules" + ], + "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", + "https://twitter.com/malmoeb/status/1616702107242971144", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", + "value": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd" + }, { "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", "meta": { @@ -55263,10 +55307,34 @@ "uuid": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", "value": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation" }, + { + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/08/17", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "value": "Powershell AMSI Bypass via .NET Reflection" + }, { "description": "Detects the use of RunXCmd tool for command execution", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/24", "falsepositive": [ "Legitimate use by administrators" @@ -55276,8 +55344,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.d7xtech.com/free-software/runx/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.d7xtech.com/free-software/runx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml" ], "tags": [ @@ -55311,9 +55379,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://twitter.com/pabraeken/status/990758590020452353", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", + "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ @@ -55346,9 +55414,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", + "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml" ], "tags": [ @@ -55384,39 +55452,6 @@ "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", "value": "Koadic Execution" }, - { - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "meta": { - "author": "frack113", - "creation_date": "2022/01/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_iis_http_logging.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "related": [ - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", - "value": "Disable Windows IIS HTTP Logging" - }, { "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", "meta": { @@ -55464,8 +55499,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://curl.se/docs/manpage.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", + "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml" ], "tags": [ @@ -55521,7 +55556,7 @@ { "description": "Detects usage of the wevtutil utility to perform reconnaissance", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ "Legitmate usage of the utility by administrators to query the event log" @@ -55544,7 +55579,7 @@ { "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/19", "falsepositive": [ "Legitimate use by third party tools in order to investigate installed drivers" @@ -55580,8 +55615,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" ], "tags": [ @@ -55623,8 +55658,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml" ], "tags": [ @@ -55657,10 +55692,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://twitter.com/vysecurity/status/974806438316072960", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://twitter.com/vysecurity/status/873181705024266241", + "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml" ], "tags": [ @@ -55683,7 +55718,7 @@ { "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/20", "falsepositive": [ "Command lines that use the same flags" @@ -55693,8 +55728,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/bopin2020/status/1366400799199272960", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml" ], "tags": [ @@ -55760,7 +55795,7 @@ { "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/13", "falsepositive": [ "Some false positives may occure with other tools with similar commandlines" @@ -55770,9 +55805,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://github.com/jpillora/chisel/", "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", - "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" ], "tags": [ @@ -55795,7 +55830,7 @@ { "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/24", "falsepositive": [ "Legitimate use of the impacket tools" @@ -55862,8 +55897,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" ], "tags": [ @@ -55910,7 +55945,7 @@ { "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/10", "falsepositive": [ "Unknown" @@ -55920,8 +55955,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.youtube.com/watch?v=Ie831jF0bb0", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" ], "tags": [ @@ -55963,9 +55998,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -55989,8 +56024,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" ], "tags": [ @@ -56013,7 +56048,7 @@ { "description": "Detects the use of NPS a port forwarding tool", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/10/08", "falsepositive": [ "Legitimate use" @@ -56046,7 +56081,7 @@ { "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/02/04", "falsepositive": [ "Very unlikely" @@ -56077,30 +56112,6 @@ "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "value": "Dumpert Process Dumper" }, - { - "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2023/01/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_amsi_null_bits_bypass.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "92a974db-ab84-457f-9ec0-55db83d7a825", - "value": "Potential AMSI Bypass Using NULL Bits - ProcessCreation" - }, { "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "meta": { @@ -56202,6 +56213,41 @@ "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "value": "Discover Private Keys" }, + { + "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_encoding_patterns.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", + "value": "Potential Encoded PowerShell Patterns In CommandLine" + }, { "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", "meta": { @@ -56239,7 +56285,7 @@ { "description": "Detects commands used by Turla group as reported by ESET in May 2020", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/05/26", "falsepositive": [ "Unknown" @@ -56282,7 +56328,7 @@ { "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/05/24", "falsepositive": [ "Unknown" @@ -56315,7 +56361,7 @@ { "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/03/05", "falsepositive": [ "Unknown" @@ -56383,8 +56429,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml" ], "tags": [ @@ -56407,7 +56453,7 @@ { "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022/08/12", "falsepositive": [ "Administrative activity" @@ -56450,9 +56496,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -56475,7 +56521,7 @@ { "description": "Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/04", "falsepositive": [ "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" @@ -56508,7 +56554,7 @@ { "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/09/30", "falsepositive": [ "Unlikely" @@ -56518,10 +56564,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", + "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" ], "tags": [ @@ -56546,7 +56592,7 @@ { "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", "meta": { - "author": "Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali", "creation_date": "2019/01/16", "falsepositive": [ "Inventory tool runs", @@ -56557,9 +56603,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml" ], "tags": [ @@ -56618,7 +56664,7 @@ { "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ "Legitimate PowerShell scripts" @@ -56652,9 +56698,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://www.intrinsec.com/apt27-analysis/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.intrinsec.com/apt27-analysis/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -56686,7 +56732,7 @@ { "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -56720,7 +56766,7 @@ { "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/12/27", "falsepositive": [ "Unknown" @@ -56765,8 +56811,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml" ], "tags": [ @@ -56799,9 +56845,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ @@ -56849,7 +56895,7 @@ { "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019/01/16", "falsepositive": [ "High" @@ -56966,7 +57012,7 @@ { "description": "Detects DarkSide Ransomware and helpers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/14", "falsepositive": [ "Unknown", @@ -56977,9 +57023,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" ], "tags": [ @@ -57002,7 +57048,7 @@ { "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022/04/06", "falsepositive": [ "Unlikely" @@ -57023,7 +57069,7 @@ { "description": "Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\\Program Files')", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/19", "falsepositive": [ "Unknown" @@ -57046,7 +57092,7 @@ { "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/13", "falsepositive": [ "Unlikely" @@ -57181,7 +57227,7 @@ { "description": "Detects a Windows program executable started from a suspicious folder", "meta": { - "author": "Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", "creation_date": "2017/11/27", "falsepositive": [ "Exotic software" @@ -57206,7 +57252,7 @@ { "description": "Detects usage of findstr with the \"EVERYONE\" keyword. This is often used in combination with icacls to look for misconfigured files or folders permissions", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/12", "falsepositive": [ "Unknown" @@ -57249,10 +57295,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/antonioCoco/RogueWinRM", "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ @@ -57275,7 +57321,7 @@ { "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/03", "falsepositive": [ "Unknown" @@ -57285,11 +57331,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", + "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://www.joesandbox.com/analysis/443736/0/html", - "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", - "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" ], "tags": [ @@ -57313,7 +57359,7 @@ { "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/03", "falsepositive": [ "Unknown" @@ -57347,9 +57393,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/help-windows-executable", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/threat-detection-report/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://www.cobaltstrike.com/help-windows-executable", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" ], "tags": [ @@ -57372,7 +57418,7 @@ { "description": "Detects suspicious ways to download files or content using PowerShell", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/24", "falsepositive": [ "Scripts or tools that download files" @@ -57451,7 +57497,7 @@ { "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/23", "falsepositive": [ "Unlikely" @@ -57461,9 +57507,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" ], @@ -57487,7 +57533,7 @@ { "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/20", "falsepositive": [ "Unknown" @@ -57498,9 +57544,9 @@ "logsource.product": "windows", "refs": [ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" ], "tags": "No established tags" @@ -57521,9 +57567,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", + "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ @@ -57624,9 +57670,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", - "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" ], "tags": [ @@ -57647,37 +57693,47 @@ "value": "Suspicious Execution of Powershell with Base64" }, { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", "meta": { - "author": "frack113", - "creation_date": "2022/02/11", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/23", "falsepositive": [ - "Legitimate use" + "Unknown" ], - "filename": "proc_creation_win_anydesk.yml", + "filename": "proc_creation_win_wsl_child_processes_anomalies.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk.yml" + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ] }, "related": [ { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", - "value": "Use of Anydesk Remote Access Software" + "uuid": "2267fe65-0681-42ad-9a6d-46553d3f3480", + "value": "WSL Child Process Anomaly" }, { "description": "Atbroker executing non-deafualt Assistive Technology applications", @@ -57692,8 +57748,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" ], "tags": [ @@ -57761,9 +57817,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/fireeye/DueDLLigence", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", + "https://github.com/fireeye/DueDLLigence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -57829,9 +57885,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/tevora-threat/SharpView/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", - "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" ], "tags": [ @@ -57867,32 +57923,7 @@ } ], "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", - "value": "Suspicious Execution of SharpView Aka PowerView" - }, - { - "description": "Detects suspicious IIS native-code module installations via command line", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/12/11", - "falsepositive": [ - "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" - ], - "filename": "proc_creation_win_susp_iss_module_install.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", - "value": "IIS Native-Code Module Command Line Installation" + "value": "Suspicious Execution of SharpView" }, { "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", @@ -57907,9 +57938,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml" ], "tags": [ @@ -57957,7 +57988,7 @@ { "description": "Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)", "meta": { - "author": "pH-T, Florian Roth", + "author": "pH-T (Nextron Systems), Florian Roth", "creation_date": "2022/04/08", "falsepositive": [ "Unknown" @@ -58009,8 +58040,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://attack.mitre.org/software/S0108/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml" ], "tags": [ @@ -58124,7 +58155,7 @@ { "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/06", "falsepositive": [ "System administrator usage" @@ -58158,7 +58189,7 @@ { "description": "Detects a code page switch in command line or batch scripts to a rare language", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019/10/14", "falsepositive": [ "Administrative activity (adjust code pages according to your organisation's region)" @@ -58183,7 +58214,7 @@ { "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/23", "falsepositive": [ "Unknown" @@ -58193,10 +58224,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", - "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", - "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/defaultnamehere/cookie_crimes/", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml" ], "tags": [ @@ -58219,7 +58250,7 @@ { "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/24", "falsepositive": [ "Legitimate scripts that use IEX" @@ -58240,7 +58271,7 @@ { "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/01", "falsepositive": [ "Unknown" @@ -58273,7 +58304,7 @@ { "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/01", "falsepositive": [ "Administrators settings a service to disable via script or cli for testing purposes" @@ -58308,8 +58339,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/30/weak-service-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/30/weak-service-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml" ], "tags": [ @@ -58359,7 +58390,7 @@ { "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/02/11", "falsepositive": [ "Legitimate use by administrative staff" @@ -58393,8 +58424,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ @@ -58417,7 +58448,7 @@ { "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", "meta": { - "author": "FLorian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/21", "falsepositive": [ "Legitimate administrative tasks" @@ -58427,8 +58458,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml" ], "tags": [ @@ -58451,9 +58482,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.joesandbox.com/analysis/476188/1/iochtml", "https://twitter.com/neonprimetime/status/1435584010202255375", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" ], "tags": [ @@ -58476,7 +58507,7 @@ { "description": "Detects different process creation events as described in various threat reports on Lazarus group activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/12/23", "falsepositive": [ "Overlap with legitimate process activity in some cases (especially selection 3 and 4)" @@ -58486,8 +58517,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://www.hvs-consulting.de/lazarus-report/", + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" ], "tags": [ @@ -58548,8 +58579,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml" ], "tags": [ @@ -58572,7 +58603,7 @@ { "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -58616,8 +58647,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -58640,7 +58671,7 @@ { "description": "Detects UAC bypass method using Windows event viewer", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/19", "falsepositive": [ "Unknown" @@ -58650,8 +58681,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml" ], "tags": [ @@ -58676,7 +58707,7 @@ { "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/04", "falsepositive": [ "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" @@ -58744,8 +58775,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" ], "tags": [ @@ -58759,7 +58790,7 @@ { "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Unknown" @@ -58793,7 +58824,7 @@ { "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/02/22", "falsepositive": [ "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" @@ -58866,6 +58897,31 @@ "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "value": "Logon Scripts (UserInitMprLogonScript)" }, + { + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/29", + "falsepositive": [ + "Legitimate usage of the features listed in the rule." + ], + "filename": "proc_creation_win_enable_susp_windows_optional_feature.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", + "value": "Potential Suspicious Windows Feature Enabled - ProcCreation" + }, { "description": "Detects wmiprvse spawning processes", "meta": { @@ -58902,7 +58958,7 @@ { "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/23", "falsepositive": [ "Other legitimate network providers used and not filtred in this rule" @@ -58912,8 +58968,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml" ], "tags": [ @@ -58936,7 +58992,7 @@ { "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/27", "falsepositive": [ "Other programs that cause these patterns (please report)" @@ -58946,8 +59002,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml" ], "tags": [ @@ -58970,7 +59026,7 @@ { "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "creation_date": "2020/10/12", "falsepositive": [ "Unknown" @@ -58980,8 +59036,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml" ], "tags": [ @@ -59030,7 +59086,7 @@ { "description": "Execution of a renamed version of the Plink binary", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/06", "falsepositive": [ "Unknown" @@ -59055,7 +59111,7 @@ { "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/31", "falsepositive": [ "Unknown" @@ -59089,7 +59145,7 @@ { "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/02/22", "falsepositive": [ "Unknown" @@ -59099,8 +59155,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", + "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" ], "tags": [ @@ -59114,7 +59170,7 @@ { "description": "Detects a suspicious execution from an uncommon folder", "meta": { - "author": "Florian Roth, Tim Shelton", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2019/01/16", "falsepositive": [ "Unknown" @@ -59124,10 +59180,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -59176,9 +59232,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", + "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml" ], "tags": [ @@ -59201,7 +59257,7 @@ { "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", "meta": { - "author": "Florian Roth, oscd.community", + "author": "Florian Roth (Nextron Systems), oscd.community", "creation_date": "2020/07/30", "falsepositive": [ "Legitimate setups that use similar flags" @@ -59259,7 +59315,7 @@ { "description": "Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\\Program Files')", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/19", "falsepositive": [ "Unknown" @@ -59282,7 +59338,7 @@ { "description": "Detects RDP session hijacking by using MSTSC shadowing", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/01/24", "falsepositive": [ "Unknown" @@ -59316,7 +59372,7 @@ { "description": "Detects a specific tool and export used by EquationGroup", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/03/04", "falsepositive": [ "Unknown" @@ -59326,9 +59382,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/972186477512839170", - "https://securelist.com/apt-slingshot/84312/", "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", + "https://securelist.com/apt-slingshot/84312/", + "https://twitter.com/cyb3rops/status/972186477512839170", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" ], "tags": [ @@ -59352,7 +59408,7 @@ { "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022/10/10", "falsepositive": [ "Unlikely" @@ -59362,9 +59418,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "http://www.xuetr.com/", "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" ], "tags": "No established tags" @@ -59375,7 +59431,7 @@ { "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/14", "falsepositive": [ "Another tool that uses the command line switches of Ngrok", @@ -59386,13 +59442,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ngrok.com/docs", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://twitter.com/xorJosh/status/1598646907802451969", - "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://ngrok.com/docs", "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" ], "tags": [ @@ -59415,7 +59471,7 @@ { "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", "falsepositive": [ "Unknown" @@ -59438,7 +59494,7 @@ { "description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/01", "falsepositive": [ "Some FP is expected with some installers" @@ -59459,6 +59515,42 @@ "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", "value": "Suspicious CLSID Folder Name In Suspicious Locations" }, + { + "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", + "meta": { + "author": "TropChaud", + "creation_date": "2023/01/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rhadamanthys_dll_launch.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/anfam17/status/1607477672057208835", + "https://www.joesandbox.com/analysis/790122/0/html", + "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/", + "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rhadamanthys_dll_launch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", + "value": "Rhadamanthys Stealer Module Launch via Rundll32" + }, { "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", "meta": { @@ -59473,9 +59565,9 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], "tags": [ @@ -59495,57 +59587,6 @@ "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", "value": "Use of FSharp Interpreters" }, - { - "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_office_applications_spawning_wmi_commandline.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", - "value": "Office Applications Spawning Wmi Cli" - }, { "description": "Detects file execution using the msdeploy.exe lolbin", "meta": { @@ -59559,8 +59600,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/999090532839313408", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/995837734379032576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" ], @@ -59594,8 +59635,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" ], "tags": [ @@ -59615,31 +59656,6 @@ "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", "value": "Suspicious Command With Teams Objects Pathes" }, - { - "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/08/17", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_powershell_amsi_bypass.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mattifestation/status/735261176745988096", - "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", - "value": "Powershell AMSI Bypass via .NET Reflection" - }, { "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { @@ -59701,7 +59717,7 @@ { "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/06", "falsepositive": [ "Legitimate use of the UI Accessibility Checker" @@ -59711,9 +59727,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/1477717351017680899?s=12", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://twitter.com/bohops/status/1477717351017680899?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" ], "tags": [ @@ -59770,7 +59786,7 @@ { "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", "meta": { - "author": "Florian Roth, Tim Shelton", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2018/04/06", "falsepositive": [ "Administrative scripts", @@ -59831,9 +59847,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" ], @@ -59934,9 +59950,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" ], @@ -59960,7 +59976,7 @@ { "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/03/11", "falsepositive": [ "Administrative activity", @@ -60019,7 +60035,7 @@ { "description": "Detects suspicious msiexec process starts with web addresses as parameter", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/02/09", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" @@ -60145,7 +60161,7 @@ { "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/11/20", "falsepositive": [ "Unknown" @@ -60155,8 +60171,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml" ], "tags": [ @@ -60212,7 +60228,7 @@ { "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022/01/04", "falsepositive": [ "Command lines that use the same flags" @@ -60222,8 +60238,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/bopin2020/status/1366400799199272960", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml" ], "tags": [ @@ -60247,7 +60263,7 @@ { "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", "meta": { - "author": "Nasreddine Bencherchali, Tim Shelton", + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "creation_date": "2022/08/08", "falsepositive": [ "Unlikely" @@ -60271,7 +60287,7 @@ { "description": "Detects suspicious PowerShell scripts accessing SAM hives", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/29", "falsepositive": [ "Some rare backup scenarios", @@ -60338,7 +60354,7 @@ { "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/12/19", "falsepositive": [ "Unlikely" @@ -60376,7 +60392,7 @@ { "description": "Detects QBot like process executions", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/01", "falsepositive": [ "Unlikely" @@ -60386,8 +60402,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/killamjr/status/1179034907932315648", "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", + "https://twitter.com/killamjr/status/1179034907932315648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" ], "tags": [ @@ -60462,11 +60478,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", - "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" ], "tags": [ @@ -60569,7 +60585,7 @@ { "description": "Detects process creation with a renamed Msdt.exe", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/06/03", "falsepositive": [ "Unlikely" @@ -60602,7 +60618,7 @@ { "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/25", "falsepositive": [ "Unknown" @@ -60627,7 +60643,7 @@ { "description": "Detects the use of NSudo tool for command execution", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022/01/24", "falsepositive": [ "Legitimate use by administrators" @@ -60705,10 +60721,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml" ], "tags": [ @@ -60742,8 +60758,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ @@ -60766,7 +60782,7 @@ { "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/12/28", "falsepositive": [ "Unknown" @@ -60788,7 +60804,7 @@ { "description": "Detects a suspicious RDP session redirect using tscon.exe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/03/17", "falsepositive": [ "Unknown" @@ -60857,7 +60873,7 @@ { "description": "Detects Hurricane Panda Activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/03/04", "falsepositive": [ "Unknown" @@ -60891,7 +60907,7 @@ { "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/03/01", "falsepositive": [ "Unlikely" @@ -60901,8 +60917,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml" ], "tags": [ @@ -60937,8 +60953,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml" ], "tags": [ @@ -61037,7 +61053,7 @@ { "description": "Detects command line parameters or strings often used by crypto miners", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/10/26", "falsepositive": [ "Legitimate use of crypto miners", @@ -61068,6 +61084,30 @@ "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "value": "Windows Crypto Mining Indicators" }, + { + "description": "Detects Base64 encoded Shellcode", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/11/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_base64_shellcode.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1063072865992523776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", + "value": "PowerShell Base64 Encoded Shellcode" + }, { "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", "meta": { @@ -61104,7 +61144,7 @@ { "description": "Detects various anomalies in relation to regsvr32.exe", "meta": { - "author": "Florian Roth, oscd.community, Tim Shelton", + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", "creation_date": "2019/01/16", "falsepositive": [ "Unknown" @@ -61114,8 +61154,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml" ], "tags": [ @@ -61150,8 +61190,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" ], @@ -61175,7 +61215,7 @@ { "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/13", "falsepositive": [ "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" @@ -61206,10 +61246,51 @@ "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", "value": "Execute MSDT Via Answer File" }, + { + "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_base64_frombase64string.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "value": "PowerShell Base64 Encoded FromBase64String Keyword" + }, { "description": "Detects suspicious PowerShell invocation with a parameter substring", "meta": { - "author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "creation_date": "2019/01/16", "falsepositive": [ "Unknown" @@ -61295,8 +61376,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml" ], "tags": [ @@ -61319,7 +61400,7 @@ { "description": "Detects Office Applications executing a Windows child process including directory traversal patterns", "meta": { - "author": "@SBousseaden (idea), Christian Burkard (rule)", + "author": "@SBousseaden (idea), Christian Burkard (Nextron Systems) (rule)", "creation_date": "2022/06/02", "falsepositive": [ "Unknown" @@ -61341,16 +61422,16 @@ "value": "Office Directory Traversal CommandLine" }, { - "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag", + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/28", "falsepositive": [ "Legitimate piping of the password to anydesk", "Some FP could occure with similar tools that uses the same command line '--set-password'" ], "filename": "proc_creation_win_anydesk_piped_password_via_cli.yml", - "level": "high", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ @@ -61372,12 +61453,12 @@ } ], "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", - "value": "AnyDesk Inline Piped Password" + "value": "AnyDesk Piped Password Via CLI" }, { "description": "Detects suspicious process injection using ZOHO's dctask64.exe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/01/28", "falsepositive": [ "Unknown yet" @@ -61412,7 +61493,7 @@ { "description": "Detects the use of various cli utility related to web request exfiltrating data", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/02", "falsepositive": [ "Unlikely" @@ -61445,7 +61526,7 @@ { "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/02/06", "falsepositive": [ "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" @@ -61479,8 +61560,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml" ], "tags": [ @@ -61521,9 +61602,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], @@ -61547,7 +61628,7 @@ { "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/07/31", "falsepositive": [ "Unlikely" @@ -61638,7 +61719,7 @@ { "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", "meta": { - "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T", + "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T (Nextron Systems)", "creation_date": "2022/02/12", "falsepositive": [ "Unknown" @@ -61691,9 +61772,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" ], "tags": [ @@ -61751,7 +61832,7 @@ { "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/05/08", "falsepositive": [ "Unknown" @@ -61773,6 +61854,49 @@ "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", "value": "DNS ServerLevelPluginDll Install" }, + { + "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/26", + "falsepositive": [ + "In development environment where VsCode is used heavily. False positives may occure when developers use task to compile or execute different types of code. Remove or add processes accordingly" + ], + "filename": "proc_creation_win_vscode_child_processes_anomalies.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1618021838407495681", + "https://twitter.com/nas_bench/status/1618021415852335105", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5a3164f2-b373-4152-93cf-090b13c12d27", + "value": "VsCode Child Process Anomaly" + }, { "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", "meta": { @@ -61787,8 +61911,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], "tags": [ @@ -61817,33 +61941,6 @@ "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", "value": "Bypass UAC via CMSTP" }, - { - "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/04", - "falsepositive": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" - ], - "filename": "proc_creation_win_powershell_defender_base64.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", - "value": "Powershell Defender Base64 MpPreference" - }, { "description": "Detects PsExec service execution via default service image name", "meta": { @@ -61857,8 +61954,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml" ], "tags": [ @@ -61882,7 +61979,7 @@ { "description": "Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/04", "falsepositive": [ "Legitimate use of one of these tools" @@ -61937,7 +62034,7 @@ { "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/30", "falsepositive": [ "Unlikely" @@ -61980,8 +62077,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-december-2021", "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "https://redcanary.com/blog/intelligence-insights-december-2021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" ], "tags": [ @@ -62054,7 +62151,7 @@ { "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/11/10", "falsepositive": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" @@ -62064,9 +62161,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -62080,7 +62177,7 @@ { "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -62116,7 +62213,7 @@ { "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/14", "falsepositive": [ "Rare legitimate installation of kernel drivers via sc.exe" @@ -62141,7 +62238,7 @@ { "description": "Detects Ryuk ransomware activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/12/16", "falsepositive": [ "Unlikely" @@ -62165,7 +62262,7 @@ { "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Unlikely" @@ -62208,8 +62305,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" ], "tags": [ @@ -62246,6 +62343,41 @@ "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead", "value": "Office Applications Spawning Wmi Cli Alternate" }, + { + "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", + "meta": { + "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali", + "creation_date": "2023/01/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_base64_wmi_classes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1816994b-42e1-4fb1-afd2-134d88184f71", + "value": "PowerShell Base64 Encoded WMI Classes" + }, { "description": "Detects manual service execution (start) via system utilities.", "meta": { @@ -62282,7 +62414,7 @@ { "description": "Detects usage of the SysInternals Procdump utility", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/16", "falsepositive": [ "Legitimate use of procdump by a developer or administrator" @@ -62350,7 +62482,7 @@ { "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/02", "falsepositive": [ "Unknown" @@ -62457,7 +62589,7 @@ { "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/02/11", "falsepositive": [ "Unknown" @@ -62585,8 +62717,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", + "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml" ], "tags": [ @@ -62600,7 +62732,7 @@ { "description": "Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/10", "falsepositive": [ "Unknown" @@ -62610,8 +62742,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml" ], "tags": [ @@ -62634,7 +62766,7 @@ { "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ "Unlikely" @@ -62847,11 +62979,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -62880,10 +63012,38 @@ "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "value": "Suspicious Eventlog Clear or Configuration Change" }, + { + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "creation_date": "2021/01/30", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_wmic_security_product_uninstall.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://twitter.com/cglyer/status/1355171195654709249", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_security_product_uninstall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "value": "Potential Tampering With Security Products Via WMIC" + }, { "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "meta": { - "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "creation_date": "2018/03/15", "falsepositive": [ "Unlikely" @@ -62953,8 +63113,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml" ], "tags": [ @@ -62985,7 +63145,7 @@ { "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/11/24", "falsepositive": [ "Unlikely" @@ -63050,7 +63210,7 @@ { "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022/06/02", "falsepositive": [ "Unknown" @@ -63156,7 +63316,7 @@ { "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/18", "falsepositive": [ "Unlikely" @@ -63166,8 +63326,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/Seatbelt", "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", + "https://github.com/GhostPack/Seatbelt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" ], "tags": [ @@ -63192,7 +63352,7 @@ { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -63259,7 +63419,7 @@ { "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/19", "falsepositive": [ "Legitimate usage of the script by a developer" @@ -63336,10 +63496,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", - "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -63373,8 +63533,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml" ], "tags": [ @@ -63398,8 +63558,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml" ], "tags": [ @@ -63412,7 +63572,7 @@ { "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" @@ -63468,44 +63628,44 @@ "value": "Suspicious Shells Spawn by SQL Server" }, { - "description": "Detects specific combinations of encoding methods in the PowerShell command lines", + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", "meta": { - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", - "creation_date": "2022/07/06", + "author": "Tim Rauch, Janantha Marasinghe", + "creation_date": "2022/11/08", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "proc_creation_win_powershell_cmdline_susp_comb_methods.yml", - "level": "medium", + "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml" + "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", + "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1003" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", - "value": "Suspicious Xor PowerShell Command Line" + "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", + "value": "Microsoft IIS Service Account Password Dumped" }, { "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -63539,7 +63699,7 @@ { "description": "Detects the execution of AdvancedRun utility", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/20", "falsepositive": [ "Unknown" @@ -63550,9 +63710,9 @@ "logsource.product": "windows", "refs": [ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" ], "tags": "No established tags" @@ -63563,7 +63723,7 @@ { "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/14", "falsepositive": [ "Unlikely" @@ -63573,8 +63733,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml" ], "tags": [ @@ -63589,7 +63749,7 @@ { "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/08", "falsepositive": [ "Unknown" @@ -63620,7 +63780,7 @@ "value": "Script Interpreter Execution From Suspicious Folder" }, { - "description": "Detects the PowerShell command lines with reversed strings", + "description": "Detects the presenece of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", "meta": { "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "creation_date": "2020/10/11", @@ -63632,8 +63792,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ @@ -63653,12 +63813,12 @@ } ], "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", - "value": "Suspicious PowerShell Cmdline" + "value": "Potential PowerShell Obfuscation Via Reversed Commands" }, { "description": "Detects usage of hh.exe to execute/download remotely hosted .chm files.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/29", "falsepositive": [ "Unknown" @@ -63692,7 +63852,7 @@ { "description": "Detects a command used by conti to exfiltrate NTDS", "meta": { - "author": "Max Altgelt, Tobias Michalski", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "creation_date": "2021/08/09", "falsepositive": [ "Unknown" @@ -63702,8 +63862,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" ], "tags": [ @@ -63794,7 +63954,7 @@ { "description": "Detects a suspicious svchost process start", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/08/15", "falsepositive": [ "Unknown" @@ -63892,7 +64052,7 @@ { "description": "Detects usage of the Sharp Chisel via the commandline arguments", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/05", "falsepositive": [ "Unlikely" @@ -63937,8 +64097,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ @@ -63962,11 +64122,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://twitter.com/mattifestation/status/1326228491302563846", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "http://blog.sevagas.com/?Hacking-around-HTA-files", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" ], "tags": [ @@ -64007,7 +64167,7 @@ { "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/25", "falsepositive": [ "Unknown" @@ -64025,10 +64185,34 @@ "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "value": "Parent in Public Folder Suspicious Process" }, + { + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "92a974db-ab84-457f-9ec0-55db83d7a825", + "value": "Potential AMSI Bypass Using NULL Bits - ProcessCreation" + }, { "description": "Detects the use of SharpUp, a tool for local privilege escalation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/20", "falsepositive": [ "Unknown" @@ -64087,8 +64271,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ @@ -64154,8 +64338,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml" ], "tags": [ @@ -64178,7 +64362,7 @@ { "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/01", "falsepositive": [ "Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" @@ -64248,7 +64432,7 @@ { "description": "Detects usage of the copy command to copy files with the .dmp extensions from a remote share", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -64271,7 +64455,7 @@ { "description": "Detects suspicious Splwow64.exe process without any command line parameters", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -64314,9 +64498,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -64349,8 +64533,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", + "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" ], "tags": [ @@ -64374,7 +64558,7 @@ { "description": "Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/19", "falsepositive": [ "Unknown" @@ -64397,7 +64581,7 @@ { "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/02/21", "falsepositive": [ "Unknown" @@ -64441,7 +64625,7 @@ { "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/12/08", "falsepositive": [ "Unknown" @@ -64472,45 +64656,10 @@ "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", "value": "TA505 Dropper Load Pattern" }, - { - "description": "Detects specific combinations of encoding methods in the PowerShell command lines", - "meta": { - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", - "creation_date": "2020/10/11", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_powershell_cmdline_specific_comb_methods.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", - "value": "Encoded PowerShell Command Line" - }, { "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/26", "falsepositive": [ "Unlikely" @@ -64560,7 +64709,7 @@ { "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/05/20", "falsepositive": [ "Unknown" @@ -64672,7 +64821,7 @@ { "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/08/28", "falsepositive": [ "Unknown" @@ -64757,8 +64906,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" ], "tags": [ @@ -64864,8 +65013,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], @@ -64889,7 +65038,7 @@ { "description": "Detects the execution of the PurpleSharp adversary simulation tool", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/06/18", "falsepositive": [ "Unlikely" @@ -64932,8 +65081,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://www.exploit-db.com/exploits/37525", + "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], @@ -64997,7 +65146,7 @@ { "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/01", "falsepositive": [ "Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)" @@ -65044,6 +65193,39 @@ "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", "value": "Suspicious Microsoft OneNote Child Process" }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_anydesk_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "value": "AnyDesk Execution" + }, { "description": "Detects Ryuk Ransomware command lines", "meta": { @@ -65090,8 +65272,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" ], "tags": [ @@ -65128,7 +65310,7 @@ { "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/31", "falsepositive": [ "Rare legitimate inline scripting by some administrators" @@ -65158,37 +65340,10 @@ "uuid": "2c28c248-7f50-417a-9186-a85b223010ee", "value": "Wscript Shell Run In CommandLine" }, - { - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2021/01/30", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_susp_wmic_security_product_uninstall.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cglyer/status/1355171195654709249", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", - "value": "Wmic Uninstall Security Product" - }, { "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/23", "falsepositive": [ "Domain Controller User Logon", @@ -65222,7 +65377,7 @@ { "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/10/30", "falsepositive": [ "Unlikely, because no one should dump an lsass process memory", @@ -65271,11 +65426,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", - "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", + "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ @@ -65298,7 +65453,7 @@ { "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "creation_date": "2018/03/23", "falsepositive": [ "Unknown" @@ -65345,7 +65500,7 @@ { "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", "meta": { - "author": "Nasreddine Bencherchali, X__Junior", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", "creation_date": "2022/11/30", "falsepositive": [ "Legitimate use" @@ -65412,9 +65567,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" ], "tags": [ @@ -65428,7 +65583,7 @@ { "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/06", "falsepositive": [ "Unknown" @@ -65461,9 +65616,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" @@ -65549,8 +65704,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml" ], "tags": [ @@ -65582,7 +65737,7 @@ { "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/05/22", "falsepositive": [ "Unknown" @@ -65625,7 +65780,7 @@ { "description": "Detects suspicious flags used by PsExec and PAExec but no usual program name in command line", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2021/05/22", "falsepositive": [ "Weird admins that rename their tools", @@ -65636,8 +65791,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" ], @@ -65661,7 +65816,7 @@ { "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/07", "falsepositive": [ "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" @@ -65671,8 +65826,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", + "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml" ], "tags": [ @@ -65721,7 +65876,7 @@ { "description": "Detects suspicious command lines used in Covenant luanchers", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2020/06/04", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_susp_covenant.yml", @@ -65758,10 +65913,42 @@ "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "value": "Covenant Launcher Indicators" }, + { + "description": "Detects usage of a base64 encoded \"IEX\" string in a process command line", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_base64_iex.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", + "value": "PowerShell Base64 Encoded IEX Keyword" + }, { "description": "Detects command that is used to disable or delete Windows eventlog via logman Windows utility", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/02/11", "falsepositive": [ "Legitimate deactivation by administrative staff", @@ -65772,8 +65959,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/logman.html", "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://ss64.com/nt/logman.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml" ], "tags": [ @@ -65822,7 +66009,7 @@ { "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "creation_date": "2019/09/30", "falsepositive": [ "Unknown" @@ -65832,9 +66019,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", - "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", + "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", + "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" ], @@ -65858,7 +66045,7 @@ { "description": "Detects a tscon.exe start as LOCAL SYSTEM", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/03/17", "falsepositive": [ "Unknown" @@ -65868,8 +66055,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" ], @@ -65994,7 +66181,7 @@ { "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/08/12", "falsepositive": [ "Unknown" @@ -66004,8 +66191,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" ], "tags": [ @@ -66020,7 +66207,7 @@ { "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", "meta": { - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (update)", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/23", "falsepositive": [ "Legitimate use of the library for administrative activity" @@ -66058,9 +66245,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml" ], "tags": "No established tags" @@ -66113,7 +66300,7 @@ { "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/10", "falsepositive": [ "Unlikely" @@ -66191,8 +66378,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ @@ -66236,8 +66423,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://twitter.com/vxunderground/status/1423336151860002816", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://attack.mitre.org/software/S0404/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml" ], @@ -66269,7 +66456,7 @@ { "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/01/28", "falsepositive": [ "Unknown yet" @@ -66331,8 +66518,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ @@ -66355,7 +66542,7 @@ { "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/16", "falsepositive": [ "Legitimate use by an administrator" @@ -66388,7 +66575,7 @@ { "description": "Detects the execution GMER tool based on image and hash fields.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/05", "falsepositive": [ "Unlikely" @@ -66411,7 +66598,7 @@ { "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/03/05", "falsepositive": [ "Unknown" @@ -66445,8 +66632,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml" ], "tags": [ @@ -66503,7 +66690,7 @@ { "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/03", "falsepositive": [ "Unknown" @@ -66536,7 +66723,7 @@ { "description": "Detects shell32.dll executing a DLL in a suspicious directory", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/11/24", "falsepositive": [ "Unknown" @@ -66603,7 +66790,7 @@ { "description": "Detects a suspicious child process of userinit", "meta": { - "author": "Florian Roth (rule), Samir Bousseaden (idea)", + "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", "creation_date": "2019/06/17", "falsepositive": [ "Administrative scripts" @@ -66647,10 +66834,45 @@ "uuid": "224f140f-3553-4cd1-af78-13d81bf9f7cc", "value": "Potential RDP Session Hijacking Activity" }, + { + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/12", + "falsepositive": [ + "Administrative activity using a remote port forwarding to a local port" + ], + "filename": "proc_creation_win_ssh_port_forward.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "value": "Port Forwarding Attempt Via SSH" + }, { "description": "Detects suspicious Plink tunnel port forwarding to a local port", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/01/19", "falsepositive": [ "Administrative activity using a remote port forwarding to a local port" @@ -66660,8 +66882,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", + "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml" ], "tags": [ @@ -66686,7 +66908,7 @@ { "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", "meta": { - "author": "Florian Roth, John Lambert (idea), elhoim", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "creation_date": "2021/07/14", "falsepositive": [ "Unknown", @@ -66697,10 +66919,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", - "https://vms.drweb.fr/virus/?i=24144899", "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://vms.drweb.fr/virus/?i=24144899", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml" ], "tags": [ @@ -66714,7 +66936,7 @@ { "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019/02/24", "falsepositive": [ "Unknown" @@ -66739,7 +66961,7 @@ { "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/14", "falsepositive": [ "Unlikely" @@ -66828,7 +67050,7 @@ { "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021/12/09", "falsepositive": [ "Unknown" @@ -66984,8 +67206,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml" ], "tags": [ @@ -67044,8 +67266,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml" ], "tags": [ @@ -67068,7 +67290,7 @@ { "description": "Detects a suspicious program execution in Outlook temp folder", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/01", "falsepositive": [ "Unknown" @@ -67091,7 +67313,7 @@ { "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "creation_date": "2019/11/15", "falsepositive": [ "Unknown" @@ -67152,9 +67374,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", - "https://twitter.com/pabraeken/status/993298228840992768", "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", + "https://twitter.com/pabraeken/status/993298228840992768", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -67176,7 +67398,7 @@ { "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", "meta": { - "author": "Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp)", + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "creation_date": "2022/01/13", "falsepositive": [ "Unknown" @@ -67207,8 +67429,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml" ], "tags": [ @@ -67241,7 +67463,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redmimicry.com", + "https://redmimicry.com/posts/redmimicry-winnti/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redmimicry_winnti_proc.yml" ], "tags": [ @@ -67276,7 +67498,7 @@ } ], "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", - "value": "RedMimicry Winnti Playbook Execute" + "value": "RedMimicry Winnti Playbook Execution" }, { "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", @@ -67315,7 +67537,7 @@ { "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali, @gott_cyber", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", "creation_date": "2019/06/29", "falsepositive": [ "Unknown how many legitimate software products use that method" @@ -67326,9 +67548,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/CyberRaiju/status/1273597319322058752", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", - "https://twitter.com/nas_bench/status/1535322450858233858", "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://twitter.com/nas_bench/status/1535322450858233858", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" ], "tags": [ @@ -67342,7 +67564,7 @@ { "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th postiional argument", "meta": { - "author": "Nasreddine Bencherchali, memory-shards", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "creation_date": "2022/12/24", "falsepositive": [ "Unknown" @@ -67352,10 +67574,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://twitter.com/lefterispan/status/1286259016436514816", "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" ], "tags": [ @@ -67488,7 +67710,7 @@ { "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -67512,7 +67734,7 @@ { "description": "Execute commands and binaries from the context of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/14", "falsepositive": [ "Legitimate use via a batch script or by an administrator." @@ -67546,7 +67768,7 @@ { "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/25", "falsepositive": [ "Other legitimate \"Windows Terminal\" profiles" @@ -67604,7 +67826,7 @@ { "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/11", "falsepositive": [ "Unknown" @@ -67614,13 +67836,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/zcgonvh/NTDSDumpEx", - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/zcgonvh/NTDSDumpEx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -67653,9 +67875,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml" ], "tags": [ @@ -67676,9 +67898,9 @@ "value": "Conti Backup Database" }, { - "description": "Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.", + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", "meta": { - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard", + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "creation_date": "2020/10/23", "falsepositive": [ "Unlikely" @@ -67688,13 +67910,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://www.cobaltstrike.com/help-opsec", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://www.cobaltstrike.com/help-opsec", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -67717,7 +67939,7 @@ { "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report", "meta": { - "author": "Florian Roth, Tim Shelton", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2019/10/02", "falsepositive": [ "Unlikely" @@ -67750,7 +67972,7 @@ { "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/25", "falsepositive": [ "Unknown" @@ -67761,8 +67983,8 @@ "logsource.product": "windows", "refs": [ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml" ], @@ -67829,20 +68051,51 @@ "value": "Cscript Visual Basic Script Execution" }, { - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/28", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/03/22", "falsepositive": [ - "Software installers that pull packages from remote systems and execute them" + "Unlikely" ], - "filename": "proc_creation_win_powershell_download_patterns.yml", + "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.010" + ] + }, + "related": [ + { + "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "value": "LSA PPL Protection Disabled Via Reg.EXE" + }, + { + "description": "Detects a Powershell process that contains download commands in its command line string", + "meta": { + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_download_patterns.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" ], "tags": [ @@ -67859,13 +68112,13 @@ "type": "related-to" } ], - "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275", - "value": "Suspicious PowerShell Download and Execute Pattern" + "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", + "value": "PowerShell Download Pattern" }, { "description": "Detects the execution of SecurityXploded Tools", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/12/19", "falsepositive": [ "Unlikely" @@ -67875,8 +68128,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityxploded.com/", "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", + "https://securityxploded.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml" ], "tags": [ @@ -67899,7 +68152,7 @@ { "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/14", "falsepositive": [ "Legitimate usage of the passwords by users via commandline (should be discouraged)", @@ -67910,9 +68163,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml" ], "tags": [ @@ -67926,7 +68179,7 @@ { "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/12/04", "falsepositive": [ "Unlikely" @@ -68071,8 +68324,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/991335019833708544", "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", + "https://twitter.com/pabraeken/status/991335019833708544", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ @@ -68093,6 +68346,33 @@ "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", "value": "Indirect Command Execution By Program Compatibility Wizard" }, + { + "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/03/04", + "falsepositive": [ + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" + ], + "filename": "proc_creation_win_powershell_base64_mppreference.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", + "value": "Powershell Base64 Encoded MpPreference Cmdlet" + }, { "description": "Detects Obfuscated Powershell via Stdin in Scripts", "meta": { @@ -68164,7 +68444,7 @@ { "description": "Detects different loaders as described in various threat reports on Lazarus group activity", "meta": { - "author": "Florian Roth, wagga", + "author": "Florian Roth (Nextron Systems), wagga", "creation_date": "2020/12/23", "falsepositive": [ "Unknown" @@ -68174,8 +68454,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://www.hvs-consulting.de/lazarus-report/", + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml" ], "tags": [ @@ -68209,9 +68489,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://www.joeware.net/freetools/tools/adfind/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" ], "tags": [ @@ -68225,7 +68505,7 @@ { "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/16", "falsepositive": [ "Unknown" @@ -68235,8 +68515,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml" ], "tags": "No established tags" @@ -68324,8 +68604,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml" ], "tags": [ @@ -68358,8 +68638,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", "https://github.com/ch2sh/Jlaive", + "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml" ], "tags": [ @@ -68393,8 +68673,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml" ], "tags": [ @@ -68408,7 +68688,7 @@ { "description": "Detects the use of the lesser known remote execution tool named CsExec (a PsExec alternative)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/22", "falsepositive": [ "Unknown" @@ -68418,8 +68698,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/malcomvetter/CSExec", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://github.com/malcomvetter/CSExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml" ], "tags": [ @@ -68477,7 +68757,7 @@ { "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/14", "falsepositive": [ "Unknown" @@ -68510,7 +68790,7 @@ { "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/08", "falsepositive": [ "Unknown" @@ -68572,7 +68852,7 @@ { "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Unknown" @@ -68583,9 +68863,9 @@ "logsource.product": "windows", "refs": [ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" ], "tags": [ @@ -68608,7 +68888,7 @@ { "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/27", "falsepositive": [ "Unknown" @@ -68629,7 +68909,7 @@ { "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", "meta": { - "author": "Florian Roth, Tigzy", + "author": "Florian Roth (Nextron Systems), Tigzy", "creation_date": "2021/11/17", "falsepositive": [ "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" @@ -68705,8 +68985,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/sensepost/ruler", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://github.com/sensepost/ruler", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml" ], "tags": [ @@ -68737,7 +69017,7 @@ { "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/06/19", "falsepositive": [ "Unknown, maybe some security software installer disables these features temporarily" @@ -68761,7 +69041,7 @@ { "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/05", "falsepositive": [ "Unknown" @@ -68784,7 +69064,7 @@ { "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/02", "falsepositive": [ "Unknown" @@ -68794,21 +69074,21 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/calebstewart/CVE-2021-1675", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/samratashok/nishang", "https://github.com/besimorhino/powercat", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/HarmJ0y/DAMP", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://adsecurity.org/?p=2921", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/samratashok/nishang", + "https://github.com/calebstewart/CVE-2021-1675", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://adsecurity.org/?p=2921", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml" ], "tags": [ @@ -68900,7 +69180,7 @@ { "description": "This command line patterns found in BlackByte Ransomware operations", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/25", "falsepositive": [ "Unknown" @@ -68963,7 +69243,7 @@ { "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/26", "falsepositive": [ "Unknown" @@ -68984,7 +69264,7 @@ { "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/02/09", "falsepositive": [ "Unknown" @@ -69008,7 +69288,7 @@ { "description": "Detects the execution of a renamed office binaries", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/20", "falsepositive": [ "Unknown" @@ -69031,7 +69311,7 @@ { "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", "meta": { - "author": "Florian Roth, omkar72, oscd.community", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "creation_date": "2021/02/24", "falsepositive": [ "Admin activity (unclear what they do nowadays with finger.exe)" @@ -69066,7 +69346,7 @@ { "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/01/11", "falsepositive": [ "Unknown" @@ -69136,9 +69416,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml" ], "tags": [ @@ -69161,7 +69441,7 @@ { "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th postiional argument", "meta": { - "author": "Nasreddine Bencherchali, memory-shards", + "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "creation_date": "2022/12/24", "falsepositive": [ "Legitimate use via Intune management. You exclude script paths and names to reduce FP rate" @@ -69171,10 +69451,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://twitter.com/lefterispan/status/1286259016436514816", "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml" ], "tags": [ @@ -69197,7 +69477,7 @@ { "description": "Detects execution of renamed version of PAExec. Often used by attackers", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/22", "falsepositive": [ "Weird admins that rename their tools", @@ -69264,7 +69544,7 @@ { "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/08/30", "falsepositive": [ "Unknown" @@ -69295,45 +69575,10 @@ "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", "value": "UAC Bypass Using NTFS Reparse Point - Process" }, - { - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/12", - "falsepositive": [ - "Administrative activity using a remote port forwarding to a local port" - ], - "filename": "proc_creation_win_susp_ssh_port_forward.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_port_forward.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" - ] - }, - "related": [ - { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", - "value": "Suspicious SSH Port Forwarding" - }, { "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/01", "falsepositive": [ "Legitimate \".xbap\" being executed via \"PresentationHost\"" @@ -69367,7 +69612,7 @@ { "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/13", "falsepositive": [ "Unknown", @@ -69412,7 +69657,7 @@ { "description": "Detects execution of of Dxcap.exe", "meta": { - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (update)", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/10/26", "falsepositive": [ "Legitimate execution of dxcap.exe by legitimate user" @@ -69422,8 +69667,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", "https://twitter.com/harr0ey/status/992008180904419328", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" ], "tags": [ @@ -69514,7 +69759,7 @@ { "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/06", "falsepositive": [ "Unknown" @@ -69549,7 +69794,7 @@ { "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/09/20", "falsepositive": [ "Windows installed on non-C drive" @@ -69723,7 +69968,7 @@ { "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2023/01/21", "falsepositive": [ "Unknown" @@ -69755,8 +70000,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.radmin.fr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://www.radmin.fr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml" ], "tags": [ @@ -69771,7 +70016,7 @@ { "description": "Detects a command used by conti to find volume shadow backups", "meta": { - "author": "Max Altgelt, Tobias Michalski", + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "creation_date": "2021/08/09", "falsepositive": [ "Unknown" @@ -69781,8 +70026,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" ], "tags": [ @@ -69863,7 +70108,7 @@ { "description": "Detects suspicious scheduled task creations with commands that are uncommon", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/23", "falsepositive": [ "Software installers that run from temporary folders and also install scheduled tasks" @@ -69896,7 +70141,7 @@ { "description": "Detects a highly relevant Antivirus alert that reports a password dumper", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/09/09", "falsepositive": [ "Unlikely" @@ -69906,8 +70151,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", + "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], @@ -69958,8 +70203,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://twitter.com/mvelazco/status/1410291741241102338", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://twitter.com/mvelazco/status/1410291741241102338", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml" ], @@ -69974,7 +70219,7 @@ { "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", "meta": { - "author": "Florian Roth, Arnim Rupp", + "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2018/09/09", "falsepositive": [ "Unlikely" @@ -70007,7 +70252,7 @@ { "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", "meta": { - "author": "Florian Roth, Arnim Rupp", + "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2018/09/09", "falsepositive": [ "Unlikely" @@ -70017,8 +70262,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", + "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" @@ -70052,7 +70297,7 @@ { "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool", "meta": { - "author": "Florian Roth, Arnim Rupp", + "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2021/08/16", "falsepositive": [ "Unlikely" @@ -70086,7 +70331,7 @@ { "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.", "meta": { - "author": "Florian Roth, Arnim Rupp", + "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2018/09/09", "falsepositive": [ "Unlikely" @@ -70098,14 +70343,14 @@ "refs": [ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://github.com/tennc/webshell", - "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ @@ -70119,7 +70364,7 @@ { "description": "Detects a highly relevant Antivirus alert that reports ransomware", "meta": { - "author": "Florian Roth, Arnim Rupp", + "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2022/05/12", "falsepositive": [ "Unlikely" @@ -70129,12 +70374,12 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", - "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", + "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", + "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", + "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ @@ -70198,84 +70443,6 @@ "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5", "value": "Suspicious SQL Query" }, - { - "description": "Detects an issue in apache logs that reports threading related errors", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/01/22", - "falsepositive": [ - "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" - ], - "filename": "web_apache_threading_error.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "No established product", - "refs": [ - "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/product/apache/web_apache_threading_error.yml" - ], - "tags": "No established tags" - }, - "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", - "value": "Apache Threading Error" - }, - { - "description": "Detects a segmentation fault error message caused by a creashing apache worker process", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/28", - "falsepositive": [ - "Unknown" - ], - "filename": "web_apache_segfault.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "No established product", - "refs": [ - "http://www.securityfocus.com/infocus/1633", - "https://github.com/SigmaHQ/sigma/tree/master/rules/product/apache/web_apache_segfault.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499.004" - ] - }, - "related": [ - { - "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1", - "value": "Apache Segmentation Fault" - }, - { - "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/28", - "falsepositive": [ - "Vulnerability scanners", - "Frequent attacks if system faces Internet" - ], - "filename": "modsec_mulitple_blocks.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "modsecurity", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/product/modsecurity/modsec_mulitple_blocks.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499" - ] - }, - "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", - "value": "Multiple Modsecurity Blocks" - }, { "description": "Detects when an security threat is detected in Okta.", "meta": { @@ -70290,8 +70457,8 @@ "logsource.product": "okta", "refs": [ "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": "No established tags" @@ -70312,8 +70479,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -70346,8 +70513,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ @@ -70370,8 +70537,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -70394,8 +70561,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -70418,8 +70585,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -70442,8 +70609,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -70466,8 +70633,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -70500,8 +70667,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -70524,8 +70691,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -70548,8 +70715,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -70572,8 +70739,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -70610,8 +70777,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -70795,10 +70962,10 @@ "logsource.product": "m365", "refs": [ "https://www.sygnia.co/golden-saml-advisory", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://o365blog.com/post/aadbackdoor/", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" ], "tags": [ @@ -71094,6 +71261,39 @@ "uuid": "0f2468a2-5055-4212-a368-7321198ee706", "value": "Activity from Infrequent Country" }, + { + "description": "Detects when a new member is added or invited to a github organization.", + "meta": { + "author": "Muhammad Faisal", + "creation_date": "2023/01/29", + "falsepositive": [ + "Organization approved new members" + ], + "filename": "github_new_org_member.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "github", + "refs": [ + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_new_org_member.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.003" + ] + }, + "related": [ + { + "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3908d64a-3c06-4091-b503-b3a94424533b", + "value": "New Github Organization Member Added" + }, { "description": "Detects when a user creates action secret for the organization, environment, codespaces or repository.", "meta": { @@ -71111,7 +71311,10 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_new_secret_created.yml" ], "tags": [ - "attack.t1078", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access", "attack.t1078.004" ] }, @@ -71145,6 +71348,7 @@ ], "tags": [ "attack.impact", + "attack.collection", "attack.t1213.003" ] }, @@ -71161,7 +71365,7 @@ "value": "Github Delete Action Invoked" }, { - "description": "Detects when an organization member or outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.", + "description": "Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.\n", "meta": { "author": "Muhammad Faisal", "creation_date": "2023/01/20", @@ -71174,14 +71378,16 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml" ], "tags": [ + "attack.persistence", + "attack.collection", "attack.t1098.001", - "attack.t1213.003", - "attack.t1098.003" + "attack.t1098.003", + "attack.t1213.003" ] }, "related": [ @@ -71192,6 +71398,101 @@ ], "type": "related-to" }, + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "eaa9ac35-1730-441f-9587-25767bde99d7", + "value": "Github Outside Collaborator Detected" + }, + { + "description": "Detects when a user disables a critical security feature for an organization.", + "meta": { + "author": "Muhammad Faisal", + "creation_date": "2023/01/29", + "falsepositive": [ + "Approved administrator/owner activities." + ], + "filename": "github_disable_high_risk_configuration.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "github", + "refs": [ + "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.persistence", + "attack.t1556" + ] + }, + "related": [ + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8622c92d-c00e-463c-b09d-fd06166f6794", + "value": "Github High Risk Configuration Disabled" + }, + { + "description": "A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.\nThis rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,\nit should be validated from GitHub UI becasue the log entry may not provide full context.\n", + "meta": { + "author": "Muhammad Faisal", + "creation_date": "2023/01/27", + "falsepositive": [ + "Allowed self-hosted runners changes in the envrionment.", + "A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.", + "An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day." + ], + "filename": "github_self_hosted_runner_changes_detected.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "github", + "refs": [ + "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml" + ], + "tags": [ + "attack.impact", + "attack.discovery", + "attack.collection", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1526", + "attack.t1213.003", + "attack.t1078.004" + ] + }, + "related": [ + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "tags": [ @@ -71200,15 +71501,49 @@ "type": "related-to" }, { - "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "eaa9ac35-1730-441f-9587-25767bde99d7", - "value": "Github Outside Collaborator Detected" + "uuid": "f8ed0e8f-7438-4b79-85eb-f358ef2fbebd", + "value": "Github Self Hosted Runner Changes Detected" + }, + { + "description": "Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.\nThis rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.\n", + "meta": { + "author": "Muhammad Faisal", + "creation_date": "2023/01/27", + "falsepositive": [ + "Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes." + ], + "filename": "github_disabled_outdated_dependency_or_vulnerability.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "github", + "refs": [ + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1195.001" + ] + }, + "related": [ + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "34e1c7d4-0cd5-419d-9f1b-1dad3f61018d", + "value": "Outdated Dependency Or Vulnerability Alert Disabled" }, { "description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.", @@ -71320,11 +71655,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://github.com/elastic/detection-rules/pull/1267", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://github.com/elastic/detection-rules/pull/1267", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -71372,9 +71707,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://cloud.google.com/kubernetes-engine/docs", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" ], "tags": [ @@ -71425,8 +71760,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" ], "tags": [ @@ -71629,9 +71964,9 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" ], "tags": [ @@ -71654,8 +71989,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -71841,13 +72176,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://github.com/elastic/detection-rules/pull/1145/files", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -72573,8 +72908,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", + "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml" ], @@ -72806,8 +73141,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" ], @@ -73071,13 +73406,15 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_legacy_authentication_protocols.yml" ], "tags": [ + "attack.initial_access", "attack.credential_access", - "attack.t1212" + "attack.t1078.004", + "attack.t1110" ] }, "related": [ { - "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -73104,9 +73441,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml" ], "tags": [ - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", "value": "End User Consent" }, @@ -73129,10 +73476,21 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml" ], "tags": [ + "attack.initial_access", "attack.credential_access", - "attack.t1110" + "attack.t1110", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b4a6d707-9430-4f5f-af68-0337f52d5c42", "value": "Sign-in Failure Due to Conditional Access Requirements Not Met" }, @@ -73153,9 +73511,20 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml" ], "tags": [ - "attack.persistence" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1098.003" ] }, + "related": [ + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", "value": "App Role Added" }, @@ -73206,7 +73575,8 @@ "attack.credential_access", "attack.t1556", "attack.persistence", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1098" ] }, "related": [ @@ -73216,6 +73586,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", @@ -73335,9 +73712,20 @@ ], "tags": [ "attack.credential_access", - "attack.t1110" + "attack.initial_access", + "attack.t1110", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf", "value": "User Access Blocked by Azure Conditional Access" }, @@ -73358,11 +73746,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1078" + "attack.persistence", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", "value": "Temporary Access Pass Added To An Account" }, @@ -73567,9 +73963,18 @@ ], "tags": [ "attack.defense_evasion", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0413867-daf3-43dd-9245-734b3a787942", "value": "Bitlocker Key Retrieval" }, @@ -73590,15 +73995,13 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_owner_added.yml" ], "tags": [ - "attack.t1528", - "attack.persistence", - "attack.credential_access", - "attack.defense_evasion" + "attack.t1552", + "attack.credential_access" ] }, "related": [ { - "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -73650,9 +74053,20 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_password_change.yml" ], "tags": [ - "attack.t1078" + "attack.persistence", + "attack.credential_access", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", "value": "Password Reset By User Account" }, @@ -73673,13 +74087,22 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_addition_ca_modification.yml" ], "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1098" + "attack.t1548", + "attack.t1556" ] }, "related": [ { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -73706,9 +74129,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml" ], "tags": [ - "attack.t1078" + "attack.initial_access", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9", "value": "Users Authenticating To Other Azure AD Tenants" }, @@ -73800,8 +74233,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" ], "tags": [ @@ -73828,13 +74261,13 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_added.yml" ], "tags": [ - "attack.t1098", + "attack.t1098.001", "attack.persistence" ] }, "related": [ { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -74021,11 +74454,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -74109,13 +74542,14 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_add.yml" ], "tags": [ - "attack.persistence", - "attack.t1098" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -74199,9 +74633,21 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" ], "tags": [ - "attack.t1078" + "attack.initial_access", + "attack.credential_access", + "attack.t1078.004", + "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", "value": "Successful Authentications From Countries You Do Not Operate Out Of" }, @@ -74307,9 +74753,18 @@ ], "tags": [ "attack.defense_evasion", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", "value": "Device Registration or Join Without MFA" }, @@ -74388,9 +74843,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml" ], "tags": [ - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c1d147ae-a951-48e5-8b41-dcd0170c7213", "value": "App Granted Microsoft Permissions" }, @@ -74413,7 +74878,9 @@ ], "tags": [ "attack.defense_evasion", - "attack.t1548" + "attack.persistence", + "attack.t1548", + "attack.t1556" ] }, "related": [ @@ -74423,6 +74890,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", @@ -74478,9 +74952,20 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml" ], "tags": [ - "attack.privilege_escalation" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1098.003" ] }, + "related": [ + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", "value": "App Granted Privileged Delegated Or App Permissions" }, @@ -74603,7 +75088,9 @@ ], "tags": [ "attack.defense_evasion", - "attack.t1548" + "attack.persistence", + "attack.t1548", + "attack.t1556" ] }, "related": [ @@ -74613,6 +75100,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", @@ -74660,7 +75154,7 @@ ], "tags": [ "attack.privilege_escalation", - "attack.defense_evasion", + "attack.persistence", "attack.t1078.004" ] }, @@ -74694,9 +75188,19 @@ ], "tags": [ "attack.defense_evasion", - "attack.t1078" + "attack.privilege_escalation", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "11c767ae-500b-423b-bae3-b234450736ed", "value": "Users Added to Global or Device Admin Roles" }, @@ -74751,9 +75255,18 @@ ], "tags": [ "attack.defense_evasion", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", "value": "Sign-ins by Unknown Devices" }, @@ -74775,7 +75288,10 @@ ], "tags": [ "attack.initial_access", - "attack.t1078.004" + "attack.credential_access", + "attack.t1078.004", + "attack.t1110", + "attack.t1621" ] }, "related": [ @@ -74785,6 +75301,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", @@ -74808,6 +75331,7 @@ ], "tags": [ "attack.privilege_escalation", + "attack.initial_access", "attack.t1078.004" ] }, @@ -74866,7 +75390,10 @@ ], "tags": [ "attack.initial_access", - "attack.t1078.004" + "attack.credential_access", + "attack.t1078.004", + "attack.t1110", + "attack.t1621" ] }, "related": [ @@ -74876,6 +75403,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", @@ -74898,19 +75432,11 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_alerts_disabled.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1484" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" ] }, - "related": [ - { - "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", "value": "PIM Alert Setting Changes To Disabled" }, @@ -74960,11 +75486,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -74992,8 +75518,10 @@ ], "tags": [ "attack.t1528", + "attack.t1078.004", "attack.persistence", - "attack.credential_access" + "attack.credential_access", + "attack.privilege_escalation" ] }, "related": [ @@ -75003,6 +75531,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", @@ -75022,11 +75557,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" ], "tags": [ @@ -75114,9 +75649,21 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" ], "tags": [ - "attack.t1078" + "attack.initial_access", + "attack.credential_access", + "attack.t1078.004", + "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", "value": "Failed Authentications From Countries You Do Not Operate Out Of" }, @@ -75137,14 +75684,23 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml" ], "tags": [ - "attack.t1528", "attack.persistence", - "attack.credential_access" + "attack.credential_access", + "attack.privilege_escalation", + "attack.t1552", + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -75168,11 +75724,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -75228,8 +75784,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -75268,7 +75824,9 @@ ], "tags": [ "attack.persistence", - "attack.t1098.003" + "attack.privilege_escalation", + "attack.t1098.003", + "attack.t1078" ] }, "related": [ @@ -75297,10 +75855,10 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" ], "tags": [ @@ -75363,9 +75921,18 @@ ], "tags": [ "attack.privilege_escalation", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d", "value": "PIM Approvals And Deny Elevation" }, @@ -75383,11 +75950,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -75415,9 +75982,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml" ], "tags": [ - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", "value": "Delegated Permissions Granted For All Users" }, @@ -75612,7 +76189,10 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml" ], "tags": [ - "attack.t1078.004" + "attack.initial_access", + "attack.credential_access", + "attack.t1078.004", + "attack.t1556.006" ] }, "related": [ @@ -75622,6 +76202,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", @@ -75645,9 +76232,18 @@ ], "tags": [ "attack.defense_evasion", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", "value": "Sign-ins from Non-Compliant Devices" }, @@ -75725,13 +76321,22 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml" ], "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.t1098" + "attack.t1548", + "attack.t1556" ] }, "related": [ { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -75842,9 +76447,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent_blocked.yml" ], "tags": [ - "attack.privilege_escalation" + "attack.credential_access", + "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7091372f-623c-4293-bc37-20c32b3492be", "value": "End User Consent Blocked" }, @@ -75866,10 +76481,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_blocked_account_attempt.yml" ], "tags": [ - "attack.credential_access", - "attack.t1110" + "attack.initial_access", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", "value": "Account Disabled or Blocked for Sign in Attempts" }, @@ -75948,11 +76572,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -75977,11 +76601,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -76001,10 +76625,2174 @@ "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", "value": "Azure Kubernetes Service Account Modified or Deleted" }, + { + "description": "Detects an issue in apache logs that reports threading related errors", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/01/22", + "falsepositive": [ + "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" + ], + "filename": "web_apache_threading_error.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/apache/web_apache_threading_error.yml" + ], + "tags": "No established tags" + }, + "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", + "value": "Apache Threading Error" + }, + { + "description": "Detects a segmentation fault error message caused by a creashing apache worker process", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "web_apache_segfault.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "http://www.securityfocus.com/infocus/1633", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/apache/web_apache_segfault.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ] + }, + "related": [ + { + "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1", + "value": "Apache Segmentation Fault" + }, + { + "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/02/28", + "falsepositive": [ + "Vulnerability scanners", + "Frequent attacks if system faces Internet" + ], + "filename": "modsec_mulitple_blocks.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "modsecurity", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/modsecurity/modsec_mulitple_blocks.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499" + ] + }, + "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", + "value": "Multiple Modsecurity Blocks" + }, + { + "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/03/10", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_21978_vmware_view_planner_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/wugeej/status/1369476795255320580", + "https://paper.seebug.org/1495/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_21978_vmware_view_planner_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.21978" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9", + "value": "CVE-2021-21978 Exploitation Attempt" + }, + { + "description": "Detects Windows Webshells that use GET requests via access logs", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "creation_date": "2017/02/19", + "falsepositive": [ + "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", + "User searches in search boxes of the respective website" + ], + "filename": "web_win_webshells_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", + "value": "Windows Webshell Strings" + }, + { + "description": "Detects exploitation attempts on WebLogic servers", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/11/02", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_14882_weblogic_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/jas502n/status/1321416053050667009?s=20", + "https://isc.sans.edu/diary/26734", + "https://twitter.com/sudo_sudoka/status/1323951871078223874", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.14882" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b", + "value": "Oracle WebLogic Exploit CVE-2020-14882" + }, + { + "description": "Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection", + "meta": { + "author": "Sittikorn S, Nuttakorn T", + "creation_date": "2022/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_26084_confluence_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/", + "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", + "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", + "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26084_confluence_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "38825179-3c78-4fed-b222-2e2166b926b1", + "value": "Potential CVE-2021-26084 Exploitation Attempt" + }, + { + "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/01/25", + "falsepositive": [ + "Unknown" + ], + "filename": "web_sonicwall_jarrewrite_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sonicwall_jarrewrite_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6f55f047-112b-4101-ad32-43913f52db46", + "value": "SonicWall SSL/VPN Jarrewrite Exploit" + }, + { + "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/03/03", + "falsepositive": [ + "Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related" + ], + "filename": "web_exchange_exploitation_hafnium.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2", + "value": "Exchange Exploitation Used by HAFNIUM" + }, + { + "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/12/17", + "falsepositive": [ + "Unknown" + ], + "filename": "web_solarwinds_supernova_webshell.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", + "https://www.anquanke.com/post/id/226029", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_solarwinds_supernova_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db", + "value": "Solarwinds SUPERNOVA Webshell Access" + }, + { + "description": "Detects access to a webshell dropped into a keystore folder on the WebLogic server", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/07/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2018_2894_weblogic_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/pyn3rd/status/1020620932967223296", + "https://github.com/LandGrey/CVE-2018-2894", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2018_2894_weblogic_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.t1505.003", + "cve.2018.2894" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", + "value": "Oracle WebLogic Exploit" + }, + { + "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/07/10", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_8193_8195_citrix_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://dmaasland.github.io/posts/citrix.html", + "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", + "https://support.citrix.com/article/CTX276688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7", + "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195" + }, + { + "description": "Detects a successful Grafana path traversal exploitation", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/12/08", + "falsepositive": [ + "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error" + ], + "filename": "web_cve_2021_43798_grafana.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", + "https://github.com/search?q=CVE-2021-43798", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_43798_grafana.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16", + "value": "Grafana Path Traversal Exploitation CVE-2021-43798" + }, + { + "description": "Detects exploitation attempt using the JDNIExploiit Kit", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/12/12", + "falsepositive": [ + "Legitimate apps the use these paths" + ], + "filename": "web_jndi_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/pimps/JNDI-Exploit-Kit", + "https://githubmemory.com/repo/FunctFan/JNDIExploit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml" + ], + "tags": "No established tags" + }, + "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", + "value": "JNDIExploit Pattern" + }, + { + "description": "Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/12/11", + "falsepositive": [ + "Vulnerability Scanners" + ], + "filename": "web_cve_2021_27905_apache_solr_exploit.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/murataydemir/CVE-2021-27905", + "https://twitter.com/Al1ex4/status/1382981479727128580", + "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/", + "https://twitter.com/sec715/status/1373472323538362371", + "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_27905_apache_solr_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.27905" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0bbcd74b-0596-41a4-94a0-4e88a76ffdb3", + "value": "Potential CVE-2021-27905 Exploitation Attempt" + }, + { + "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2022_27925_exploit.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/vnhacker1337/CVE-2022-27925-PoC", + "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", + "https://www.yang99.top/index.php/archives/82/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_27925_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.27925" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd", + "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE" + }, + { + "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/29", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", + "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", + "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", + "https://twitter.com/_0xf4n9x_/status/1572052954538192901", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.36804" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685", + "value": "Atlassian Bitbucket Command Injection Via Archive API" + }, + { + "description": "Detects SQL Injection attempts via GET requests in access logs", + "meta": { + "author": "Saw Win Naung, Nasreddine Bencherchali", + "creation_date": "2020/02/22", + "falsepositive": [ + "Java scripts and CSS Files", + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_sql_injection_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://brightsec.com/blog/sql-injection-payloads/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://github.com/payloadbox/sql-injection-payload-list", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", + "value": "SQL Injection Strings" + }, + { + "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "web_exchange_owassrf_poc_exploitation.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "92d78c63-5a5c-4c40-9b60-463810ffb082", + "value": "OWASSRF Exploitation Attempt Using Public POC - Webserver" + }, + { + "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_26814_wzuh_rce.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26814_wzuh_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.21978", + "cve.2021.26814" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", + "value": "Exploitation of CVE-2021-26814 in Wazuh" + }, + { + "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/22", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_exchange_owassrf_exploitation.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_exploitation.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "181f49fa-0b21-4665-a98c-a57025ebb8c7", + "value": "Potential OWASSRF Exploitation Attempt - Webserver" + }, + { + "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/05/31", + "falsepositive": [ + "Serious issues with a configuration or plugin" + ], + "filename": "web_nginx_core_dump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", + "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_nginx_core_dump.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ] + }, + "related": [ + { + "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", + "value": "Nginx Core Dump" + }, + { + "description": "This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/06/29", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22893_pulse_secure_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5525edac-f599-4bfd-b926-3fa69860e766", + "value": "Pulse Connect Secure RCE Attack CVE-2021-22893" + }, + { + "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.\n", + "meta": { + "author": "Subhash Popuri (@pbssubhash)", + "creation_date": "2021/08/25", + "falsepositive": [ + "Scanning from Nuclei", + "Unknown" + ], + "filename": "web_cve_2010_5278_exploitation_attempt.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2010_5278_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", + "value": "CVE-2010-5278 Exploitation Attempt" + }, + { + "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", + "meta": { + "author": "James Ahearn", + "creation_date": "2019/06/08", + "falsepositive": [ + "Unknown" + ], + "filename": "web_source_code_enumeration.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", + "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", + "value": "Source Code Enumeration Detection by Keyword" + }, + { + "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/07/05", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_5902_f5_bigip.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/yorickkoster/status/1279709009151434754", + "https://support.f5.com/csp/article/K52145254", + "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", + "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478", + "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt" + }, + { + "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/02/24", + "falsepositive": [ + "OVA uploads to your VSphere appliance" + ], + "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", + "https://swarm.ptsecurity.com/unauth-rce-vmware", + "https://f5.pm/go-59627.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "179ed852-0f9b-4009-93a7-68475910fd86", + "value": "CVE-2021-21972 VSphere Exploitation" + }, + { + "description": "Detects possible exploitation activity or bugs in a web application", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Unstable application", + "Application that misuses the response codes" + ], + "filename": "web_multiple_susp_resp_codes_single_source.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_multiple_susp_resp_codes_single_source.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af", + "value": "Multiple Suspicious Resp Codes Caused by Single Client" + }, + { + "description": "Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/27", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_46169_cacti_exploitation_attempt.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/0xf4n9x/CVE-2022-46169", + "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", + "https://github.com/rapid7/metasploit-framework/pull/17407", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.46169" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "738cb115-881f-4df3-82cc-56ab02fc5192", + "value": "Potential CVE-2022-46169 Exploitation Attempt" + }, + { + "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/12/10", + "falsepositive": [ + "Vulnerability scanning" + ], + "filename": "web_cve_2021_44228_log4j_fields.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://news.ycombinator.com/item?id=29504755", + "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9be472ed-893c-4ec0-94da-312d2765f654", + "value": "Log4j RCE CVE-2021-44228 in Fields" + }, + { + "description": "Detects access to DEWMODE webshell as described in FIREEYE report", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/02/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_unc2546_dewmode_php_webshell.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_unc2546_dewmode_php_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", + "value": "DEWMODE Webshell Access" + }, + { + "description": "Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/11/18", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_11510_pulsesecure_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.exploit-db.com/exploits/47297", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_11510_pulsesecure_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", + "value": "Pulse Secure Attack CVE-2019-11510" + }, + { + "description": "Detects possible Java payloads in web access logs", + "meta": { + "author": "frack113, Harjot Singh, \"@cyb3rjy0t\" (update)", + "creation_date": "2022/06/04", + "falsepositive": [ + "Legitimate apps" + ], + "filename": "web_java_payload_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" + ], + "tags": [ + "cve.2022.26134", + "cve.2021.26084" + ] + }, + "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", + "value": "Java Payload Strings" + }, + { + "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/05/14", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_28480_exchange_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_28480_exchange_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b", + "value": "Exchange Exploitation CVE-2021-28480" + }, + { + "description": "Detects XSS attempts injected via GET requests in access logs", + "meta": { + "author": "Saw Win Naung, Nasreddine Bencherchali", + "creation_date": "2021/08/15", + "falsepositive": [ + "JavaScripts,CSS Files and PNG files", + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_xss_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://portswigger.net/web-security/cross-site-scripting/contexts", + "https://github.com/payloadbox/xss-payload-list", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", + "value": "Cross Site Scripting Strings" + }, + { + "description": "Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/01/20", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_2109_weblogic_rce_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/pyn3rd/status/1351696768065409026", + "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_2109_weblogic_rce_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2021.2109" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "687f6504-7f44-4549-91fc-f07bab065821", + "value": "Oracle WebLogic Exploit CVE-2021-2109" + }, + { + "description": "Detects path traversal exploitation attempts", + "meta": { + "author": "Subhash Popuri (@pbssubhash), Florian Roth (generalisation)", + "creation_date": "2021/09/25", + "falsepositive": [ + "Happens all the time on systems exposed to the Internet", + "Internal vulnerability scanners" + ], + "filename": "web_path_traversal_exploitation_attempt.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35", + "value": "Path Traversal Exploitation Attempts" + }, + { + "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/11/17", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_42237_sitecore_report_ashx.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://blog.assetnote.io/2021/11/02/sitecore-rce/", + "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f", + "value": "Sitecore Pre-Auth RCE CVE-2021-42237" + }, + { + "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/19", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_33891_spark_shell_command_injection.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/apache/spark/pull/36315/files", + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.33891" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c", + "value": "Apache Spark Shell Command Injection - Weblogs" + }, + { + "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", + "creation_date": "2022/07/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_susp_useragents.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", + "value": "Suspicious User-Agents Related To Recon Tools" + }, + { + "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/12", + "falsepositive": [ + "Vulnerability scanners", + "Legitimate access to the URI" + ], + "filename": "web_cve_2022_31659_vmware_rce.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_31659_vmware_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706", + "value": "CVE-2022-31659 VMware Workspace ONE Access RCE" + }, + { + "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/12/08", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2018_13379_fortinet_preauth_read_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a2e97350-4285-43f2-a63f-d0daff291738", + "value": "Fortinet CVE-2018-13379 Exploitation" + }, + { + "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs", + "meta": { + "author": "Bhabesh Raj, Florian Roth", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_22123_fortinet_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22123_fortinet_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4", + "value": "Fortinet CVE-2021-22123 Exploitation" + }, + { + "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)", + "meta": { + "author": "Florian Roth (Nextron Systems), Rich Warren", + "creation_date": "2021/08/07", + "falsepositive": [ + "Unknown" + ], + "filename": "web_exchange_proxyshell.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://youtu.be/5mqid-7zp8k?t=2231", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef", + "value": "Exchange ProxyShell Pattern" + }, + { + "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers", + "meta": { + "author": "Florian Roth (Nextron Systems), Rich Warren", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "web_exchange_proxyshell_successful.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://youtu.be/5mqid-7zp8k?t=2231", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml" + ], + "tags": [ + "attack.initial_access" + ] + }, + "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8", + "value": "Successful Exchange ProxyShell Attack" + }, + { + "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/08/04", + "falsepositive": [ + "Web applications that use the same URL parameters as ReGeorg" + ], + "filename": "web_webshell_regeorg.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/sensepost/reGeorg", + "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", + "value": "Webshell ReGeorg Detection Via Web Logs" + }, + { + "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/12/10", + "falsepositive": [ + "Vulnerability scanning" + ], + "filename": "web_cve_2021_44228_log4j.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://news.ycombinator.com/item?id=29504755", + "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702", + "value": "Log4j RCE CVE-2021-44228 Generic" + }, + { + "description": "Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/20", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_44877_exploitation_attempt.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://seclists.org/fulldisclosure/2023/Jan/1", + "https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_44877_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.44877" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1b2eeb27-949b-4704-8bfa-d8e5cfa045a1", + "value": "Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877" + }, + { + "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_3398_confluence.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_3398_confluence.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b", + "value": "Confluence Exploitation CVE-2019-3398" + }, + { + "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766", + "meta": { + "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_33766_msexchange_proxytoken.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_33766_msexchange_proxytoken.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a", + "value": "CVE-2021-33766 Exchange ProxyToken Exploitation" + }, + { + "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", + "https://www.tenable.com/security/research/tra-2021-13", + "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.20090", + "cve.2021.20091" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f0500377-bc70-425d-ac8c-e956cd906871", + "value": "Arcadyan Router Exploitations" + }, + { + "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/01/25", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/", + "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_28188_terramaster_rce_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.28188" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e", + "value": "TerraMaster TOS CVE-2020-28188" + }, + { + "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts", + "meta": { + "author": "Bhabesh Raj, Tim Shelton", + "creation_date": "2020/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_10148_solarwinds_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://kb.cert.org/vuls/id/843464", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_10148_solarwinds_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af", + "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass" + }, + { + "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/09/24", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_22005_vmware_file_upload.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://kb.vmware.com/s/article/85717", + "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22005_vmware_file_upload.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec", + "value": "VMware vCenter Server File Upload CVE-2021-22005" + }, + { + "description": "Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\n", + "meta": { + "author": "daffainfo, Florian Roth", + "creation_date": "2021/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_41773_apache_path_traversal.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml", + "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782", + "https://twitter.com/h4x0r_dz/status/1445401960371429381", + "https://twitter.com/ptswarm/status/1445376079548624899", + "https://twitter.com/bl4sty/status/1445462677824761878", + "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_41773_apache_path_traversal.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5", + "value": "CVE-2021-41773 Exploitation Attempt" + }, + { + "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2014_6287_hfs_rce.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.exploit-db.com/exploits/39161", + "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", + "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.t1505.003", + "cve.2014.6287" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", + "value": "Rejetto HTTP File Server RCE" + }, + { + "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"", + "meta": { + "author": "frack113", + "creation_date": "2021/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "web_iis_tilt_shortname_scan.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.exploit-db.com/exploits/19525", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", + "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac", + "value": "Successful IIS Shortname Fuzzing Scan" + }, + { + "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/12", + "falsepositive": [ + "Vulnerability scanners" + ], + "filename": "web_cve_2022_31656_auth_bypass.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_31656_auth_bypass.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80", + "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass" + }, + { + "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/01/07", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_3452_cisco_asa_ftd.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", + "https://twitter.com/aboul3la/status/1286012324722155525", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.3452" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29", + "value": "Cisco ASA FTD Exploit CVE-2020-3452" + }, + { + "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539", + "meta": { + "author": "Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)", + "creation_date": "2021/09/20", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_40539_adselfservice.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_40539_adselfservice.yml" + ], + "tags": "No established tags" + }, + "uuid": "6702b13c-e421-44cc-ab33-42cc25570f11", + "value": "ADSelfService Exploitation" + }, + { + "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/02/29", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_0688_msexchange.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_0688_msexchange.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5", + "value": "CVE-2020-0688 Exchange Exploitation via Web Log" + }, + { + "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/06", + "falsepositive": [ + "Legitimate application and websites that use windows paths in their URL" + ], + "filename": "web_susp_windows_path_uri.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_windows_path_uri.yml" + ], + "tags": [ + "attack.persistence", + "attack.exfiltration", + "attack.t1505.003" + ] + }, + "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", + "value": "Suspicious Windows Strings In URI" + }, + { + "description": "Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack", + "meta": { + "author": "Arnim Rupp, Florian Roth", + "creation_date": "2020/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_19781_citrix_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://isc.sans.edu/diary/25686", + "https://support.citrix.com/article/CTX267679", + "https://support.citrix.com/article/CTX267027", + "https://twitter.com/mpgn_x64/status/1216787131210829826", + "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_19781_citrix_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756", + "value": "Citrix Netscaler Attack CVE-2019-19781" + }, + { + "description": "Detects CVE-2020-0688 Exploitation attempts", + "meta": { + "author": "NVISO", + "creation_date": "2020/02/27", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_0688_exchange_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/Ridter/cve-2020-0688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_0688_exchange_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", + "value": "CVE-2020-0688 Exploitation Attempt" + }, + { + "description": "Detects SSTI attempts sent via GET requests in access logs", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/14", + "falsepositive": [ + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_ssti_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/payloadbox/ssti-payloads", + "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", + "value": "Server Side Template Injection Strings" + }, + { + "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories", + "meta": { + "author": "frack113", + "creation_date": "2021/08/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "web_cve_2021_26858_iis_rce.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml" + ], + "tags": "No established tags" + }, + "uuid": "effee1f6-a932-4297-a81f-acb44064fa3a", + "value": "ProxyLogon Reset Virtual Directories Based On IIS Log" + }, + { + "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).", + "meta": { + "author": "Sittikorn S, Nuttakorn Tungpoonsup", + "creation_date": "2021/09/10", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", + "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", + "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit" + }, { "description": "Detects suspicious user agent strings used in APT malware in proxy logs", "meta": { - "author": "Florian Roth, Markus Neis", + "author": "Florian Roth (Nextron Systems), Markus Neis", "creation_date": "2019/11/12", "falsepositive": [ "Old browsers" @@ -76015,7 +78803,7 @@ "logsource.product": "No established product", "refs": [ "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_apt.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_apt.yml" ], "tags": [ "attack.command_and_control", @@ -76037,7 +78825,7 @@ { "description": "Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/08", "falsepositive": [ "Unknown" @@ -76048,7 +78836,7 @@ "logsource.product": "No established product", "refs": [ "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp_base64.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml" ], "tags": [ "attack.command_and_control", @@ -76070,7 +78858,7 @@ { "description": "Detects user agent and URI paths used by empire agents", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/13", "falsepositive": [ "Valid requests with this exact user agent to server scripts of the defined names" @@ -76081,7 +78869,7 @@ "logsource.product": "No established product", "refs": [ "https://github.com/BC-SECURITY/Empire", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empire_ua_uri_combos.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml" ], "tags": [ "attack.defense_evasion", @@ -76104,7 +78892,7 @@ { "description": "Detects Bitsadmin connections to domains with uncommon TLDs", "meta": { - "author": "Florian Roth, Tim Shelton", + "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2019/03/07", "falsepositive": [ "Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca" @@ -76116,7 +78904,7 @@ "refs": [ "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://twitter.com/jhencinski/status/1102695118455349248", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ "attack.command_and_control", @@ -76149,7 +78937,7 @@ { "description": "Detects Turla ComRAT patterns", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/05/26", "falsepositive": [ "Unknown" @@ -76160,7 +78948,7 @@ "logsource.product": "No established product", "refs": [ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_turla_comrat.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_turla_comrat.yml" ], "tags": [ "attack.defense_evasion", @@ -76184,7 +78972,7 @@ { "description": "Detects HTTP requests used by Chafer malware", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/01/31", "falsepositive": [ "Unknown" @@ -76195,7 +78983,7 @@ "logsource.product": "No established product", "refs": [ "https://securelist.com/chafer-used-remexi-malware/89538/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_chafer_malware.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_chafer_malware.yml" ], "tags": [ "attack.command_and_control", @@ -76217,7 +79005,7 @@ { "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/22", "falsepositive": [ "Unlikely" @@ -76230,7 +79018,7 @@ "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml" ], "tags": [ "attack.initial_access", @@ -76252,7 +79040,7 @@ { "description": "Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/07/08", "falsepositive": [ "Unknown" @@ -76263,7 +79051,7 @@ "logsource.product": "No established product", "refs": [ "https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_frameworks.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_frameworks.yml" ], "tags": [ "attack.command_and_control", @@ -76285,7 +79073,7 @@ { "description": "Detects WebDav DownloadCradle", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/04/06", "falsepositive": [ "Administrative scripts that download files from the Internet", @@ -76298,7 +79086,7 @@ "logsource.product": "No established product", "refs": [ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_downloadcradle_webdav.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml" ], "tags": [ "attack.command_and_control", @@ -76320,7 +79108,7 @@ { "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/11/08", "falsepositive": [ "Software downloads" @@ -76331,7 +79119,7 @@ "logsource.product": "No established product", "refs": [ "https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_dyndns.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_dyndns.yml" ], "tags": [ "attack.defense_evasion", @@ -76373,7 +79161,7 @@ "logsource.product": "No established product", "refs": [ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_onedrive.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_cobalt_onedrive.yml" ], "tags": [ "attack.defense_evasion", @@ -76396,7 +79184,7 @@ { "description": "Detects suspicious malformed user agent strings in proxy logs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/07/08", "falsepositive": [ "Unknown" @@ -76407,7 +79195,7 @@ "logsource.product": "No established product", "refs": [ "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp.yml" ], "tags": [ "attack.command_and_control", @@ -76429,7 +79217,7 @@ { "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/06/05", "falsepositive": [ "Legitimate use of Telegram bots in the company" @@ -76439,10 +79227,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml" + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ "attack.defense_evasion", @@ -76473,7 +79261,7 @@ { "description": "Detects executable downloads from suspicious remote systems", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/13", "falsepositive": [ "All kind of software downloads" @@ -76483,7 +79271,7 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_whitelist.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml" ], "tags": [ "attack.initial_access", @@ -76515,7 +79303,7 @@ { "description": "Detects suspicious user agent strings used by malware in proxy logs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/07/08", "falsepositive": [ "Unknown" @@ -76526,11 +79314,12 @@ "logsource.product": "No established product", "refs": [ "http://www.botopedia.org/search?searchword=scan&searchphrase=all", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "https://perishablepress.com/blacklist/ua-2013.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml" + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ "attack.command_and_control", @@ -76552,7 +79341,7 @@ { "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/10", "falsepositive": [ "Unknown" @@ -76562,7 +79351,7 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml" ], "tags": [ "attack.command_and_control", @@ -76605,9 +79394,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://rclone.org/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml" + "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml" ], "tags": [ "attack.exfiltration", @@ -76629,7 +79418,7 @@ { "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/22", "falsepositive": [ "Web vulnerability scanners" @@ -76641,7 +79430,7 @@ "refs": [ "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_exploitation.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml" ], "tags": [ "attack.initial_access", @@ -76663,7 +79452,7 @@ { "description": "Detects suspicious user agent strings used by crypto miners in proxy logs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/21", "falsepositive": [ "Unknown" @@ -76675,7 +79464,7 @@ "refs": [ "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml" ], "tags": [ "attack.command_and_control", @@ -76707,7 +79496,7 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_download_url.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml" ], "tags": [ "attack.command_and_control", @@ -76729,7 +79518,7 @@ { "description": "Detects URL pattern used by iOS Implant", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/08/30", "falsepositive": [ "Unknown" @@ -76741,7 +79530,7 @@ "refs": [ "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "https://twitter.com/craiu/status/1167358457344925696", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ios_implant.yml" ], "tags": [ "attack.execution", @@ -76790,7 +79579,7 @@ { "description": "Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/05/06", "falsepositive": [ "Unknown" @@ -76801,7 +79590,7 @@ "logsource.product": "No established product", "refs": [ "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_malformed_uas.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml" ], "tags": [ "attack.defense_evasion", @@ -76824,7 +79613,7 @@ { "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/12/05", "falsepositive": [ "User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)" @@ -76835,7 +79624,7 @@ "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/domain/paste.ee/relations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_raw_paste_service_access.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_raw_paste_service_access.yml" ], "tags": [ "attack.command_and_control", @@ -76886,7 +79675,7 @@ "refs": [ "https://www.advanced-port-scanner.com/", "https://www.advanced-ip-scanner.com/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml" ], "tags": [ "attack.discovery", @@ -76908,7 +79697,7 @@ { "description": "Detects download of certain file types from hosts in suspicious TLDs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/11/07", "falsepositive": [ "All kinds of software downloads" @@ -76919,10 +79708,10 @@ "logsource.product": "No established product", "refs": [ "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", - "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://www.spamhaus.org/statistics/tlds/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml" + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ "attack.initial_access", @@ -76954,7 +79743,7 @@ { "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/02/08", "falsepositive": [ "Unlikely" @@ -76965,7 +79754,7 @@ "logsource.product": "No established product", "refs": [ "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt_domestic_kitten.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_apt_domestic_kitten.yml" ], "tags": [ "attack.command_and_control" @@ -76989,7 +79778,7 @@ "refs": [ "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_cobalt_amazon.yml" ], "tags": [ "attack.defense_evasion", @@ -77012,7 +79801,7 @@ { "description": "Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/04/15", "falsepositive": [ "Unknown" @@ -77023,7 +79812,7 @@ "logsource.product": "No established product", "refs": [ "https://breakdev.org/pwndrop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_pwndrop.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pwndrop.yml" ], "tags": [ "attack.command_and_control", @@ -77072,7 +79861,7 @@ "logsource.product": "No established product", "refs": [ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_ocsp.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_cobalt_ocsp.yml" ], "tags": [ "attack.defense_evasion", @@ -77095,7 +79884,7 @@ { "description": "Detects Windows PowerShell Web Access", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/13", "falsepositive": [ "Administrative scripts that download files from the Internet", @@ -77107,7 +79896,7 @@ "logsource.product": "No established product", "refs": [ "https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_powershell_ua.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_powershell_ua.yml" ], "tags": [ "attack.defense_evasion", @@ -77141,7 +79930,7 @@ "logsource.product": "No established product", "refs": [ "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_java_class_download.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_java_class_download.yml" ], "tags": [ "attack.initial_access" @@ -77153,7 +79942,7 @@ { "description": "Detects Baby Shark C2 Framework communication patterns", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/06/09", "falsepositive": [ "Unknown" @@ -77164,7 +79953,7 @@ "logsource.product": "No established product", "refs": [ "https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_baby_shark.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_baby_shark.yml" ], "tags": [ "attack.command_and_control", @@ -77186,7 +79975,7 @@ { "description": "Detects suspicious user agent strings user by hack tools in proxy logs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/07/08", "falsepositive": [ "Unknown" @@ -77196,9 +79985,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml" + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ "attack.initial_access", @@ -77233,7 +80022,7 @@ "logsource.product": "No established product", "refs": [ "Internal research from Florian Roth", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt40.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_apt40.yml" ], "tags": [ "attack.command_and_control", @@ -77275,7 +80064,7 @@ "logsource.product": "No established product", "refs": [ "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_c2_url.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ursnif_malware_c2_url.yml" ], "tags": [ "attack.initial_access", @@ -77308,7 +80097,7 @@ { "description": "Detects suspicious empty user agent strings in proxy logs", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/07/08", "falsepositive": [ "Unknown" @@ -77319,7 +80108,7 @@ "logsource.product": "No established product", "refs": [ "https://twitter.com/Carlos_Perez/status/883455096645931008", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empty_ua.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_empty_ua.yml" ], "tags": [ "attack.defense_evasion", @@ -77342,7 +80131,7 @@ { "description": "Detects a flashplayer update from an unofficial location", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/10/25", "falsepositive": [ "Unknown flash download locations" @@ -77353,7 +80142,7 @@ "logsource.product": "No established product", "refs": [ "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_susp_flash_download_loc.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml" ], "tags": [ "attack.initial_access", @@ -77383,2092 +80172,6 @@ "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", "value": "Flash Player Update from Suspicious Location" }, - { - "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2020/03/10", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_21978_vmware_view_planner_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/wugeej/status/1369476795255320580", - "https://paper.seebug.org/1495/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2021.21978" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9", - "value": "CVE-2021-21978 Exploitation Attempt" - }, - { - "description": "Detects Windows Webshells that use GET requests via access logs", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2017/02/19", - "falsepositive": [ - "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", - "User searches in search boxes of the respective website" - ], - "filename": "web_win_webshells_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://bad-jubies.github.io/RCE-NOW-WHAT/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", - "value": "Windows Webshell Strings" - }, - { - "description": "Detects exploitation attempts on WebLogic servers", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/11/02", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_14882_weblogic_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/jas502n/status/1321416053050667009?s=20", - "https://twitter.com/sudo_sudoka/status/1323951871078223874", - "https://isc.sans.edu/diary/26734", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2020.14882" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b", - "value": "Oracle WebLogic Exploit CVE-2020-14882" - }, - { - "description": "Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection", - "meta": { - "author": "Sittikorn S, Nuttakorn T", - "creation_date": "2022/12/13", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_26084_confluence_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", - "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/", - "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", - "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "38825179-3c78-4fed-b222-2e2166b926b1", - "value": "Potential CVE-2021-26084 Exploitation Attempt" - }, - { - "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/01/25", - "falsepositive": [ - "Unknown" - ], - "filename": "web_sonicwall_jarrewrite_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sonicwall_jarrewrite_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6f55f047-112b-4101-ad32-43913f52db46", - "value": "SonicWall SSL/VPN Jarrewrite Exploit" - }, - { - "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/03/03", - "falsepositive": [ - "Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related" - ], - "filename": "web_exchange_exploitation_hafnium.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2", - "value": "Exchange Exploitation Used by HAFNIUM" - }, - { - "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/12/17", - "falsepositive": [ - "Unknown" - ], - "filename": "web_solarwinds_supernova_webshell.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.anquanke.com/post/id/226029", - "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db", - "value": "Solarwinds SUPERNOVA Webshell Access" - }, - { - "description": "Detects access to a webshell dropped into a keystore folder on the WebLogic server", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/07/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2018_2894_weblogic_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/LandGrey/CVE-2018-2894", - "https://twitter.com/pyn3rd/status/1020620932967223296", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.t1505.003", - "cve.2018.2894" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", - "value": "Oracle WebLogic Exploit" - }, - { - "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/10", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_8193_8195_citrix_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", - "https://dmaasland.github.io/posts/citrix.html", - "https://support.citrix.com/article/CTX276688", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7", - "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195" - }, - { - "description": "Detects a successful Grafana path traversal exploitation", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/08", - "falsepositive": [ - "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error" - ], - "filename": "web_cve_2021_43798_grafana.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", - "https://github.com/search?q=CVE-2021-43798", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16", - "value": "Grafana Path Traversal Exploitation CVE-2021-43798" - }, - { - "description": "Detects exploitation attempt using the JDNIExploiit Kit", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/12", - "falsepositive": [ - "Legitimate apps the use these paths" - ], - "filename": "web_jndi_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/pimps/JNDI-Exploit-Kit", - "https://githubmemory.com/repo/FunctFan/JNDIExploit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml" - ], - "tags": "No established tags" - }, - "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", - "value": "JNDIExploit Pattern" - }, - { - "description": "Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/12/11", - "falsepositive": [ - "Vulnerability Scanners" - ], - "filename": "web_cve_2021_27905_apache_solr_exploit.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/Al1ex4/status/1382981479727128580", - "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/", - "https://github.com/murataydemir/CVE-2021-27905", - "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186", - "https://twitter.com/sec715/status/1373472323538362371", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2021.27905" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0bbcd74b-0596-41a4-94a0-4e88a76ffdb3", - "value": "Potential CVE-2021-27905 Exploitation Attempt" - }, - { - "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/08/17", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2022_27925_exploit.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/vnhacker1337/CVE-2022-27925-PoC", - "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", - "https://www.yang99.top/index.php/archives/82/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.27925" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd", - "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE" - }, - { - "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/29", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", - "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", - "https://twitter.com/_0xf4n9x_/status/1572052954538192901", - "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.36804" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685", - "value": "Atlassian Bitbucket Command Injection Via Archive API" - }, - { - "description": "Detects SQL Injection attempts via GET requests in access logs", - "meta": { - "author": "Saw Win Naung, Nasreddine Bencherchali", - "creation_date": "2020/02/22", - "falsepositive": [ - "Java scripts and CSS Files", - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "filename": "web_sql_injection_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://github.com/payloadbox/sql-injection-payload-list", - "https://brightsec.com/blog/sql-injection-payloads/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml" - ], - "tags": "No established tags" - }, - "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", - "value": "SQL Injection Strings" - }, - { - "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/22", - "falsepositive": [ - "Unlikely" - ], - "filename": "web_exchange_owassrf_poc_exploitation.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", - "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "92d78c63-5a5c-4c40-9b60-463810ffb082", - "value": "OWASSRF Exploitation Attempt Using Public POC - Webserver" - }, - { - "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_26814_wzuh_rce.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26814_wzuh_rce.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2021.21978", - "cve.2021.26814" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", - "value": "Exploitation of CVE-2021-26814 in Wazuh" - }, - { - "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/22", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_exchange_owassrf_exploitation.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_exploitation.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "181f49fa-0b21-4665-a98c-a57025ebb8c7", - "value": "Potential OWASSRF Exploitation Attempt - Webserver" - }, - { - "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/31", - "falsepositive": [ - "Serious issues with a configuration or plugin" - ], - "filename": "web_nginx_core_dump.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "No established product", - "refs": [ - "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", - "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499.004" - ] - }, - "related": [ - { - "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", - "value": "Nginx Core Dump" - }, - { - "description": "This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/06/29", - "falsepositive": [ - "Vulnerability Scanning" - ], - "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", - "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5525edac-f599-4bfd-b926-3fa69860e766", - "value": "Pulse Connect Secure RCE Attack CVE-2021-22893" - }, - { - "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.\n", - "meta": { - "author": "Subhash Popuri (@pbssubhash)", - "creation_date": "2021/08/25", - "falsepositive": [ - "Scanning from Nuclei", - "Unknown" - ], - "filename": "web_cve_2010_5278_exploitation_attempt.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/projectdiscovery/nuclei-templates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2010_5278_exploitation_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", - "value": "CVE-2010-5278 Exploitation Attempt" - }, - { - "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", - "meta": { - "author": "James Ahearn", - "creation_date": "2019/06/08", - "falsepositive": [ - "Unknown" - ], - "filename": "web_source_code_enumeration.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", - "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", - "value": "Source Code Enumeration Detection by Keyword" - }, - { - "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/05", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_5902_f5_bigip.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://support.f5.com/csp/article/K52145254", - "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", - "https://twitter.com/yorickkoster/status/1279709009151434754", - "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478", - "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt" - }, - { - "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/02/24", - "falsepositive": [ - "OVA uploads to your VSphere appliance" - ], - "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", - "https://f5.pm/go-59627.html", - "https://swarm.ptsecurity.com/unauth-rce-vmware", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "179ed852-0f9b-4009-93a7-68475910fd86", - "value": "CVE-2021-21972 VSphere Exploitation" - }, - { - "description": "Detects possible exploitation activity or bugs in a web application", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/02/19", - "falsepositive": [ - "Unstable application", - "Application that misuses the response codes" - ], - "filename": "web_multiple_susp_resp_codes_single_source.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_multiple_susp_resp_codes_single_source.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af", - "value": "Multiple Suspicious Resp Codes Caused by Single Client" - }, - { - "description": "Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/27", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_cve_2022_46169_cacti_exploitation_attempt.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/rapid7/metasploit-framework/pull/17407", - "https://github.com/0xf4n9x/CVE-2022-46169", - "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_46169_cacti_exploitation_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.46169" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "738cb115-881f-4df3-82cc-56ab02fc5192", - "value": "Potential CVE-2022-46169 Exploitation Attempt" - }, - { - "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/10", - "falsepositive": [ - "Vulnerability scanning" - ], - "filename": "web_cve_2021_44228_log4j_fields.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/YfryTchsGD/Log4jAttackSurface", - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://news.ycombinator.com/item?id=29504755", - "https://github.com/tangxiaofeng7/apache-log4j-poc", - "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", - "https://twitter.com/shutingrz/status/1469255861394866177?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9be472ed-893c-4ec0-94da-312d2765f654", - "value": "Log4j RCE CVE-2021-44228 in Fields" - }, - { - "description": "Detects access to DEWMODE webshell as described in FIREEYE report", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/02/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_unc2546_dewmode_php_webshell.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_unc2546_dewmode_php_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", - "value": "DEWMODE Webshell Access" - }, - { - "description": "Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/11/18", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2019_11510_pulsesecure_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.exploit-db.com/exploits/47297", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_11510_pulsesecure_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", - "value": "Pulse Secure Attack CVE-2019-11510" - }, - { - "description": "Detects possible Java payloads in web access logs", - "meta": { - "author": "frack113, Harjot Singh, \"@cyb3rjy0t\" (update)", - "creation_date": "2022/06/04", - "falsepositive": [ - "Legitimate apps" - ], - "filename": "web_java_payload_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", - "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", - "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml" - ], - "tags": [ - "cve.2022.26134", - "cve.2021.26084" - ] - }, - "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", - "value": "Java Payload Strings" - }, - { - "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/14", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_28480_exchange_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_28480_exchange_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b", - "value": "Exchange Exploitation CVE-2021-28480" - }, - { - "description": "Detects XSS attempts injected via GET requests in access logs", - "meta": { - "author": "Saw Win Naung, Nasreddine Bencherchali", - "creation_date": "2021/08/15", - "falsepositive": [ - "JavaScripts,CSS Files and PNG files", - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "filename": "web_xss_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://portswigger.net/web-security/cross-site-scripting/contexts", - "https://github.com/payloadbox/xss-payload-list", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml" - ], - "tags": "No established tags" - }, - "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", - "value": "Cross Site Scripting Strings" - }, - { - "description": "Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/01/20", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_2109_weblogic_rce_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/pyn3rd/status/1351696768065409026", - "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2021.2109" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "687f6504-7f44-4549-91fc-f07bab065821", - "value": "Oracle WebLogic Exploit CVE-2021-2109" - }, - { - "description": "Detects path traversal exploitation attempts", - "meta": { - "author": "Subhash Popuri (@pbssubhash), Florian Roth (generalisation)", - "creation_date": "2021/09/25", - "falsepositive": [ - "Happens all the time on systems exposed to the Internet", - "Internal vulnerability scanners" - ], - "filename": "web_path_traversal_exploitation_attempt.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/projectdiscovery/nuclei-templates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_path_traversal_exploitation_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35", - "value": "Path Traversal Exploitation Attempts" - }, - { - "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/17", - "falsepositive": [ - "Vulnerability Scanning" - ], - "filename": "web_cve_2021_42237_sitecore_report_ashx.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776", - "https://blog.assetnote.io/2021/11/02/sitecore-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f", - "value": "Sitecore Pre-Auth RCE CVE-2021-42237" - }, - { - "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/19", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_cve_2022_33891_spark_shell_command_injection.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", - "https://github.com/apache/spark/pull/36315/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.33891" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c", - "value": "Apache Spark Shell Command Injection - Weblogs" - }, - { - "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", - "meta": { - "author": "Nasreddine Bencherchali, Tim Shelton", - "creation_date": "2022/07/19", - "falsepositive": [ - "Unknown" - ], - "filename": "web_susp_useragents.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", - "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", - "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", - "value": "Suspicious User-Agents Related To Recon Tools" - }, - { - "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/12", - "falsepositive": [ - "Vulnerability scanners", - "Legitimate access to the URI" - ], - "filename": "web_cve_2022_31659_vmware_rce.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31659_vmware_rce.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706", - "value": "CVE-2022-31659 VMware Workspace ONE Access RCE" - }, - { - "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2020/12/08", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a2e97350-4285-43f2-a63f-d0daff291738", - "value": "Fortinet CVE-2018-13379 Exploitation" - }, - { - "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs", - "meta": { - "author": "Bhabesh Raj, Florian Roth", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_22123_fortinet_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22123_fortinet_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4", - "value": "Fortinet CVE-2021-22123 Exploitation" - }, - { - "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)", - "meta": { - "author": "Florian Roth, Rich Warren", - "creation_date": "2021/08/07", - "falsepositive": [ - "Unknown" - ], - "filename": "web_exchange_proxyshell.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://youtu.be/5mqid-7zp8k?t=2231", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef", - "value": "Exchange ProxyShell Pattern" - }, - { - "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers", - "meta": { - "author": "Florian Roth, Rich Warren", - "creation_date": "2021/08/09", - "falsepositive": [ - "Unknown" - ], - "filename": "web_exchange_proxyshell_successful.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://youtu.be/5mqid-7zp8k?t=2231", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml" - ], - "tags": [ - "attack.initial_access" - ] - }, - "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8", - "value": "Successful Exchange ProxyShell Attack" - }, - { - "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", - "meta": { - "author": "Cian Heasley", - "creation_date": "2020/08/04", - "falsepositive": [ - "Web applications that use the same URL parameters as ReGeorg" - ], - "filename": "web_webshell_regeorg.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/sensepost/reGeorg", - "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", - "value": "Webshell ReGeorg Detection Via Web Logs" - }, - { - "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/10", - "falsepositive": [ - "Vulnerability scanning" - ], - "filename": "web_cve_2021_44228_log4j.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/YfryTchsGD/Log4jAttackSurface", - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://news.ycombinator.com/item?id=29504755", - "https://github.com/tangxiaofeng7/apache-log4j-poc", - "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", - "https://twitter.com/shutingrz/status/1469255861394866177?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702", - "value": "Log4j RCE CVE-2021-44228 Generic" - }, - { - "description": "Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2023/01/20", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_cve_2022_44877_exploitation_attempt.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/", - "https://seclists.org/fulldisclosure/2023/Jan/1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_44877_exploitation_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.44877" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1b2eeb27-949b-4704-8bfa-d8e5cfa045a1", - "value": "Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877" - }, - { - "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/05/26", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2019_3398_confluence.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_3398_confluence.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b", - "value": "Confluence Exploitation CVE-2019-3398" - }, - { - "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766", - "meta": { - "author": "Florian Roth, Max Altgelt, Christian Burkard", - "creation_date": "2021/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_33766_msexchange_proxytoken.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a", - "value": "CVE-2021-33766 Exchange ProxyToken Exploitation" - }, - { - "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", - "https://www.tenable.com/security/research/tra-2021-13", - "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2021.20090", - "cve.2021.20091" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f0500377-bc70-425d-ac8c-e956cd906871", - "value": "Arcadyan Router Exploitations" - }, - { - "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/01/25", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", - "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2020.28188" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e", - "value": "TerraMaster TOS CVE-2020-28188" - }, - { - "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts", - "meta": { - "author": "Bhabesh Raj, Tim Shelton", - "creation_date": "2020/12/27", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_10148_solarwinds_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://kb.cert.org/vuls/id/843464", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_10148_solarwinds_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af", - "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass" - }, - { - "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/09/24", - "falsepositive": [ - "Vulnerability Scanning" - ], - "filename": "web_cve_2021_22005_vmware_file_upload.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server", - "https://kb.vmware.com/s/article/85717", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec", - "value": "VMware vCenter Server File Upload CVE-2021-22005" - }, - { - "description": "Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\n", - "meta": { - "author": "daffainfo, Florian Roth", - "creation_date": "2021/10/05", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_41773_apache_path_traversal.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml", - "https://twitter.com/ptswarm/status/1445376079548624899", - "https://twitter.com/h4x0r_dz/status/1445401960371429381", - "https://twitter.com/bl4sty/status/1445462677824761878", - "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", - "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5", - "value": "CVE-2021-41773 Exploitation Attempt" - }, - { - "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/19", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2014_6287_hfs_rce.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.exploit-db.com/exploits/39161", - "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", - "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.t1505.003", - "cve.2014.6287" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", - "value": "Rejetto HTTP File Server RCE" - }, - { - "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"", - "meta": { - "author": "frack113", - "creation_date": "2021/10/06", - "falsepositive": [ - "Unknown" - ], - "filename": "web_iis_tilt_shortname_scan.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.exploit-db.com/exploits/19525", - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", - "https://github.com/lijiejie/IIS_shortname_Scanner", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac", - "value": "Successful IIS Shortname Fuzzing Scan" - }, - { - "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/12", - "falsepositive": [ - "Vulnerability scanners" - ], - "filename": "web_cve_2022_31656_auth_bypass.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31656_auth_bypass.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80", - "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass" - }, - { - "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/01/07", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_3452_cisco_asa_ftd.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/aboul3la/status/1286012324722155525", - "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2020.3452" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29", - "value": "Cisco ASA FTD Exploit CVE-2020-3452" - }, - { - "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539", - "meta": { - "author": "Tobias Michalski, Max Altgelt", - "creation_date": "2021/09/20", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_40539_adselfservice.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_adselfservice.yml" - ], - "tags": "No established tags" - }, - "uuid": "6702b13c-e421-44cc-ab33-42cc25570f11", - "value": "ADSelfService Exploitation" - }, - { - "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/02/29", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_0688_msexchange.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_msexchange.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5", - "value": "CVE-2020-0688 Exchange Exploitation via Web Log" - }, - { - "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/06", - "falsepositive": [ - "Legitimate application and websites that use windows paths in their URL" - ], - "filename": "web_susp_windows_path_uri.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_windows_path_uri.yml" - ], - "tags": [ - "attack.persistence", - "attack.exfiltration", - "attack.t1505.003" - ] - }, - "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", - "value": "Suspicious Windows Strings In URI" - }, - { - "description": "Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack", - "meta": { - "author": "Arnim Rupp, Florian Roth", - "creation_date": "2020/01/02", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2019_19781_citrix_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://isc.sans.edu/diary/25686", - "https://twitter.com/mpgn_x64/status/1216787131210829826", - "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", - "https://support.citrix.com/article/CTX267027", - "https://support.citrix.com/article/CTX267679", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756", - "value": "Citrix Netscaler Attack CVE-2019-19781" - }, - { - "description": "Detects CVE-2020-0688 Exploitation attempts", - "meta": { - "author": "NVISO", - "creation_date": "2020/02/27", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_0688_exchange_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/Ridter/cve-2020-0688", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_exchange_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", - "value": "CVE-2020-0688 Exploitation Attempt" - }, - { - "description": "Detects SSTI attempts sent via GET requests in access logs", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/14", - "falsepositive": [ - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "filename": "web_ssti_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/payloadbox/ssti-payloads", - "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_ssti_in_access_logs.yml" - ], - "tags": "No established tags" - }, - "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", - "value": "Server Side Template Injection Strings" - }, - { - "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories", - "meta": { - "author": "frack113", - "creation_date": "2021/08/10", - "falsepositive": [ - "Unlikely" - ], - "filename": "web_cve_2021_26858_iis_rce.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26858_iis_rce.yml" - ], - "tags": "No established tags" - }, - "uuid": "effee1f6-a932-4297-a81f-acb44064fa3a", - "value": "ProxyLogon Reset Virtual Directories Based On IIS Log" - }, - { - "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).", - "meta": { - "author": "Sittikorn S, Nuttakorn Tungpoonsup", - "creation_date": "2021/09/10", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", - "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", - "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit" - }, { "description": "Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.", "meta": { @@ -79538,6 +80241,47 @@ "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce", "value": "MacOS Emond Launch Daemon" }, + { + "description": "Detects possible malicious execution of JXA in-memory via OSAScript", + "meta": { + "author": "Sohan G (D4rkCiph3r)", + "creation_date": "2023/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_jxa_in_memory_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://redcanary.com/blog/applescript/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml" + ], + "tags": [ + "attack.t1059.002", + "attack.t1059.007", + "attack.execution" + ] + }, + "related": [ + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f1408a58-0e94-4165-b80a-da9f96cf6fc3", + "value": "JXA In-memory Execution Via OSAScript" + }, { "description": "Detects usage of system utilities (only grep for now) to discover security software discovery", "meta": { @@ -79562,6 +80306,40 @@ "uuid": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0", "value": "Security Software Discovery - MacOs" }, + { + "description": "Detects potential suspicious run-only executions compiled using OSACompile", + "meta": { + "author": "Sohan G (D4rkCiph3r)", + "creation_date": "2023/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_osacompile_runonly_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://ss64.com/osx/osacompile.html", + "https://redcanary.com/blog/applescript/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml" + ], + "tags": [ + "attack.t1059.002", + "attack.execution" + ] + }, + "related": [ + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b9d9b652-d8ed-4697-89a2-a1186ee680ac", + "value": "OSACompile Run-Only Execution" + }, { "description": "Detects attempts to use screencapture to collect macOS screenshots", "meta": { @@ -79575,8 +80353,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ @@ -79587,6 +80365,41 @@ "uuid": "0877ed01-da46-4c49-8476-d49cdd80dfa7", "value": "Screen Capture - macOS" }, + { + "description": "Detects possible collection of data from the clipboard via execution of the osascript binary", + "meta": { + "author": "Sohan G (D4rkCiph3r)", + "creation_date": "2023/01/31", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_macos_clipboard_data_via_osascript.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml" + ], + "tags": [ + "attack.collection", + "attack.execution", + "attack.t1115", + "attack.t1059.002" + ] + }, + "related": [ + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7794fa3c-edea-4cff-bec7-267dd4770fd7", + "value": "Clipboard Data Collection Via OSAScript" + }, { "description": "Detects usage of system utilities to discover files and directories", "meta": { @@ -79624,6 +80437,7 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://redcanary.com/blog/applescript/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" ], @@ -79832,7 +80646,7 @@ { "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/28", "falsepositive": [ "Unknown" @@ -79990,8 +80804,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ @@ -80050,6 +80864,57 @@ "uuid": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", "value": "Suspicious MacOS Firmware Activity" }, + { + "description": "Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution", + "meta": { + "author": "Sohan G (D4rkCiph3r)", + "creation_date": "2023/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_susp_microsoft_office_child_processes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://objective-see.org/blog/blog_0x4B.html", + "https://redcanary.com/blog/applescript/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_microsoft_office_child_processes.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1059.002", + "attack.t1137.002", + "attack.t1204.002" + ] + }, + "related": [ + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "69483748-1525-4a6c-95ca-90dc8d431b68", + "value": "Suspicious Microsoft Office Child Process" + }, { "description": "Detect file time attribute change to hide new or changes to existing files", "meta": { @@ -80321,8 +81186,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", + "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" ], "tags": [ @@ -80379,9 +81244,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ @@ -80484,7 +81349,7 @@ { "description": "Detects passwords dumps from Keychain", "meta": { - "author": "Tim Ismilyaev, oscd.community, Florian Roth", + "author": "Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)", "creation_date": "2020/10/19", "falsepositive": [ "Legitimate administration activities" @@ -80553,10 +81418,10 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": "No established tags" @@ -80575,9 +81440,9 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], "tags": "No established tags" @@ -80598,9 +81463,9 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], "tags": "No established tags" @@ -80621,8 +81486,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ @@ -80964,8 +81829,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://linux.die.net/man/1/xclip", + "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ @@ -81014,8 +81879,8 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/insmod", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ @@ -81074,8 +81939,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", "https://github.com/berdav/CVE-2021-4034", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", "https://access.redhat.com/security/cve/CVE-2021-4034", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" ], @@ -81110,8 +81975,8 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/import", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://imagemagick.org/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -81193,10 +82058,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://mn3m.info/posts/suid-vs-capabilities/", - "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", - "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -81255,8 +82120,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "Self Experience", "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + "Self Experience", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" ], "tags": [ @@ -81417,7 +82282,7 @@ { "description": "Detects command line parameter very often used with coin miners", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/10/09", "falsepositive": [ "Other tools that use a --cpu-priority flag" @@ -81693,7 +82558,7 @@ { "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/01/23", "falsepositive": [ "Admin activity (especially in /tmp folders)", @@ -81835,8 +82700,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/xwd", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", + "https://linux.die.net/man/1/xwd", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" ], "tags": [ @@ -81893,8 +82758,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA", "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + "https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_debugfs_usage.yml" ], "tags": [ @@ -81927,10 +82792,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man1/passwd.1.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", - "https://linux.die.net/man/1/chage", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", + "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://linux.die.net/man/1/chage", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ @@ -82055,9 +82920,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://linux.die.net/man/8/pam_tty_audit", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], @@ -82082,7 +82947,7 @@ { "description": "Detects relevant commands often related to malware or hacking activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/12/12", "falsepositive": [ "Admin activity" @@ -82158,9 +83023,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -82194,8 +83059,8 @@ "logsource.product": "linux", "refs": [ "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://book.hacktricks.xyz/shells/shells/linux", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -82208,7 +83073,7 @@ { "description": "Detects shellshock expressions in log files", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/14", "falsepositive": [ "Unknown" @@ -82266,7 +83131,7 @@ { "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/04/09", "falsepositive": [ "Unknown" @@ -82300,7 +83165,7 @@ { "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/04/05", "falsepositive": [ "Unknown" @@ -82330,10 +83195,35 @@ "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", "value": "Symlink Etc Passwd" }, + { + "description": "Detects the presence of \"bpf_probe_write_user\" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.", + "meta": { + "author": "Red Canary (idea), Nasreddine Bencherchali", + "creation_date": "2023/01/25", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_potential_susp_ebpf_activity.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://redcanary.com/blog/ebpf-malware/", + "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion" + ] + }, + "uuid": "0fadd880-6af3-4610-b1e5-008dc3a11b8a", + "value": "Potential Suspicious BPF Activity - Linux" + }, { "description": "Detects specific commands commonly used to remove or empty the syslog", "meta": { - "author": "Max Altgelt", + "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021/09/10", "falsepositive": [ "Log rotation" @@ -82366,7 +83256,7 @@ { "description": "Detects buffer overflow attempts in Unix system log files", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/01", "falsepositive": [ "Unknown" @@ -82399,7 +83289,7 @@ { "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/04/02", "falsepositive": [ "Unknown" @@ -82432,7 +83322,7 @@ { "description": "Detects suspicious log entries in Linux log files", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/25", "falsepositive": [ "Unknown" @@ -82465,8 +83355,8 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/useradd", - "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", + "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], "tags": [ @@ -82531,7 +83421,7 @@ { "description": "Detects suspicious command sequence that JexBoss", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/08/24", "falsepositive": [ "Unknown" @@ -82587,7 +83477,7 @@ { "description": "Detects the ld.so preload persistence file. See `man ld.so` for more information.", "meta": { - "author": "Christian Burkard", + "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021/05/05", "falsepositive": [ "Rare temporary workaround for library misconfiguration" @@ -82612,7 +83502,7 @@ { "description": "Detects suspicious shell commands used in various exploit codes (see references)", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/08/21", "falsepositive": [ "Unknown" @@ -82622,10 +83512,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", - "https://artkond.com/2017/03/23/pivoting-guide/", "http://pastebin.com/FtygZ1cg", + "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -82693,8 +83583,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", + "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ @@ -82717,7 +83607,7 @@ { "description": "Detects suspicious session with two users present", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/07/03", "falsepositive": [ "Unknown" @@ -82750,7 +83640,7 @@ { "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/07/05", "falsepositive": [ "Unknown" @@ -82783,7 +83673,7 @@ { "description": "Detects relevant ClamAV messages", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/01", "falsepositive": [ "Unknown" @@ -82882,7 +83772,7 @@ { "description": "Detects suspicious failed logins with different user accounts from a single source system", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/02/16", "falsepositive": [ "Terminal servers", @@ -82907,7 +83797,7 @@ { "description": "Detects exploitation attempt using public exploit code for CVE-2018-15473", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/08/24", "falsepositive": [ "Unknown" @@ -82940,7 +83830,7 @@ { "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/06/30", "falsepositive": [ "Unknown" @@ -82974,7 +83864,7 @@ { "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/15", "falsepositive": [ "Unlikely" @@ -82984,9 +83874,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://access.redhat.com/security/cve/cve-2019-14287", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -83018,7 +83908,7 @@ { "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/02/20", "falsepositive": [ "Unknown" @@ -83117,7 +84007,7 @@ { "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/05", "falsepositive": [ "Creation of legitimate files in sudoers.d folder part of administrator work" @@ -83150,7 +84040,7 @@ { "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/05", "falsepositive": [ "Unlikely" @@ -83173,7 +84063,7 @@ { "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. Which both are related to the TripleCross persistence method", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/05", "falsepositive": [ "Unlikely" @@ -83217,8 +84107,8 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml" ], "tags": [ @@ -83241,7 +84131,7 @@ { "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/11/03", "falsepositive": [ "Legitimate use of ngrok" @@ -83309,7 +84199,7 @@ { "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/10/16", "falsepositive": [ "Unknown" @@ -83330,7 +84220,7 @@ { "description": "Detects process connections to a Monero crypto mining pool", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/10/26", "falsepositive": [ "Legitimate use of crypto miners" @@ -83351,7 +84241,7 @@ { "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/15", "falsepositive": [ "Unlikely" @@ -83361,9 +84251,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://access.redhat.com/security/cve/cve-2019-14287", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ @@ -83476,7 +84366,7 @@ { "description": "Detects execution of a the file \"execve_hijack\" which is used by the Triple Cross rootkit as a way to elevate privileges", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/05", "falsepositive": [ "Unlikely" @@ -83500,7 +84390,7 @@ { "description": "Detects usage of \"vim\" and it's sibilings as a GTFOBin to execute and proxy command and binary execution", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/28", "falsepositive": [ "Unknown" @@ -83510,9 +84400,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://gtfobins.github.io/gtfobins/rvim/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/vimdiff/", - "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], "tags": [ @@ -83526,7 +84416,7 @@ { "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/14", "falsepositive": [ "Legitimate software that uses these patterns" @@ -83571,7 +84461,7 @@ { "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/28", "falsepositive": [ "Unknown" @@ -83652,7 +84542,7 @@ { "description": "Detects events with patterns found in commands used for reconnaissance on linux systems", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Legitimate administration activities" @@ -83751,10 +84641,45 @@ "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937", "value": "Python Spawning Pretty TTY" }, + { + "description": "Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic", + "meta": { + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "creation_date": "2023/01/18", + "falsepositive": [ + "Network administrators" + ], + "filename": "proc_creation_lnx_iptables_flush_ufw.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", + "https://blogs.blackberry.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3be619f4-d9ec-4ea8-a173-18fdd01996ab", + "value": "Flush Iptables Ufw Chain" + }, { "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/03", "falsepositive": [ "Unknown" @@ -83797,7 +84722,7 @@ { "description": "Detects a suspicious curl process start the adds a file to a web request", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/15", "falsepositive": [ "Scripts created by developers and admins" @@ -83842,7 +84767,7 @@ { "description": "Detects usage of \"apt\" and \"apt-get\" as a GTFOBin to execute and proxy command and binary execution", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/28", "falsepositive": [ "Unknown" @@ -83852,8 +84777,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml" ], "tags": [ @@ -83878,8 +84803,8 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/userdel", - "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], @@ -83927,7 +84852,7 @@ { "description": "Detects command line parameters or strings often used by crypto miners", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/10/26", "falsepositive": [ "Legitimate use of crypto miners" @@ -83981,7 +84906,7 @@ { "description": "Detects installation of suspicious packages using system installation utilities", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/03", "falsepositive": [ "Legitimate administration activities" @@ -84070,6 +84995,40 @@ "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", "value": "System Network Connections Discovery - Linux" }, + { + "description": "Detects attempts to force stop the ufw using ufw-init", + "meta": { + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "creation_date": "2023/01/18", + "falsepositive": [ + "Network administrators" + ], + "filename": "proc_creation_lnx_disable_ufw.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "84c9e83c-599a-458a-a0cb-0ecce44e807a", + "value": "Ufw Force Stop Using Ufw-Init" + }, { "description": "Detects enumeration of local network configuration", "meta": { @@ -84097,7 +85056,7 @@ { "description": "Detects a suspicious curl process start on linux with set useragent options", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/15", "falsepositive": [ "Scripts created by developers and admins", @@ -84131,7 +85090,7 @@ { "description": "Detects suspicious sub processes of web server processes", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali (update)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021/10/15", "falsepositive": [ "Web applications that invoke Linux command line tools" @@ -84189,7 +85148,7 @@ { "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Legitimate administration activities" @@ -84199,8 +85158,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ @@ -84233,8 +85192,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://bpftrace.org/", "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + "https://bpftrace.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ @@ -84267,8 +85226,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" ], "tags": [ @@ -84309,7 +85268,7 @@ { "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell", "meta": { - "author": "pH-T", + "author": "pH-T (Nextron Systems)", "creation_date": "2022/07/26", "falsepositive": [ "Legitimate administration activities" @@ -84386,8 +85345,8 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/groupdel", - "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], @@ -84411,7 +85370,7 @@ { "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/15", "falsepositive": [ "Legitimate administration activities" @@ -84445,7 +85404,7 @@ { "description": "Detects usage of \"getcap\" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/28", "falsepositive": [ "Unknown" @@ -84455,9 +85414,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/diego-treitos/linux-smart-enumeration", - "https://github.com/carlospolop/PEASS-ng", "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", + "https://github.com/carlospolop/PEASS-ng", + "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ @@ -84471,7 +85430,7 @@ { "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/14", "falsepositive": [ "Legitimate software that uses these patterns" @@ -84504,7 +85463,7 @@ { "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/15", "falsepositive": [ "Scripts created by developers and admins", @@ -84535,6 +85494,40 @@ "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194", "value": "Curl Usage on Linux" }, + { + "description": "Detects usage of the \"touch\" process in service file.", + "meta": { + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "creation_date": "2023/01/11", + "falsepositive": [ + "Admin changing date of files." + ], + "filename": "proc_creation_lnx_touch_susp.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ] + }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "31545105-3444-4584-bebf-c466353230d2", + "value": "Touch Suspicious Service File" + }, { "description": "Detects enumeration of local or remote network services.", "meta": { @@ -84559,10 +85552,35 @@ "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", "value": "Linux Network Service Scanning" }, + { + "description": "Detects when the file \"passwd\" or \"shadow\" is copied from tmp path", + "meta": { + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "creation_date": "2023/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_cp_passwd_or_shadow_tmp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "fa4aaed5-4fe0-498d-bbc0-08e3346387ba", + "value": "Copy Passwd Or Shadow From TMP Path" + }, { "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/15", "falsepositive": [ "Legitimate administration activities" @@ -84585,7 +85603,7 @@ { "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks", "meta": { - "author": "Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "author": "Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021/10/15", "falsepositive": [ "Log rotation." @@ -84618,7 +85636,7 @@ { "description": "Detects java process spawning suspicious children", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/03", "falsepositive": [ "Unknown" @@ -84675,7 +85693,7 @@ { "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/15", "falsepositive": [ "Administrator interacting with immutable files (e.g. for instance backups)." @@ -84718,8 +85736,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ @@ -84770,9 +85788,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/nohup/", "https://en.wikipedia.org/wiki/Nohup", "https://www.computerhope.com/unix/unohup.htm", + "https://gtfobins.github.io/gtfobins/nohup/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": "No established tags" @@ -84807,7 +85825,7 @@ { "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/15", "falsepositive": [ "Unknown" @@ -84863,17 +85881,20 @@ { "description": "Detects known hacktool execution based on image name", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/03", "falsepositive": [ - "Unknown" + "Unlikely" ], "filename": "proc_creation_lnx_hack_tools.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://github.com/pathtofile/bad-bpf", + "https://github.com/carlospolop/PEASS-ng", "Internal Research", + "https://github.com/Gui774ume/ebpfkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml" ], "tags": [ @@ -84881,7 +85902,33 @@ ] }, "uuid": "a015e032-146d-4717-8944-7a1884122111", - "value": "HackTool Execution" + "value": "Linux HackTool Execution" + }, + { + "description": "Detects common command used to enable bpf kprobes tracing", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_bpf_kprob_tracing_enabled.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + "https://bpftrace.org/", + "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "7692f583-bd30-4008-8615-75dab3f08a99", + "value": "Enable BPF Kprobes Tracing" }, { "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", @@ -84916,6 +85963,41 @@ "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", "value": "File Deletion" }, + { + "description": "Detects execution of the \"mount\" command with \"hidepid\" parameter to make invisible processes to other users from the system", + "meta": { + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "creation_date": "2023/01/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_mount_hidepid.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", + "https://blogs.blackberry.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1564" + ] + }, + "related": [ + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ec52985a-d024-41e3-8ff6-14169039a0b3", + "value": "Mount Execution With Hidepid Parameter" + }, { "description": "Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.", "meta": { @@ -84929,8 +86011,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_tool_execution/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" ], "tags": [ @@ -84953,7 +86035,7 @@ { "description": "Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Legitimate administration activities" @@ -84963,8 +86045,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ @@ -84987,7 +86069,7 @@ { "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights", "meta": { - "author": "Florian Roth", + "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/06/20", "falsepositive": [ "Legitimate administration activities" @@ -85020,7 +86102,7 @@ { "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/03", "falsepositive": [ "Unknown" @@ -85087,7 +86169,7 @@ { "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/20", "falsepositive": [ "Unlikely" @@ -85097,9 +86179,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/apache/spark/pull/36315/files", + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], "tags": [ @@ -85166,8 +86248,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", + "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" ], "tags": [ @@ -85181,7 +86263,7 @@ { "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", "meta": { - "author": "Nasreddine Bencherchali", + "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/05", "falsepositive": [ "Unlikely" @@ -85227,5 +86309,5 @@ "value": "Security Software Discovery - Linux" } ], - "version": 20230123 + "version": 20230202 }